sFlow

sFlow, short for "sampled flow", is an industry standard for packet export at Layer 2 of the OSI model. It was originally developed by InMon Corp. [1] It provides a means for exporting truncated packets, together with interface counters, for the purpose of network monitoring. Maintenance of the protocol is performed by the sFlow.org consortium, [2] the authoritative source of the sFlow protocol specifications. The current version of sFlow is v5.

Operation

sFlow uses mandatory sampling to achieve scalability [3] and is, for this reason, applicable to high speed networks (gigabit per second speeds and higher). [4] sFlow is supported by multiple network device manufacturers [5] and network management software vendors. [6]

An sFlow system consists of multiple devices performing two types of sampling: random sampling of packets [7] or application-layer operations, [8] and time-based sampling of counters. [7] The sampled packet/operation and counter information, referred to as flow samples and counter samples respectively, is sent as sFlow datagrams to a central server running software that analyzes and reports on network traffic: the sFlow collector. [9]

Flow samples

Based on a defined sampling rate, an average of 1 out of n packets/operations is randomly sampled. This type of sampling does not provide a 100% accurate result, but it does provide a result with quantifiable accuracy. [10]
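To make "quantifiable accuracy" concrete, the following Python is an added example (not code from the sFlow specification or from any sFlow.org tool). It emulates an agent's 1-in-N random sampling over a constructed traffic mix, scales the sampled counts back up to estimate the population, and attaches the standard binomial 95% relative error bound, about 1.96/√c for c samples. The class labels and packet counts are made up, and the sampling rate and seed are parameters of the demo.

```python
import math
import random


def sample_packets(packets, sampling_rate, rng):
    """Emulate an sFlow agent's 1-in-N random sampling: each packet is
    selected independently with probability 1/N, so on average one in N
    of them is exported as a flow sample."""
    return [p for p in packets if rng.random() < 1.0 / sampling_rate]


def estimate(sample_count, sampling_rate):
    """Scale a sampled count back to the population and return the 95%
    relative error bound, 1.96/sqrt(c), from the binomial standard error.
    With no samples at all nothing can be said, hence an infinite bound."""
    if sample_count == 0:
        return 0, math.inf
    return sample_count * sampling_rate, 1.96 / math.sqrt(sample_count)


def estimate_by_class(samples, sampling_rate):
    """Group the sampled packets by class and estimate each class's size."""
    counts = {}
    for label in samples:
        counts[label] = counts.get(label, 0) + 1
    return {label: estimate(c, sampling_rate) for label, c in counts.items()}


# Constructed traffic mix (not a real capture): the labels stand in for the
# truncated packet headers that a collector would classify.
TRAFFIC = {"web": 80_000, "dns": 15_000, "scan": 5_000}


def demo(sampling_rate=100, seed=1):
    """Sample the constructed population and return, per class,
    (estimated packet count, 95% relative error bound)."""
    population = [label for label, n in TRAFFIC.items() for _ in range(n)]
    rng = random.Random(seed)           # seeded so the run is reproducible
    samples = sample_packets(population, sampling_rate, rng)
    return estimate_by_class(samples, sampling_rate)


if __name__ == "__main__":
    for label, (est, rel_err) in demo().items():
        print(f"{label:5s} true={TRAFFIC[label]:6d} est={est:6d} "
              f"+/-{rel_err:.1%} (95% bound)")
```

Raising the sampling rate (say 1 in 1000) shrinks the number of samples tenfold and widens the bound for every class by about √10; the small "scan" class is the first to become unreliable, which is why a collector should report the bound alongside the estimate rather than the estimate alone.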

Counter samples

A polling interval defines how often the network device sends interface counters. sFlow counter sampling is more efficient than SNMP polling when monitoring a large number of interfaces. [11]

sFlow datagrams

The sampled data is sent as a UDP packet to the specified host and port. The official port number for sFlow is port 6343. [12] The lack of reliability in the UDP transport mechanism does not significantly affect the accuracy of the measurements obtained from an sFlow agent. If counter samples are lost then new values will be sent when the next polling interval has passed. The loss of packet flow samples results in a slight reduction of the effective sampling rate.

The UDP payload contains the sFlow datagram. Each datagram provides information about the sFlow version, the originating device’s IP address, a sequence number, the number of samples it contains and one or more flow and/or counter samples.
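As an added example (not from the sFlow specification or from any collector product), the following Python decodes the sFlow v5 datagram header and the header of each sample it carries, and uses the datagram sequence number to count datagrams lost in transit per agent, which is the only loss signal a collector gets over UDP. The field order follows the sFlow v5 specification (version, agent address, sub-agent id, sequence number, uptime, sample count, then samples); the agent addresses and every sample value below are constructed, and flow/counter record bodies are left undecoded.

```python
import struct
import ipaddress

SFLOW_PORT = 6343  # IANA-registered sFlow collector port


def _u32(buf, off):
    """Read one big-endian XDR unsigned int and advance the offset."""
    return struct.unpack_from("!I", buf, off)[0], off + 4


def parse_sflow_datagram(buf):
    """Decode the fixed header plus the per-sample headers of an sFlow v5
    datagram. Record contents inside each sample are not decoded."""
    version, off = _u32(buf, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type, off = _u32(buf, off)
    if addr_type == 1:                                    # IPv4 agent address
        agent, off = str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    elif addr_type == 2:                                  # IPv6 agent address
        agent, off = str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    sub_agent, off = _u32(buf, off)
    seq, off = _u32(buf, off)
    uptime_ms, off = _u32(buf, off)
    nsamples, off = _u32(buf, off)
    samples = []
    for _ in range(nsamples):
        sample_type, off = _u32(buf, off)
        length, off = _u32(buf, off)
        if off + length > len(buf):
            raise ValueError("sample length runs past end of datagram")
        body, off = buf[off:off + length], off + length
        rec = {"enterprise": sample_type >> 12, "format": sample_type & 0xFFF}
        if rec["enterprise"] == 0 and rec["format"] == 1:     # flow_sample
            keys = ("seq", "source_id", "sampling_rate", "sample_pool",
                    "drops", "input", "output", "num_records")
            rec.update(zip(keys, struct.unpack_from("!8I", body, 0)))
        elif rec["enterprise"] == 0 and rec["format"] == 2:   # counters_sample
            rec.update(zip(("seq", "source_id", "num_records"),
                           struct.unpack_from("!3I", body, 0)))
        samples.append(rec)
    return {"agent": agent, "sub_agent": sub_agent, "seq": seq,
            "uptime_ms": uptime_ms, "samples": samples}


class DatagramLossTracker:
    """Count datagrams lost in transit per (agent, sub_agent) from gaps in
    the header sequence number; UDP offers no retransmission."""

    def __init__(self):
        self.last_seq = {}
        self.lost = {}

    def observe(self, dgram):
        key = (dgram["agent"], dgram["sub_agent"])
        seq, prev = dgram["seq"], self.last_seq.get(key)
        self.last_seq[key] = seq
        if prev is None:
            return 0
        gap = (seq - prev - 1) & 0xFFFFFFFF   # tolerates 32-bit wrap-around
        if gap >= 0x80000000:                 # reordering or agent restart, not loss
            gap = 0
        self.lost[key] = self.lost.get(key, 0) + gap
        return gap


# --- encoder used only to build constructed input for the parser ---------

def build_datagram(agent_ip, sub_agent, seq, uptime_ms, samples):
    """Encode an sFlow v5 datagram from (format, body) sample tuples."""
    ip = ipaddress.ip_address(agent_ip)
    hdr = struct.pack("!II", 5, 1 if ip.version == 4 else 2) + ip.packed
    hdr += struct.pack("!IIII", sub_agent, seq, uptime_ms, len(samples))
    return hdr + b"".join(struct.pack("!II", fmt, len(body))
                          for fmt, body in samples for body in [body]) \
        if False else hdr + b"".join(struct.pack("!II", fmt, len(body)) + body
                                     for fmt, body in samples)


def flow_sample(seq, ifindex, rate, pool, drops, inp, out):
    """Format 1 header with no records; source_id type 0 means ifIndex."""
    return 1, struct.pack("!8I", seq, ifindex, rate, pool, drops, inp, out, 0)


def counters_sample(seq, ifindex):
    """Format 2 header with no records."""
    return 2, struct.pack("!3I", seq, ifindex, 0)


def demo():
    """Feed three constructed datagrams from one agent through the tracker;
    sequence numbers 102 and 103 never arrive."""
    tracker = DatagramLossTracker()
    stream = [
        build_datagram("192.0.2.10", 0, 100, 5000,
                       [flow_sample(1, 3, 512, 4096, 0, 3, 7), counters_sample(1, 3)]),
        build_datagram("192.0.2.10", 0, 101, 6000,
                       [flow_sample(2, 3, 512, 8192, 0, 3, 7)]),
        build_datagram("192.0.2.10", 0, 104, 9000, [counters_sample(2, 3)]),
    ]
    gaps = [tracker.observe(parse_sflow_datagram(d)) for d in stream]
    return gaps, tracker.lost
```

Counting gaps this way lets a collector distinguish the harmless case described above (a lost counter sample is simply refreshed next interval) from sustained loss that silently raises the effective sampling rate and skews every estimate built on the flow samples.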

sFlow versions

Version   Comment
v1        Initial version
v2        (Unknown)
v3        Adds support for extended_url information. [13]
v4        Adds support for BGP communities. [13]
v5        Several protocol enhancements. [14] This is the current version, which is globally supported.

A well-known alternative is NetFlow [15] (see below). Depending on the IT resources available, it may also be possible to perform full packet captures [16] using dedicated network taps, with the captured traffic analysed afterwards.


NetFlow, IPFIX

References

  1. "InMon: SFlow".
  2. "sFlow.org - Making the Network Visible". sFlow.org. Retrieved 2016-03-09.
  3. Jedwab, Jonathan; Phaal, Peter; Pinna, Bob (March 1992). "Traffic Estimation for the Largest Sources on a Network, Using Packet Sampling with Limited Storage" (PDF). HP Labs. Retrieved 2016-03-09.
  4. Jasinska, Elisa (December 2006). "sFlow, I can feel your traffic" (PDF). Amsterdam Internet Exchange (AMS-IX). Retrieved 2016-03-09.
  5. "sFlow Products: Network Equipment". sFlow.org. Retrieved 2016-03-09.
  6. "sFlow Products: sFlow Collectors". sFlow.org. Retrieved 2016-03-09.
  7. Phaal, Peter; Lavine, Marc (July 2004). "sFlow Version 5". sFlow.org. Retrieved 2014-06-26.
  8. Phaal, Peter; Jordan, Robert (July 2010). "sFlow Host Structures". sFlow.org. Retrieved 2010-10-23.
  9. "Traffic Monitoring using sFlow" (PDF). sFlow.org. 2003. Retrieved 2010-10-23.
  10. Phaal, Peter; Panchen, Sonia (2002). "Packet Sampling Basics". sFlow.org. Retrieved 2010-10-23.
  11. Liu, G.; Neufeld, N. (December 2009). "Management of the LHCb network based on SCADA system" (PDF). CERN. Retrieved 2010-10-23.
  12. "Port Numbers". IANA. Retrieved 2010-10-23.
  13. Phaal, Peter; Panchen, Sonia; McKee, Neil (September 2001). "sFlow Datagram Format". InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks. IETF. doi:10.17487/RFC3176. RFC 3176. Retrieved 2014-06-20.
  14. "sFlow Version 5". sFlow.org. Retrieved 2014-06-20.
  15. Hofstede, Rick; Celeda, Pavel; Trammell, Brian; Drago, Idilio; Sadre, Ramin; Sperotto, Anna; Pras, Aiko (2014). "Flow Monitoring Explained: From Packet Capture to Data Analysis with NetFlow and IPFIX" (PDF). IEEE Communications Surveys & Tutorials. 16 (4): 2037–2064. doi:10.1109/COMST.2014.2321898. S2CID 14042725.
  16. "Packet capture". sFlow.org. Retrieved 2019-07-13.
  17. "Exporting MIB Variables using the IPFIX Protocol". IETF. Retrieved 2014-06-19.
  18. "IP Flow Information Export (IPFIX) Entities". IANA. Retrieved 2014-06-19.
  19. "Scalability and accuracy of packet sampling". sFlow.org. Retrieved 2014-06-19.