SFlow

sFlow, short for "sampled flow", is an industry standard for packet export at Layer 2 of the OSI model. sFlow was originally developed by InMon Corp. It provides a means for exporting truncated packets, together with interface counters for the purpose of network monitoring. Maintenance of the protocol is performed by the sFlow.org consortium, the authoritative source of the sFlow protocol specifications. The current version of sFlow is v5.


Operation

sFlow uses mandatory sampling to achieve scalability and is, for this reason, applicable to high speed networks (gigabit per second speeds and higher). sFlow is supported by multiple network device manufacturers and network management software vendors. An sFlow system consists of multiple devices performing two types of sampling: random sampling of packets or application layer operations, and time-based sampling of counters. The sampled packet/operation and counter information, referred to as flow samples and counter samples respectively, are sent as sFlow datagrams to a central server running software that analyzes and reports on network traffic: the sFlow collector.


Flow samples

Based on a defined sampling rate, an average of 1 out of n packets/operations is randomly sampled. This type of sampling does not provide a 100% accurate result, but it does provide a result with quantifiable accuracy.


Counter samples

A polling interval defines how often the network device sends interface counters. sFlow counter sampling is more efficient than SNMP polling when monitoring a large number of interfaces.


sFlow datagrams

The sampled data is sent as a UDP packet to the specified host and port. The official port number for sFlow is port 6343. The lack of reliability in the UDP transport mechanism does not significantly affect the accuracy of the measurements obtained from an sFlow agent. If counter samples are lost then new values will be sent when the next polling interval has passed. The loss of packet flow samples results in a slight reduction of the effective sampling rate. The UDP payload contains the sFlow datagram. Each datagram provides information about the sFlow version, the originating device's IP address, a sequence number, the number of samples it contains and one or more flow and/or counter samples.
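
The datagram fields listed above, as an added example (not code from sFlow.org or any vendor): a minimal Python parser for the sFlow v5 datagram header that counts flow and counter samples and uses the sequence number to detect lost datagrams. The field layout follows the sFlow v5 specification; `build_datagram`, `parse_datagram` and `LossTracker` are names invented here, the sample input is constructed, and `effective_rate` is an approximation that assumes lost datagrams carried as many flow samples as the received ones.

```python
import ipaddress
import struct

def build_datagram(agent, seq, samples):
    """Constructed sample input: a v5 datagram from (format, body) pairs."""
    head = struct.pack("!II4sIIII", 5, 1, ipaddress.IPv4Address(agent).packed,
                       0, seq, 1000 * seq, len(samples))
    return head + b"".join(struct.pack("!II", f, len(b)) + b for f, b in samples)

def parse_datagram(data):
    """Return header fields and per-kind sample counts; ValueError if malformed."""
    try:
        version, addr_type = struct.unpack_from("!II", data, 0)
        if version != 5 or addr_type not in (1, 2):   # 1 = IPv4, 2 = IPv6 agent
            raise ValueError("not an sFlow v5 datagram")
        off = 8 + (4 if addr_type == 1 else 16)
        agent = str(ipaddress.ip_address(data[8:off]))
        sub_agent, seq, _uptime_ms, count = struct.unpack_from("!IIII", data, off)
        off += 16
        kinds = {"flow": 0, "counter": 0, "other": 0}
        for _ in range(count):
            tag, length = struct.unpack_from("!II", data, off)
            off += 8 + length                         # skip the sample body
            if off > len(data):
                raise ValueError("sample length runs past end of datagram")
            # tag = enterprise (high 20 bits) | format (low 12); 3 and 4 are expanded forms
            kinds[{1: "flow", 3: "flow", 2: "counter", 4: "counter"}.get(tag, "other")] += 1
    except struct.error as exc:
        raise ValueError(f"truncated datagram: {exc}") from None
    return {"agent": agent, "sub_agent": sub_agent, "seq": seq, "kinds": kinds}

class LossTracker:
    """Counts datagrams lost in transit from gaps in per-agent sequence numbers."""
    def __init__(self):
        self.last, self.received, self.lost = {}, 0, 0

    def observe(self, hdr):
        key = (hdr["agent"], hdr["sub_agent"])
        if key in self.last:
            gap = (hdr["seq"] - self.last[key] - 1) & 0xFFFFFFFF  # 32-bit wraparound
            if gap < 0x80000000:      # larger values mean duplicate, reorder or restart
                self.lost += gap
        self.last[key] = hdr["seq"]
        self.received += 1

    def effective_rate(self, configured_n):
        # Approximation: a configured 1-in-n behaves like 1-in-(n * sent / received).
        return configured_n * (self.received + self.lost) / max(self.received, 1)
```

A collector would call `parse_datagram` on each UDP payload received on port 6343 and feed the result to one `LossTracker`; a rising `lost` count shows how far the collector's view has drifted from the configured sampling rate.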


sFlow versions


Related technologies

A well-known alternative is NetFlow (see below). Moreover, depending on the IT resources available, it could be possible to perform full packet captures using dedicated network taps (which are then subsequently analysed).


NetFlow, IPFIX

* NetFlow and IPFIX are flow export protocols that aim at aggregating packets into flows. After that, flow records are sent to a collection point for storage and analysis. sFlow, however, has no notion of flows or packet aggregation at all.
* sFlow allows for exporting packet data chunks and interface counters, which are non-typical features of flow export protocols. Note however that (recent) IPFIX developments provide a means for exporting SNMP MIB variables and packet data chunks.
* While flow export can be performed with 1:1 sampling (i.e., considering every packet), this is typically not possible with sFlow, as it was not designed to do so. Sampling forms an integral part of sFlow, aiming to provide scalability for network-wide monitoring.


See also

* NetFlow
* Network Management
* Packet analyzer
* RMON

