RE: sFlow sample - multiple flow data formats

From: Peter Phaal <peter.phaal@inmon.com>
Date: 06/29/06
Message-ID: <040f01c69b95$46a4b6b0$3500000a@PHAALPC>

Elisa,

The relevant description from the specification is:
/* Flow Data Types

   A flow_sample must contain packet header information. The
   prefered format for reporting packet header information is
   the sampled_header. However, if the packet header is not
   available to the sampling process then one or more of
   sampled_ethernet, sampled_ipv4, sampled_ipv6 may be used. */

Note: A flow sample always describes a single packet (see the definitions of
Packet Flow and Packet Flow Sampling from section 2.1 of the sFlow5
specification).

A sflow_sample will typically consist of a sampled_header structure. The
sampled_ethernet, sampled_ipv4, and sampled_ipv6 structures are only
permitted if the device is incapable of accessing the packet header when it
takes a sample.

The specification is a little vague about the meaning of multiple
sampled_ethernet, sampled_ipv4 and sampled_ipv6 records in a flow_sample.
It's hard to see how a device would be able to populate many of these
records if it didn't have access to the packet header (in which case it
would be required to send a sampled_header instead). In any event the only
situation where you could see repetition of records would be if the flow
sample represented a tunneled packet (i.e. ipv6 over ipv4, ipv4 over ipv4 or
ipv4 over ipv6). In this situation it could make sense to encode multiple
records in network stack order (information from the start of the packet
header first).

As a practical matter, I don't believe any current sFlow implementations use
anything other than a single sampled_header record per flow_sample.

Of course there are typically a number of Extended Flow Data records
included in the flow_sample as well.

The source code for sflowtool is available, and provides a good starting
point for implementing your own collector:
http://www.inmon.com/technology/sflowTools.php

Peter

-----Original Message-----
From: owner-sflow@sflow.org [mailto:owner-sflow@sflow.org] On Behalf Of
Elisa Jasinska
Sent: Thursday, June 29, 2006 3:14 AM
To: sflow@sflow.org
Subject: [sFlow] sFlow sample - multiple flow data formats

Hi,

I'm currently developing an sFlow collector and I have a question about
the flow data structure.

There can be multiple flow data entries in one sample but I assume
always only one of each format? Is that defined somewhere? (for v.5)

And the same with the extended data in v.<4? There shouldn't be the same
extended data format more then once, or?

Regards 

-- 
Elisa Jasinska
http://www.ams-ix.net
Received on Thu Jun 29 09:06:09 2006

This archive was generated by hypermail 2.1.8 : 06/29/06 PDT