BackendSide sFlow Collector & Analyzer

User Guide — Version 1.0

1. Overview

BackendSide sFlow Collector & Analyzer is a Windows desktop application that listens for sFlow v5 datagrams from your network devices and presents the data as a rich, browser-based analytics platform — no cloud required, no agents to deploy on managed hosts, no subscriptions.

The application has two main components running side-by-side:

  • UDP Collector — listens on a configurable IP and port (default 0.0.0.0:6343) for sFlow v5 packets from switches, routers, and hypervisors
  • Web Server — a built-in HTTP/HTTPS server that serves the analytics interface to any browser on your network

All collected flow data is stored in per-agent SQLite databases inside your Windows AppData folder. Data is retained in a rolling 8-hour window and is available for querying across four time horizons: 5 minutes, 15 minutes, 1 hour, and 1 day.

Note: sFlow v5 must be enabled on your network devices and pointed at the IP address of the Windows machine running BackendSide sFlow Collector. See your switch/router documentation for sFlow export configuration.

2. Quick Start

  1. Install BackendSide sFlow Collector from the Microsoft Store.
  2. Launch the application. It starts the UDP collector and web server automatically on first run.
  3. Open the Settings page within the app to confirm or change the collection IP/port and web server IP/port.
  4. Configure your switches/routers to export sFlow v5 to the collection IP and port shown in Settings.
  5. Open a browser and navigate to http://<your-pc-ip>:<webserver-port> — you will be taken to the login page.
  6. Log in with your credentials. Once flow data starts arriving, the Dashboard will populate within seconds.

Firewall: Ensure Windows Firewall allows inbound UDP traffic on the collection port (default 6343) and inbound TCP traffic on the web server port.

3. Server Setup & Configuration

All server settings are managed from the Settings page inside the application. No config files need to be edited manually.

3.1 sFlow Collection — IP & Port

The sFlow collector is a UDP listener that receives sFlow v5 datagrams from your network devices.

  • Collection IP — the Settings page lists all IP addresses currently assigned to your Windows machine (all network interfaces). Select the IP that your switches will send sFlow traffic to. Choose 0.0.0.0 to listen on all interfaces simultaneously.
  • Collection Port — the UDP port the collector listens on. Default is 6343 (the IANA-assigned sFlow port). Change this only if your devices export to a non-standard port.

Tip: Most managed switches default to sending sFlow to UDP port 6343. Check your switch CLI or web UI — look for settings labelled "sFlow collector address" and "sFlow collector port".

3.2 Web Server — IP & Port

The embedded web server delivers the analytics interface to browsers on your network.

  • Web Server IP — select from the list of available system IPs, or choose 0.0.0.0 to accept connections on all interfaces. Restricting to a specific IP limits access to clients reachable via that interface only.
  • Web Server Port — the TCP port browsers connect to. Choose any available port. Common choices are 8080 (HTTP) or 8443 (HTTPS). If SSL is enabled the browser will connect via HTTPS.

3.3 SSL / HTTPS Setup

BackendSide sFlow Collector includes a built-in self-signed certificate generator so you can enable HTTPS without any external PKI or certificate purchase.

Enabling SSL with a Self-Signed Certificate

  1. Go to Settings → Web Server in the application.
  2. Click "Generate Self-Signed Certificate". The app creates a certificate and private key tied to the selected web server IP.
  3. Toggle SSL On.
  4. Click "Restart Server" to apply. The web server will now listen on HTTPS.
  5. Access the interface at https://<ip>:<port>. Your browser will show a certificate warning for self-signed certs — proceed through it or import the certificate into your browser's trusted store.

Production environments: For deployments where browser warnings are unacceptable, replace the self-signed certificate with one issued by an internal CA or a public CA (e.g. Let's Encrypt). Place the certificate and key files in the location shown in Settings before restarting the server.

3.4 Applying Configuration Changes

After changing any IP, port, or SSL setting, click the "Restart Server" button. The application will:

  1. Stop the current UDP collector and web server
  2. Apply the new configuration
  3. Restart both services on the new IP/port

Flow data already collected is not lost during a restart. In-memory buffers are flushed to SQLite before the restart completes.

Remember: If you change the collection IP or port, update the sFlow export destination on your switches/routers to match the new settings, otherwise flow data will stop arriving.

4. Logging In

The analytics interface requires authentication. Navigate to http(s)://<ip>:<port> and you will be redirected to the login page if no valid session exists.

  • Enter your username and password and click Log In.
  • A session cookie (sessionid) is set on successful login and is valid until you log out or the session expires.
  • To log out, click the Logout link in the navigation sidebar.

Static assets (CSS, JS, images) do not require a session — only HTML pages and API endpoints are protected.

5. Dashboard

The Dashboard is the home page and provides a real-time overview of all traffic seen from the selected sFlow agent.

Agent Selector

The dropdown at the top of every page lists all sFlow agents (devices) that have sent data to the collector. Select an agent to view analytics for that specific device. The first agent is selected automatically on page load.

Summary Cards

Five cards update in real-time for the selected time window:

  • Total Flows: Number of sFlow records received in the selected window
  • Total Bandwidth: Combined bytes transferred across all observed flows
  • Top Protocol: The most-used protocol (TCP / UDP / ICMP / other) by byte volume
  • Top Source: The IP address generating the most outbound traffic
  • Top Destination: The IP address receiving the most inbound traffic

Dashboard Charts

  • Traffic Over Time — time-series line chart of bytes/packets per interval
  • Top Sources — bar chart of the top 10 source IPs by byte volume
  • Top Destinations — bar chart of the top 10 destination IPs
  • Protocol Distribution — pie chart of TCP vs UDP vs ICMP vs other
  • Top Talker Pairs — bar chart of the top source↔destination conversation pairs

Time Window

Use the time selector (5m / 15m / 1h / 1d) to change the analysis window. All cards and charts update immediately. The 5-minute view gives the sharpest picture of current activity; the 1-day view shows long-term trends.

6. Traffic Analytics

The Traffic page has six tabs, each providing a different lens on your network traffic. Select your agent and time window at the top — all tabs respond to the same selection.

Conversations

A ranked table of every unique source IP ↔ destination IP pair observed, sorted by total bytes. Each row shows bytes, packets, flow count, top protocol, and first/last seen timestamps. Click any row to drill into the individual flows that make up that conversation.

Top Sources

Ranks all source IP addresses by outbound byte volume. Click a source IP to see a drill-down showing which destination IPs that host was talking to and on which protocols.

Top Destinations

Ranks all destination IPs by inbound byte volume. Drill down to see which source IPs were sending traffic to each destination.

Top Talkers

A bidirectional view combining sent and received bytes per host — useful for identifying the highest-impact endpoints regardless of direction.

Protocols

Protocol distribution shown as both a pie chart (share of total traffic) and a stacked bar chart (volume over time per protocol). Covers TCP, UDP, ICMP, and other IP protocols.

Applications / Ports

Maps destination port numbers to well-known application names (HTTP/80, HTTPS/443, DNS/53, RDP/3389, SMB/445, SMTP/25, SSH/22, etc.) and ranks them by traffic volume. Identifies what applications are consuming bandwidth on your network.

7. VLAN Intelligence

The VLAN page requires that your sFlow-exporting devices include VLAN tags in their sFlow samples (most managed switches do this by default).

VLAN Summary

A table listing every VLAN ID observed in the sFlow data, with total bytes, packets, flow count, and the top host for each VLAN. Quickly see which VLANs carry the most traffic.

Inter-VLAN Matrix

A colour-coded matrix where each cell shows the traffic volume between a pair of VLANs. Darker cells indicate higher traffic. Use this to:

  • Verify that VLAN separation policies are being enforced
  • Identify unexpected cross-VLAN flows (possible misrouting or security policy violations)
  • Understand inter-VLAN routing load on your core switch or firewall

Priority / QoS

Shows the distribution of 802.1p CoS (Class of Service) priority bits across all observed frames. Priority values range from 0 (best-effort) to 7 (network control). Use this to verify that:

  • Voice traffic (typically priority 5–6) is correctly marked
  • Video conferencing (typically priority 4–5) is separated from bulk data
  • Network control traffic (priority 7) is not being misused

VLAN Heatmap

A time-of-day × VLAN grid showing traffic intensity for each VLAN across 24 hours. Useful for capacity planning — identify which VLANs peak at which times of day and whether peaks overlap in ways that stress your uplinks.

8. Interface Analytics

Interface data is derived from the ifIndex values in sFlow samples. Your switch must be configured to include interface counters in sFlow exports for full utilisation data.

Top Interfaces

Ranks all switch interfaces (by ifIndex) by total bytes, packets, and flow count. Instantly see which ports are busiest and which are idle.

Utilisation

Shows each interface as a percentage of its configured speed, displayed as a horizontal progress bar:

  • Green — under 60% utilisation
  • Amber — 60–85% utilisation (approaching capacity)
  • Red — above 85% utilisation (potential bottleneck)

Use this view to proactively identify congested uplinks before users notice performance problems.

VM Traffic

Separates traffic on virtual interfaces (hypervisor vSwitches, VMware virtual NICs, OVS ports) from physical interfaces. This is especially useful in environments where VMware ESXi or Hyper-V is configured to export sFlow from the virtual switch — you can distinguish east-west VM-to-VM traffic from north-south physical traffic.

9. Security Detection

The Security page provides real-time threat detection derived entirely from sFlow data — no separate IDS probe or SPAN port required.

Port Scan Detection

Identifies hosts that contact an unusually high number of distinct destination ports within the selected time window. This pattern is characteristic of automated port scanners and reconnaissance tools.

  • Threshold — configurable on the page. Lower values catch slow scans; higher values reduce false positives for legitimate servers (e.g. load balancers). Default: 100 distinct ports.
  • Results table — shows scanner IP, number of distinct ports hit, targeted destination hosts, protocols used, and first/last seen timestamps.
  • Action — use the source IP to locate the scanning device on your network and investigate whether it is a legitimate scanner (Nmap, vulnerability scanner) or a compromised host.

SYN Flood Detection

Monitors TCP SYN vs SYN-ACK ratios. A large imbalance (many SYNs, few SYN-ACKs) indicates a SYN flood — either an inbound DDoS or a misconfigured/compromised internal host.

  • Results table — shows attacker IP, target IP, SYN rate, SYN:SYN-ACK ratio, severity score, and duration.
  • Severity — scored based on SYN rate and ratio; helps prioritise which events need immediate attention.
  • Action — for external SYN floods, consider upstream filtering or rate-limiting. For internal sources, isolate the host and investigate for malware.
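
The two detectors above, as an added Python example (not code from BackendSide): `detect_port_scans` counts distinct (protocol, destination port) pairs per source against the page's default threshold of 100, and `detect_syn_floods` compares bare SYNs sent with SYN-ACKs returned per initiator/target pair. The flow records, the 20-SYN minimum and the 0.1 ratio cut-off are constructed assumptions.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits

# Constructed sample of decoded flow records (not data from the application).
# Each record: (src_ip, dst_ip, proto, dst_port, tcp_flags)
FLOWS = (
    # 10.0.0.5 probes 120 distinct ports on one host: trips the default threshold of 100
    [("10.0.0.5", "10.0.0.20", "tcp", p, SYN) for p in range(1, 121)]
    # 10.0.0.7 completes normal handshakes with four services
    + [r for p in (22, 53, 80, 443)
       for r in (("10.0.0.7", "10.0.0.20", "tcp", p, SYN),
                 ("10.0.0.20", "10.0.0.7", "tcp", p, SYN | ACK))]
    # 198.51.100.9 sends 50 bare SYNs to the web server and only 2 SYN-ACKs come back
    + [("198.51.100.9", "10.0.0.20", "tcp", 80, SYN)] * 50
    + [("10.0.0.20", "198.51.100.9", "tcp", 80, SYN | ACK)] * 2
)


def detect_port_scans(flows, threshold=100):
    """Sources that touched at least `threshold` distinct (proto, dst_port) pairs."""
    ports, targets = defaultdict(set), defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        ports[src].add((proto, dport))
        targets[src].add(dst)
    return {src: {"distinct_ports": len(p), "targets": sorted(targets[src])}
            for src, p in ports.items() if len(p) >= threshold}


def detect_syn_floods(flows, min_syns=20, max_ratio=0.1):
    """(initiator, target) pairs whose SYN-ACK/SYN ratio is at or below `max_ratio`."""
    syns, synacks = defaultdict(int), defaultdict(int)
    for src, dst, proto, _, flags in flows:
        if proto != "tcp" or not flags & SYN:
            continue
        if flags & ACK:
            synacks[(dst, src)] += 1   # reply direction: key by the original initiator
        else:
            syns[(src, dst)] += 1
    events = {}
    for pair, n in syns.items():
        ratio = synacks[pair] / n
        if n >= min_syns and ratio <= max_ratio:
            events[pair] = {"syns": n, "synacks": synacks[pair],
                            "ratio": round(ratio, 3)}
    return events
```

Note that the port scanner also appears in the SYN flood results (120 SYNs, no SYN-ACKs); the distinct-port count is what separates a sweep from a flood aimed at one service.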

10. Performance Monitoring

Baseline Deviation

Compares the current traffic rate for each source/destination against a computed rolling baseline. Hosts or flows that deviate significantly from their normal rate are flagged.

  • Positive deviation (traffic spike) — possible DDoS ingress, backup job, bulk transfer, or application failure
  • Negative deviation (traffic drop) — possible link failure, device down, or application crash

The table shows the host IP, its baseline rate, its current rate, the percentage deviation, and a direction indicator.
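
One way to compute the baseline comparison described above, as an added Python example (not BackendSide's own logic): the baseline is assumed to be the mean of the previous five intervals, and a host is flagged when the newest interval deviates by 50% or more in either direction. The per-interval byte counts are constructed.

```python
# Constructed per-interval byte counts for three hosts (not data from the application).
# Each series is ordered oldest -> newest; the last value is the "current" interval.
RATES = {
    "10.0.0.10": [1000, 1100, 900, 1050, 1000, 6000],   # spike: backup job or DDoS ingress
    "10.0.0.11": [800, 820, 790, 810, 800, 60],          # drop: link or application failure
    "10.0.0.12": [500, 520, 480, 510, 490, 505],         # steady, within tolerance
}


def baseline_deviation(series, window=5, threshold_pct=50.0):
    """Compare the newest interval to the mean of the `window` intervals before it.
    Returns (baseline, current, pct_deviation, direction), or None when the host is
    within tolerance or has too little history to establish a baseline."""
    if len(series) < window + 1:
        return None
    history = series[-window - 1:-1]
    baseline = sum(history) / window
    if baseline == 0:
        return None  # no established rate to compare against
    current = series[-1]
    pct = (current - baseline) / baseline * 100.0
    if abs(pct) < threshold_pct:
        return None
    return (baseline, current, round(pct, 1), "up" if pct > 0 else "down")


def flag_deviations(rates, **kw):
    """Run the comparison for every host and keep only the flagged ones."""
    flagged = {}
    for host, series in rates.items():
        result = baseline_deviation(series, **kw)
        if result is not None:
            flagged[host] = result
    return flagged
```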

Sequence Gaps

sFlow agents include a sequence number in each datagram. This view analyses sequence numbers per agent to detect gaps (missed datagrams). Gaps indicate:

  • The network path between agent and collector is dropping UDP packets
  • The sFlow agent on the switch is overloaded (high CPU/buffer overflow)
  • The collector machine was temporarily unable to process all incoming datagrams

If you see persistent sequence gaps, consider increasing the sFlow sampling interval on the sending device, or moving the collector to a closer network segment.
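
How the sequence check can be done on the wire format, as an added Python example (not BackendSide's code): the sFlow v5 datagram header is XDR-encoded (big-endian) as version, agent address type (1 = IPv4, 2 = IPv6), agent address, sub-agent id, sequence number, uptime in ms and sample count. The tracker keys on (agent, sub-agent) and reports the missing range when a number is skipped; `make_datagram` and the treatment of a lower number as an agent restart are this example's assumptions.

```python
import struct
from ipaddress import ip_address


def parse_header(datagram):
    """Decode the sFlow v5 datagram header. Raises ValueError for other versions."""
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    if addr_type == 1:
        agent, off = ip_address(datagram[8:12]), 12
    elif addr_type == 2:
        agent, off = ip_address(datagram[8:24]), 24
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    sub_agent, seq, uptime_ms, nsamples = struct.unpack_from("!IIII", datagram, off)
    return {"agent": str(agent), "sub_agent": sub_agent, "seq": seq,
            "uptime_ms": uptime_ms, "samples": nsamples}


class SequenceTracker:
    """Per (agent, sub_agent) sequence bookkeeping; a skipped number means lost datagrams."""

    def __init__(self):
        self.last = {}   # key -> next expected sequence number
        self.gaps = []   # (key, first_missing, last_missing)

    def observe(self, datagram):
        h = parse_header(datagram)
        key = (h["agent"], h["sub_agent"])
        expected = self.last.get(key)
        if expected is not None and h["seq"] > expected:
            self.gaps.append((key, expected, h["seq"] - 1))
        # a lower number is treated as an agent restart (or counter wrap): resync silently
        self.last[key] = (h["seq"] + 1) & 0xFFFFFFFF
        return h


def find_gaps(datagrams):
    """Feed a batch of datagrams through a fresh tracker and return the gaps found."""
    tracker = SequenceTracker()
    for d in datagrams:
        tracker.observe(d)
    return tracker.gaps


def make_datagram(agent_ip, seq, sub_agent=0, uptime_ms=0):
    """Build a header-only sFlow v5 datagram for testing (constructed, no samples attached)."""
    addr = ip_address(agent_ip)
    addr_type = 1 if addr.version == 4 else 2
    return (struct.pack("!II", 5, addr_type) + addr.packed
            + struct.pack("!IIII", sub_agent, seq, uptime_ms, 0))
```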

11. Layer 2 & ARP Analytics

The Layer 2 page is the most comprehensive component of BackendSide sFlow Collector, with ten tabs dedicated to ARP and MAC-layer intelligence. ARP data is extracted directly from sFlow-sampled Ethernet frames — no separate ARP inspection or SPAN configuration is needed beyond your standard sFlow export.

  • ARP Summary: Total ARP request/reply counts, unique MAC count, top ARP talkers
  • ARP Top Talkers: Hosts ranked by ARP volume — flags chatty or misconfigured devices
  • ARP Scan Detection: Hosts probing many IPs via ARP — reconnaissance/sweep detection
  • ARP Spoof Detection: IP↔MAC conflicts — classic ARP poisoning / MITM indicators
  • ARP Over Time: Time-series of ARP volume — spots floods and unusual bursts
  • VLAN Distribution: ARP traffic per VLAN — identifies high-ARP segments
  • New MAC Detection: First-seen log of every MAC address — rogue device detection
  • Broadcast Analysis: Broadcast volume per VLAN and per host — broadcast storm diagnosis
  • Retry Patterns: Unanswered ARP requests — points to missing hosts or blackholed traffic
  • MAC Flapping: MACs moving between ports/VLANs — loop or MITM detection
  • Duplicate IP Detection: Multiple MACs claiming the same IP — IP conflict identification
  • Host History: Full IP↔MAC binding timeline for a host — forensic investigation
  • Vendor Distribution: OUI-based manufacturer breakdown — inventory & rogue device hunting

ARP Spoof Detection — How It Works

The detector flags two patterns:

  • One IP, multiple MACs — two or more different MAC addresses are claiming the same IP address. Typical of ARP poisoning where an attacker is redirecting traffic to their NIC.
  • One MAC, multiple IPs — a single MAC address is responding to ARP requests for multiple different IP addresses. Typical of a MITM tool or a misconfigured multi-address interface.

New MAC Detection — Use for Rogue Devices

Every MAC address seen for the first time (within the current data window) is logged with its first-seen timestamp, IP address, and VLAN. You can use this as a lightweight NAC (Network Access Control) visibility tool — any unexpected MAC appearing on a VLAN you don't manage warrants investigation.

Host History — Forensic Investigation

Enter an IP address to retrieve a full timeline of every MAC address that IP has been bound to, with timestamps. This is invaluable when investigating incidents: you can trace exactly when a device moved, changed its MAC, or was replaced.
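
The two ARP patterns from "ARP Spoof Detection — How It Works" and the binding timeline from "Host History", as one added Python example (not BackendSide's code) over the same constructed ARP observations. Bindings are scoped per VLAN, and ARP probes with sender IP 0.0.0.0 are skipped because they are not bindings; both choices are this example's assumptions.

```python
from collections import defaultdict

# Constructed ARP observations decoded from sampled frames (not data from the application).
# Each record: (timestamp, vlan, sender_ip, sender_mac)
ARP = [
    (100, 10, "10.0.10.1",  "aa:bb:cc:00:00:01"),   # gateway
    (101, 10, "10.0.10.50", "aa:bb:cc:00:00:50"),
    (102, 10, "10.0.10.51", "aa:bb:cc:00:00:51"),
    (105, 10, "10.0.10.1",  "aa:bb:cc:00:00:01"),   # gateway seen again, same binding
    (130, 10, "10.0.10.1",  "de:ad:be:ef:00:99"),   # a second MAC now claims the gateway IP
    (131, 10, "10.0.10.50", "de:ad:be:ef:00:99"),   # the same MAC also claims a host IP
    (140, 10, "0.0.0.0",    "aa:bb:cc:00:00:52"),   # ARP probe: sender IP unset, not a binding
    (150, 20, "10.0.20.7",  "aa:bb:cc:00:00:07"),
]

IGNORED_IPS = {"0.0.0.0"}


def detect_arp_spoof(records):
    """Return IPs claimed by more than one MAC and MACs answering for more than one IP."""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for _, vlan, ip, mac in records:
        if ip in IGNORED_IPS:
            continue
        ip_to_macs[(vlan, ip)].add(mac)
        mac_to_ips[(vlan, mac)].add(ip)
    return {
        "ip_multiple_macs": {k: sorted(v) for k, v in ip_to_macs.items() if len(v) > 1},
        "mac_multiple_ips": {k: sorted(v) for k, v in mac_to_ips.items() if len(v) > 1},
    }


def host_history(records, ip):
    """Timeline of (first_seen, last_seen, vlan, mac) bindings for one IP, in time order.
    Consecutive observations of the same binding are merged into one entry."""
    timeline = []
    for ts, vlan, rip, mac in sorted(records):
        if rip != ip:
            continue
        if timeline and timeline[-1][2:] == (vlan, mac):
            timeline[-1] = (timeline[-1][0], ts, vlan, mac)   # extend the current binding
        else:
            timeline.append((ts, ts, vlan, mac))              # binding changed: new entry
    return timeline
```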

12. Multi-Agent Management

BackendSide sFlow Collector supports unlimited sFlow agents simultaneously. Every device that sends sFlow datagrams to the collector is automatically discovered and added to the agent list.

  • Agent dropdown — available on every analytics page. Select the device you want to analyse.
  • Per-agent databases — each agent stores its data in a separate SQLite file named after its IP address (e.g. 192-168-1-1.db) inside your AppData folder. This prevents data mixing and makes individual backups trivial.
  • Rolling retention — each agent database retains 8 hours of flow data. Older records are pruned automatically.
  • No configuration needed — as soon as a new device starts sending sFlow to the collector IP:port, it appears in the dropdown.

Multiple sites: If you run multiple instances of BackendSide on different Windows machines (one per site), each collector independently manages its own agents. Use the web interface of each instance to analyse its local agents.

13. Tips & Best Practices

sFlow Sampling Rate

sFlow works by sampling 1-in-N packets. Common rates are 1:512, 1:1024, or 1:2048. Lower rates (e.g. 1:128) give higher accuracy but increase CPU load on the switch and UDP bandwidth to the collector. Start with 1:512 on a 1 Gbps link and adjust based on collector load.

Polling Interval

Interface counter polling interval (separate from packet sampling) is typically set to 30–60 seconds. Shorter intervals give more precise utilisation data but increase sFlow overhead.

Firewall Rules

Ensure the following ports are open on the Windows machine running the collector:

  • UDP inbound on the sFlow collection port (default 6343) — from all sFlow agent IPs
  • TCP inbound on the web server port — from all client browser IPs

Browser Compatibility

The analytics interface is tested on current versions of Chrome, Firefox, Edge, and Safari. JavaScript must be enabled. The interface is responsive and works on tablets but is optimised for desktop use.

Dark / Light Theme

Click the theme toggle button in the top-right corner of any page to switch between dark and light mode. Your preference is saved in localStorage and persists across sessions.

Data Not Appearing?

  • Verify your switch is configured to export sFlow to the correct collector IP and port
  • Check Windows Firewall is not blocking inbound UDP on the collection port
  • Confirm the sFlow version on your device is v5 (v1/v2/v4 are not supported)
  • Check the collector status indicator in the application — it shows whether the UDP listener is active
  • Use a packet capture (Wireshark) on the collector machine to verify sFlow datagrams are arriving on the expected port