cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4753
Views
5
Helpful
1
Replies

Stealthwatch setup and functionalities

ciscoworlds
Level 4
Level 4

Hi;

I'm working on Stealthwatch and to practice it's futures I downloaded the "Trial" virtual components (version 6.10.2) and installed/configured in this order:

  1. I installed Flow Collector virtual.
  2. I installed Management Console virtual.
  3. I created management channel between Flow Collector and Management Console.
  4. There was no Netflow capable device that I could use, so I had to install Flow Sensor virtual. 
  5. On Flow Sensor I added flow collector & management console IP addresses. 

s1.png

 

6. Flow Sensor virtual had 2 interfaces, which I connect the first one to my management network and the 2nd interface to another standard vSwitch on my vSphere client. I Assigned a physical interface to that vSwitch and attached it to a SPAN port on the physical switch. 

s2.png

 

7. I changed the Promiscuous mode on the above port group (TFSensor) to "Accept". 

8. The home page on the Flow Collector shows that I'm receiving flows. 

 

s3.png

 

9. But I don't see any information on Management Console. I shows only 3 devices as this but nothing else.

 

s4.png

 

Also I didn't managed to find "any" documents or user guides for the stealthwatch except ones currently are on the Cisco website which use SMC java client for version 6.9. But I only can see webUI which doesn't have to do anything to the menu structures of the SMC java client. So besides the issue that I mentioned up to this point,

  • Do I need to use that client for version 6.10.2? 
  • Where can I find SMC user guides for WebUI? 
  • Does Flow Sensor communicate with Flow Collector through UDP:2055 ?
  • What is the limitations of the Trial version?
1 Accepted Solution

Accepted Solutions

dcavalla
Cisco Employee
Cisco Employee

Hello,

the fact that you don't see the full traffic from the main dashboard is normal: that is designed to show only active alarms.

In order to use the java client, please click on Desktop Client (top right corner on the screenshot).

 

From the webUI you can run Analyze->Flow Search and run a query to see every flow recevied by the flow collector.

 

The contextual guide available in the help menu is the best guide I can suggest for the WebUI.

 

I'll reply per points now:

- It depends on what you'll need to do. If your role is security analyst probably not. If you need to manage any of the advanced features, than yes.

- Contextual menu

- UDP:2055 and TCP:443 if you point the flow sensor to the SMC (Management System configuration option). 2055 is the default port number. You can change it.

- 60 days as per https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/release_notes/SW_6_10_2_Release_Notes_DV_1_2.pdf.

 

Hope this helps.

 

Dario

View solution in original post

1 Reply 1

dcavalla
Cisco Employee
Cisco Employee

Hello,

the fact that you don't see the full traffic from the main dashboard is normal: that is designed to show only active alarms.

In order to use the java client, please click on Desktop Client (top right corner on the screenshot).

 

From the webUI you can run Analyze->Flow Search and run a query to see every flow recevied by the flow collector.

 

The contextual guide available in the help menu is the best guide I can suggest for the WebUI.

 

I'll reply per points now:

- It depends on what you'll need to do. If your role is security analyst probably not. If you need to manage any of the advanced features, than yes.

- Contextual menu

- UDP:2055 and TCP:443 if you point the flow sensor to the SMC (Management System configuration option). 2055 is the default port number. You can change it.

- 60 days as per https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/release_notes/SW_6_10_2_Release_Notes_DV_1_2.pdf.

 

Hope this helps.

 

Dario