sFlow

From Wikipedia, the free encyclopedia

sFlow is a relatively new standard for monitoring computer networks. sFlow specification (RFC 3176) and its first implementation were both launched in 2001.

1 sFlow
2 See also
3 External links

[edit] sFlow

The sFlow standard describes a mechanism to capture traffic data in switched or routed networks. It uses a sampling technology to collect statistics from the device and is for this reason applicable to high speed networks (at gigabit speeds or higher).

An sFlow agent is the implementation of the sampling mechanism on the hardware (for example a switch). The sFlow collector is a central server which collects the sFlow datagrams from all agents to store or (later) analyze them. The sFlow agent uses two forms of operation: statistical packet-based sampling of switched or routed packets, and time-based sampling of interface counters.

[edit] Flowsamples

Based on a defined sampling rate, either for the complete agent or for a single interface, 1 out of N packets is captured and sent to a collector server. This type of sampling does not provide a 100% accurate result in the analysis but it does provide a result with quantifiable accuracy.

[edit] Countersamples

A polling interval defines how often the sFlow octet and packet counter for a specific interface are sent to the collector, but an sFlow agent is free to schedule polling in order maximize internal efficiency. If the regular schedule is chosen, each counter start time will be chosen differently to smoothen performance.

[edit] sFlow Datagram

The sampled data is sent as a UDP packet to the specified host and port on the sFlow collector. The default port is 6343. The lack of reliability in the UDP transport mechanism does not significantly affect the accuracy of the measurements obtained from an sFlow agent. If counter samples are lost then new values will be sent when the next polling interval has passed. The loss of packet flow samples is a slight reduction in the effective sampling rate.

The UDP payload contains the sFlow datagram. Each datagram provides information about the sFlow version, its originating agent’s IP address, a sequence number, how many samples it contains and usually up to 10 flow samples or counter samples.

(RFC 3176) defines sFlow version 2 till 4. A memo by InMon Corp. describes sFlow version 5.