RE: Newbie: sflow vs netflow

From: Peter Phaal <peter.phaal@inmon.com>
Date: 01/12/05
Message-Id: <200501122235.j0CMZp4U016076@zeus.inmon.com>

>Please bare with me as I am looking to write my own Sflow collector am I
>just trying to get my head straight about what SFlow actually does.

>What does an sflow agent actually export in a sflow datagram for a flow
>sample?

>From what I have read, it would seem that it samples packets running
>through the switch/router and exports the headers. Is this right?

This is correct - it exports the packet headers of the sampled packets. In
addition the device exports forwarding information associated with its
treatment of the packet, including input/output interfaces, VLANs, subnets,
next-hop, BGP as-path etc.

>Does it export statistics on "packet flows" like netflow does or does just
>export a subset of the packets that have been seen by the sflow agent?

The device does not perform aggregation. It is up to the sFlow collector to
aggregate and scale the traffic measurements. Shifting the aggregation
function to the collector has a number of advantages:
1. It reduces the CPU load on the device.
2. It reduces the amount of memory required on the device.
3. It allows the collector to have a real-time view of traffic (aggregation
on the device results in delayed measurements).
4. It allows the collector to implement whatever aggregation schemes it
wants, rather than being limited to aggregation schemes supported by the
device.

>Also, is there a more 'user friendly', version of the datagram format?

If you are developing your own sFlow collector, then the source code for
sflowtool is a good place to start:
http://www.inmon.com/technology/sflowTools.php

As well as providing source code for decoding sFlow, there are also some
basic sFlow analysis scripts that illustrate how to aggregate and scale
sampled data. If you want more information on sampling the white paper:
http://www.sflow.org/packetSamplingBasics/index.htm
will give you the basics.

You might want to look at existing sFlow collectors at:
http://www.sflow.org/products/software.php

Both NTOP and sflowtool are open source, depending on your requirements you
might want to use them as a starting point for your project.

Peter
Received on Wed Jan 12 14:35:58 2005

This archive was generated by hypermail 2.1.8 : 01/12/05 PST