SFlow
Network packet standard
title: "SFlow" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["computer-network-analysis"] description: "Network packet standard" topic_path: "general/computer-network-analysis" source: "https://en.wikipedia.org/wiki/SFlow" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0
::summary Network packet standard ::
sFlow, short for "sampled flow", is an industry standard for packet export at Layer 2 of the OSI model. sFlow was originally developed by InMon Corp. It provides a means for exporting truncated packets, together with interface counters for the purpose of network monitoring. Maintenance of the protocol is performed by the sFlow.org consortium (sFlow.org, "sFlow.org - Making the Network Visible", http://www.sflow.org/).
Operation
sFlow uses mandatory sampling to achieve scalability (Jedwab, Phaal and Pinna, "Traffic Estimation for the Largest Sources on a Network, Using Packet Sampling with Limited Storage", HP Labs, March 1992, http://www.hpl.hp.com/techreports/92/HPL-92-35.pdf; Jasinska, "sFlow, I can feel your traffic", Amsterdam Internet Exchange (AMS-IX), December 2006, https://events.ccc.de/congress/2006/Fahrplan/attachments/1137-sFlowPaper.pdf; "sFlow Products: Network Equipment", sFlow.org, http://www.sflow.org/products/network.php; "sFlow Products: sFlow Collectors", sFlow.org, http://www.sflow.org/products/collectors.php).
An sFlow system consists of multiple devices performing two types of sampling: random sampling of packets (Phaal and Lavine, "sFlow Version 5", sFlow.org, July 2004, http://www.sflow.org/sflow_version_5.txt; Phaal and Jordan, "sFlow Host Structures", sFlow.org, July 2010, http://www.sflow.org/sflow_host.txt; "Traffic Monitoring using sFlow", sFlow.org, 2003, http://www.sflow.org/sFlowOverview.pdf)
Flow samples
Based on a defined sampling rate, an average of 1 out of n packets/operations is randomly sampled. This type of sampling does not provide a 100% accurate result, but it does provide a result with quantifiable accuracy (Phaal and Panchen, "Packet Sampling Basics", sFlow.org, 2002, http://www.sflow.org/packetSamplingBasics/index.htm).
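What "quantifiable accuracy" means in practice is shown in the following added example, which is not part of the original article. It scales 1-in-n flow samples up to per-class packet estimates and attaches the 95% confidence error bound given in sFlow.org's "Packet Sampling Basics" (error at most 196 * sqrt(1/c) percent for a class seen in c samples); the function names, class labels and sample counts are constructed for illustration.

```python
import math
from collections import Counter

def estimate_traffic(sampled_classes, sampling_rate):
    """Scale 1-in-N flow samples up to per-class packet estimates.

    sampled_classes holds one label per sampled packet. For a class seen in
    c samples the estimate is c * N, and the error at 95% confidence is at
    most 196 * sqrt(1 / c) percent (sFlow.org, "Packet Sampling Basics").
    """
    report = {}
    for label, c in Counter(sampled_classes).items():
        estimate = c * sampling_rate
        pct_error = 196.0 * math.sqrt(1.0 / c)
        margin = estimate * pct_error / 100.0
        report[label] = {"samples": c, "estimate": estimate,
                         "pct_error": pct_error,
                         "low": max(0.0, estimate - margin),
                         "high": estimate + margin}
    return report

def trustworthy(report, max_pct_error=10.0):
    """Labels whose error bound is tight enough to act on."""
    return sorted(name for name, r in report.items()
                  if r["pct_error"] <= max_pct_error)

def constructed_samples():
    """Constructed input: labels of packets sampled at 1 in 1000."""
    return ["tcp/443"] * 10000 + ["udp/53"] * 400 + ["tcp/23"] * 4

if __name__ == "__main__":
    report = estimate_traffic(constructed_samples(), 1000)
    for name, r in sorted(report.items()):
        print(f"{name:8} ~{r['estimate']:>10} packets, +/- {r['pct_error']:.2f}%")
    print("usable:", trustworthy(report))
```

The error bound depends only on how many samples fell into a class, so a rarely seen class (four samples here) carries an error close to 100% and should not drive an alert on its own.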
Counter samples
A polling interval defines how often the network device sends interface counters. sFlow counter sampling is more efficient than SNMP polling when monitoring a large number of interfaces (Liu and Neufeld, "Management of the LHCb network based on SCADA system", CERN, December 2009, http://cdsweb.cern.ch/record/1216160/files/LHCb-CONF-2009-047.pdf).
sFlow datagrams
The sampled data is sent as a UDP packet to the specified host and port. The official port number for sFlow is port 6343 ("Port Numbers", IANA, https://www.iana.org/assignments/port-numbers).
The UDP payload contains the sFlow datagram. Each datagram provides information about the sFlow version, the originating device’s IP address, a sequence number, the number of samples it contains and one or more flow and/or counter samples.
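The datagram fields listed above can be read with a short, bounds-checked parser, shown here as an added example that is not code from the article or from sFlow.org. It assumes the sFlow version 5 layout (big-endian 32-bit fields; agent address type 1 = IPv4, 2 = IPv6; sub-agent ID and uptime fields alongside the sequence number; each sample prefixed by a format tag and a length), and the function names and the datagram it builds are constructed for illustration.

```python
import ipaddress
import struct

SAMPLE_KINDS = {1: "flow", 2: "counter", 3: "flow (expanded)", 4: "counter (expanded)"}

class SFlowError(ValueError):
    """Raised when a datagram is malformed or truncated."""

def take(buf, off, n):
    """Return n bytes at off plus the new offset, refusing to read past the end."""
    if off + n > len(buf):
        raise SFlowError(f"truncated: need {n} bytes at offset {off}")
    return buf[off:off + n], off + n

def u32(buf, off):
    raw, off = take(buf, off, 4)
    return struct.unpack("!I", raw)[0], off

def parse_sflow5(payload, max_samples=1024):
    """Parse the datagram header and list the samples without decoding them."""
    version, off = u32(payload, 0)
    if version != 5:
        raise SFlowError(f"unsupported sFlow version {version}")
    addr_type, off = u32(payload, off)  # 1 = IPv4, 2 = IPv6
    if addr_type not in (1, 2):
        raise SFlowError(f"unknown agent address type {addr_type}")
    raw, off = take(payload, off, 4 if addr_type == 1 else 16)
    sub_agent, off = u32(payload, off)
    sequence, off = u32(payload, off)
    uptime_ms, off = u32(payload, off)
    count, off = u32(payload, off)
    if count > max_samples:  # the sender controls this field, so cap it
        raise SFlowError(f"implausible sample count {count}")
    samples = []
    for _ in range(count):
        tag, off = u32(payload, off)      # enterprise (20 bits) | format (12 bits)
        length, off = u32(payload, off)   # declared length of the sample body
        _, off = take(payload, off, length)
        kind = SAMPLE_KINDS.get(tag & 0xFFF, "unknown") if tag >> 12 == 0 else "vendor"
        samples.append({"kind": kind, "length": length})
    return {"version": version, "agent": str(ipaddress.ip_address(raw)),
            "sub_agent": sub_agent, "sequence": sequence,
            "uptime_ms": uptime_ms, "samples": samples}

def build_sample_datagram():
    """Constructed test datagram: two samples with zero-filled placeholder bodies."""
    header = struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 10]), 0, 42, 60000, 2)
    return (header + struct.pack("!II", 1, 8) + bytes(8)
            + struct.pack("!II", 2, 4) + bytes(4))
```

Every count and length in the datagram is supplied by the sender, so a collector listening on the sFlow port should reject input that fails these checks instead of trusting the declared sizes.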
sFlow versions
::data[format=table]
| Version | Comment |
|---|---|
| v1 | Initial version |
| v2 | (Unknown) |
| v3 | Adds support for extended_url information. (Phaal, Panchen, "InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks", RFC 3176, section "sFlow Datagram Format") |
| v4 | Adds support for BGP communities. |
| v5 | Several protocol enhancements. ("sFlow Version 5", sFlow.org, http://sflow.org/sflow_version_5.txt) |
::
Related technologies
A well-known alternative is NetFlow (Hofstede, Celeda, Trammell, Drago, Sadre, Sperotto and Pras, "Flow Monitoring Explained: From Packet Capture to Data Analysis with NetFlow and IPFIX", IEEE Communications Surveys & Tutorials 16 (4), pp. 2037–2064, 2014, doi:10.1109/COMST.2014.2321898, S2CID 14042725, https://iris.polito.it/bitstream/11583/2658703/1/tutorial.pdf; "Packet capture", sFlow.org, https://blog.sflow.com/2011/11/tcpdump.html).
NetFlow, IPFIX
- NetFlow and IPFIX are flow export protocols that aim at aggregating packets into flows. After that, flow records are sent to a collection point for storage and analysis. sFlow, however, has no notion of flows or packet aggregation at all.
- sFlow allows for exporting packet data chunks and interface counters, which are non-typical features of flow export protocols. Note however that (recent) IPFIX developments provide a means for exporting SNMP MIB variables ("Exporting MIB Variables using the IPFIX Protocol", IETF, http://tools.ietf.org/html/draft-ietf-ipfix-mib-variable-export; "IP Flow Information Export (IPFIX) Entities", IANA, https://www.iana.org/assignments/ipfix/ipfix.xhtml).
- While flow export can be performed with 1:1 sampling (i.e., considering every packet), this is typically not possible with sFlow, as it was not designed to do so. Sampling forms an integral part of sFlow, aiming to provide scalability for network-wide monitoring ("Scalability and accuracy of packet sampling", sFlow.org, http://blog.sflow.com/2009/05/scalability-and-accuracy-of-packet.html).
::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::