sFlow

Updated on Aug 12, 2024 by

What Is sFlow?

Sampled Flow (sFlow) is a traffic monitoring technology that collects traffic statistics by sampling packets and analyzing them. It evaluates traffic on a per-interface basis to provide real-time monitoring, detect unusual traffic patterns, and quickly identify the source of any attack traffic. This capability significantly aids enterprises in performing routine inspections and maintenance.

How Does sFlow Work?

Architecture of an sFlow System

An sFlow system consists of two main components: an sFlow agent and a remote sFlow collector, as illustrated in the figure below. The sFlow agent samples packets from an interface to gather traffic statistics, which are then encapsulated into sFlow packets. When the sFlow packet cache becomes full or when the cached sFlow packets reach their aging period (1 second), the sFlow agent transmits these packets to the sFlow collector. The collector then analyzes the sFlow packets and presents the analysis results.

sFlow System
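To make the agent side of this architecture concrete, here is an added example (not code from the original article) that models an sFlow agent exporting samples: packets on one interface are sampled 1-in-N, each sample is queued in the agent's datagram cache, and the cache is flushed as one datagram either when it fills or when its oldest sample reaches the 1-second aging period. The cache size of five samples, the sampling rate of 4 and the packet timings are constructed values, and the every-Nth sampling rule is a simplification of the randomised skip a real agent uses. The estimate_packets function plays the collector's role and shows why the sampling rate travels with every sample.

```python
"""Model of an sFlow agent's sampling and export behaviour (added example,
constructed values; not the article's or any vendor's code)."""
from dataclasses import dataclass, field
from typing import List, Optional

AGING_MS = 1000        # aging period from the text: 1 second
CACHE_SAMPLES = 5      # constructed small cache so that flushes are easy to see


@dataclass
class FlowSample:
    sequence: int
    sampling_rate: int   # travels with the sample so the collector can scale it
    sample_pool: int     # packets seen on the interface when this sample was taken
    header: bytes        # leading bytes of the sampled packet (raw packet header)


@dataclass
class Datagram:
    sent_at_ms: int
    reason: str          # "full" or "aged"
    samples: List[FlowSample]


@dataclass
class Agent:
    sampling_rate: int
    header_bytes: int = 128          # how much of each sampled packet is recorded
    seen: int = 0                    # packets observed on the interface
    samples_taken: int = 0
    cache: List[FlowSample] = field(default_factory=list)
    cache_opened_ms: Optional[int] = None
    sent: List[Datagram] = field(default_factory=list)

    def observe(self, packet: bytes, now_ms: int) -> None:
        """Called for every packet on the interface. Real agents randomise the
        skip count so that its mean equals the sampling rate; a fixed
        every-Nth rule is used here so the run is reproducible."""
        self.seen += 1
        if self.seen % self.sampling_rate == 0:
            self.samples_taken += 1
            self.cache.append(FlowSample(self.samples_taken, self.sampling_rate,
                                         self.seen, packet[:self.header_bytes]))
            if self.cache_opened_ms is None:
                self.cache_opened_ms = now_ms
        self.tick(now_ms)

    def tick(self, now_ms: int) -> None:
        """Export check, run on every packet and from the agent's timer."""
        if not self.cache:
            return
        if len(self.cache) >= CACHE_SAMPLES:
            self._flush(now_ms, "full")
        elif now_ms - self.cache_opened_ms >= AGING_MS:
            self._flush(now_ms, "aged")

    def _flush(self, now_ms: int, reason: str) -> None:
        self.sent.append(Datagram(now_ms, reason, list(self.cache)))
        self.cache.clear()
        self.cache_opened_ms = None


def estimate_packets(datagrams: List[Datagram]) -> int:
    """Collector side: each sample stands for sampling_rate packets on the
    wire, so scaling recovers the interface's packet count (exactly with the
    fixed rule used here, statistically with a randomised skip)."""
    return sum(s.sampling_rate for d in datagrams for s in d.samples)


def run_demo() -> Agent:
    agent = Agent(sampling_rate=4)
    # Constructed burst: 40 packets in 40 ms -> 10 samples -> two "full" flushes.
    for i in range(40):
        agent.observe(b"\xaa" * 64, now_ms=i)
    # Constructed trickle: 8 packets over 0.7 s -> 2 samples, cache never fills...
    for i in range(8):
        agent.observe(b"\xbb" * 64, now_ms=1000 + 100 * i)
    # ...so the agent's timer exports them once the aging period has elapsed.
    agent.tick(now_ms=2500)
    return agent


if __name__ == "__main__":
    a = run_demo()
    for d in a.sent:
        print(f"t={d.sent_at_ms:>5} ms  reason={d.reason:<4}  samples={len(d.samples)}")
    print("packets seen:", a.seen, " estimated from samples:", estimate_packets(a.sent))
```

Running the demo shows two datagrams exported at 19 ms and 39 ms because the cache filled, and a third at 2500 ms exported by the timer with only two samples; scaling the twelve samples by the rate of 4 gives back the 48 packets the interface actually carried.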

sFlow Packet

sFlow packets are encapsulated with UDP. By default, they use the well-known destination port number 6343. These packets have several header formats: Flow sample, Expanded Flow sample, Counter sample, and Expanded Counter sample. Expanded Flow sample and Expanded Counter sample were introduced in sFlow version 5 as extensions of the Flow sample and Counter sample, and they are not compatible with earlier versions. Any extended sampling content must be encapsulated in the Expanded Flow sample or Expanded Counter sample format.

sFlow Sampling

An sFlow agent offers both flow sampling and counter sampling.

  • Flow Sampling

In flow sampling, an sFlow agent samples packets in a designated direction on a particular interface using a specified sampling rate, then analyzes these packets to extract information about their data content. Flow sampling is centered on traffic details, which aids in monitoring and analyzing traffic behaviors within the network.

Raw Packet: Records the entire packet header or part of the packet header, depending on the configuration.
Ethernet Frame Data: Records Ethernet headers in Ethernet frames.
IPv4 Data: Records IPv4 headers in IPv4 packets that are forwarded at Layer 3.
IPv6 Data: Records IPv6 headers in IPv6 packets that are forwarded at Layer 3.
Extended Switch Data: Records VLAN translation and 802.1Q priority mapping information in Ethernet frames. VLAN ID 0 indicates an invalid VLAN.
Extended Router Data: Records routing information of packets.

Main fields in flow sampling packets

  • Counter Sampling

In counter sampling, an sFlow agent periodically gathers traffic statistics from an interface. The main fields in counter sampling packets are outlined in the following table. Unlike flow sampling, counter sampling emphasizes overall traffic statistics on an interface rather than specific traffic details.

Generic Interface Counters: Records basic interface information and traffic statistics on interfaces.
Ethernet Interface Counters: Records traffic statistics on an Ethernet interface.
Processor Information: Records CPU usage and memory usage of a device.
Optical SFP/QSFP Metrics: Records indicator data of SFP/QSFP optical modules.

Main fields in counter sampling packets
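The datagram layout described under "sFlow Packet" and the record types listed in the two tables above, as an added worked example that is not code from the original article: it builds a constructed sFlow v5 datagram (the UDP payload that would normally be sent to port 6343) holding one flow sample with a raw packet header record and an extended switch record, plus one counter sample with generic interface counters, and then parses it back. The sample type codes (1 flow, 2 counter, 3 expanded flow, 4 expanded counter), flow record codes (1 raw packet header, 2 Ethernet frame data, 3 IPv4 data, 4 IPv6 data, 1001 extended switch, 1002 extended router) and counter record codes (1 generic interface, 2 Ethernet interface, 1001 processor) come from the sFlow version 5 specification; the agent address, sequence numbers, counters, VLAN IDs and captured header bytes are made-up values, and the expanded sample formats are recognised by type but not decoded.

```python
"""Build and parse an sFlow v5 datagram (added example with constructed values)."""
import struct
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Type codes from the sFlow v5 specification (enterprise 0 = standard set).
SAMPLE_NAMES = {1: "flow sample", 2: "counter sample",
                3: "expanded flow sample", 4: "expanded counter sample"}
FLOW_RECORD_NAMES = {1: "raw packet header", 2: "ethernet frame data", 3: "ipv4 data",
                     4: "ipv6 data", 1001: "extended switch data", 1002: "extended router data"}
COUNTER_RECORD_NAMES = {1: "generic interface counters", 2: "ethernet interface counters",
                        1001: "processor information"}
IF_COUNTER_FIELDS = ("ifIndex", "ifType", "ifSpeed", "ifDirection", "ifStatus", "ifInOctets",
                     "ifInUcastPkts", "ifInMulticastPkts", "ifInBroadcastPkts", "ifInDiscards",
                     "ifInErrors", "ifInUnknownProtos", "ifOutOctets", "ifOutUcastPkts",
                     "ifOutMulticastPkts", "ifOutBroadcastPkts", "ifOutDiscards", "ifOutErrors",
                     "ifPromiscuousMode")
IF_COUNTER_FMT = ">IIQIIQIIIIIIQIIIIII"   # 88 bytes: ifSpeed and octet counters are 64-bit


def _u32(*vals: int) -> bytes:
    return struct.pack(">%dI" % len(vals), *vals)


def _opaque(data: bytes) -> bytes:
    """XDR opaque<>: 4-byte length, then the data padded to a 4-byte boundary."""
    return _u32(len(data)) + data + b"\x00" * ((-len(data)) % 4)


def _record(fmt: int, body: bytes) -> bytes:
    """Sample and record headers are data_format = (enterprise << 12) | format, then opaque<>."""
    return _u32(fmt) + _opaque(body)


def build_datagram() -> bytes:
    # Constructed 14-byte Ethernet header + 20-byte IPv4 header (10.0.0.5 -> 10.0.0.9, TCP).
    eth = bytes.fromhex("00aa00bb00cc00dd00ee00ff0800")
    ipv4 = bytes.fromhex("4500005400004000400600000a0000050a000009")
    # Raw packet header record: protocol 1 = Ethernet, frame length 1500, 4 bytes (FCS) stripped.
    raw_header = _record(1, _u32(1, 1500, 4) + _opaque(eth + ipv4))
    ext_switch = _record(1001, _u32(100, 0, 200, 0))  # src VLAN/priority, dst VLAN/priority
    # Flow sample: seq 7, source_id ifIndex 3, rate 1-in-256, pool, drops, in/out ifIndex, 2 records.
    flow_body = _u32(7, 3, 256, 1024000, 0, 3, 5, 2) + raw_header + ext_switch
    if_counters = struct.pack(IF_COUNTER_FMT, 3, 6, 1_000_000_000, 0, 3, 9_876_543_210,
                              7_000_000, 1000, 2000, 0, 0, 0, 1_234_567_890, 5_000_000,
                              500, 250, 0, 3, 0)                 # ifStatus 3 = admin+oper up
    counter_body = _u32(11, 3, 1) + _record(1, if_counters)      # seq 11, ifIndex 3, 1 record
    # Datagram header: version 5, IPv4 agent 10.0.0.1, sub-agent 1, seq 42, uptime ms, 2 samples.
    header = _u32(5, 1) + bytes([10, 0, 0, 1]) + _u32(1, 42, 36_000_000, 2)
    return header + _record(1, flow_body) + _record(2, counter_body)


@dataclass
class Sample:
    kind: str
    sequence: int
    source_id: int
    records: List[Tuple[str, Any]]
    sampling_rate: int = 0
    sample_pool: int = 0


def _records(body: bytes, off: int, count: int, names: Dict[int, str],
             decode: Callable[[int, bytes], Any]) -> List[Tuple[str, Any]]:
    out = []
    for _ in range(count):
        fmt, length = struct.unpack_from(">II", body, off)
        payload = body[off + 8: off + 8 + length]
        off += 8 + length + (-length) % 4
        fmt &= 0xFFF                       # low 12 bits = format, upper bits = enterprise
        out.append((names.get(fmt, "unknown %d" % fmt), decode(fmt, payload)))
    return out


def _parse_flow_record(fmt: int, payload: bytes) -> Any:
    if fmt == 1:   # raw packet header: protocol, frame_length, stripped, opaque header<>
        proto, frame_len, stripped, hdr_len = struct.unpack_from(">4I", payload, 0)
        hdr = payload[16:16 + hdr_len]
        info = {"protocol": proto, "frame_length": frame_len, "stripped": stripped, "header": hdr}
        if proto == 1 and len(hdr) >= 34 and hdr[12:14] == b"\x08\x00":   # Ethernet carrying IPv4
            info["src_ip"] = ".".join(map(str, hdr[26:30]))
            info["dst_ip"] = ".".join(map(str, hdr[30:34]))
        return info
    if fmt == 1001:   # extended switch: VLAN ID 0 means no valid VLAN, as the table notes
        return dict(zip(("src_vlan", "src_priority", "dst_vlan", "dst_priority"),
                        struct.unpack_from(">4I", payload, 0)))
    return payload


def _parse_counter_record(fmt: int, payload: bytes) -> Any:
    if fmt == 1:
        return dict(zip(IF_COUNTER_FIELDS, struct.unpack_from(IF_COUNTER_FMT, payload, 0)))
    return payload


def _parse_sample(fmt: int, body: bytes) -> Sample:
    if fmt == 1:
        seq, src, rate, pool, _drops, _in, _out, nrec = struct.unpack_from(">8I", body, 0)
        return Sample(SAMPLE_NAMES[fmt], seq, src,
                      _records(body, 32, nrec, FLOW_RECORD_NAMES, _parse_flow_record), rate, pool)
    if fmt == 2:
        seq, src, nrec = struct.unpack_from(">3I", body, 0)
        return Sample(SAMPLE_NAMES[fmt], seq, src,
                      _records(body, 12, nrec, COUNTER_RECORD_NAMES, _parse_counter_record))
    return Sample(SAMPLE_NAMES.get(fmt, "unknown %d" % fmt), 0, 0, [])   # expanded formats: not decoded


def parse_datagram(data: bytes) -> Dict[str, Any]:
    version, addr_type = struct.unpack_from(">II", data, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled here")
    agent = ".".join(str(b) for b in data[8:12])
    sub_agent, seq, uptime_ms, nsamples = struct.unpack_from(">IIII", data, 12)
    off, samples = 28, []
    for _ in range(nsamples):
        fmt, length = struct.unpack_from(">II", data, off)
        samples.append(_parse_sample(fmt & 0xFFF, data[off + 8: off + 8 + length]))
        off += 8 + length + (-length) % 4
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": samples}


if __name__ == "__main__":
    parsed = parse_datagram(build_datagram())
    print("agent", parsed["agent"], "seq", parsed["sequence"])
    for s in parsed["samples"]:
        print(s.kind, "seq", s.sequence, [name for name, _ in s.records])
```

The parser deliberately walks each sample and record by its declared length rather than by assumed layout, which is what lets a collector skip sample or record types it does not understand (including the expanded formats) instead of losing synchronisation with the rest of the datagram.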

Why Do We Need sFlow?

Unlike carrier networks, enterprise networks are smaller, more adaptable, and often face higher risks of attack. To minimize and manage service disruptions, enterprises need a traffic monitoring solution to quickly identify unusual traffic and determine the source of potential attacks. sFlow addresses this need by offering interface-based traffic analysis, thereby enhancing preventive maintenance for enterprise networks.

sFlow vs NetStream

NetStream also collects and analyzes network traffic statistics, but it is specifically a network flow statistics collection technique. A NetStream-enabled device gathers and performs preliminary analysis on network flows, storing these statistics in its buffer. The device then exports flow statistics once the buffer is full or the data ages out. In contrast, sFlow does not require a buffer; network devices simply sample packets, and a remote sFlow collector gathers and analyzes the traffic statistics.

sFlow offers several advantages over NetStream:

  • Reduced Resources and Costs: Since sFlow does not create flow tables, it requires fewer resources from network devices, which reduces costs.

  • Flexible Collector Deployment: The collector can be deployed flexibly, allowing traffic statistics to be gathered and analyzed based on different traffic characteristics.

Application Scenarios of sFlow

Enterprises often need to monitor the traffic on device interfaces and the overall performance of their devices. They require a traffic monitoring technique that can sample packets at device interfaces to quickly identify abnormal traffic and the source of any attack, allowing for rapid fault resolution to keep their networks running smoothly. sFlow is designed to focus on interface traffic, traffic forwarding, and overall device status, making it ideal for monitoring and identifying network issues, particularly in enterprise environments.

As depicted in the following figure, an sFlow agent connects to a remote sFlow collector to gather and analyze traffic statistics based on interfaces.

sFlow
