From Wikipedia, the free encyclopedia
Jump to: navigation, search

sFlow is a technology for monitoring network,[1] wireless[2] and host[3] devices. The sFlow.org consortium[4] is the authoritative source for the sFlow protocol specifications.[5] sFlow version 5 is the current version of sFlow. Previous versions of sFlow, including RFC 3176, have been deprecated.[6]


sFlow uses sampling to achieve scalability[7] and is, for this reason, applicable to high speed networks (gigabit per second speeds and higher).[8] sFlow is supported by multiple network device manufacturers[9] and network management software vendors.[10]

An sFlow system consists of multiple devices performing two types of sampling: random sampling of packets[1] or application layer operations,[3] and time-based sampling of counters.[1] The sampled packet/operation and counter information, referred to as flow samples and counter samples respectively, are sent as sFlow datagrams to a central server running software that analyzes and reports on network traffic; the sFlow collector.[11]

Flow samples[edit]

Based on a defined sampling rate, an average of 1 out of n packets/operations is randomly sampled. This type of sampling does not provide a 100% accurate result, but it does provide a result with quantifiable accuracy.[12]

Counter samples[edit]

A polling interval defines how often the network device sends interface counters. sFlow counter sampling is more efficient than SNMP polling when monitoring a large number of interfaces.[13]

sFlow datagrams[edit]

The sampled data is sent as a UDP packet to the specified host and port. The official port number for sFlow is port 6343.[14] The lack of reliability in the UDP transport mechanism does not significantly affect the accuracy of the measurements obtained from an sFlow agent. If counter samples are lost then new values will be sent when the next polling interval has passed. The loss of packet flow samples results in a slight reduction of the effective sampling rate.

The UDP payload contains the sFlow datagram. Each datagram provides information about the sFlow version, the originating device’s IP address, a sequence number, the number of samples it contains and one or more flow and/or counter samples.

See also[edit]


  1. ^ a b c Phaal, Peter; Lavine, Marc (July 2004). "sFlow Version 5". sFlow.org. Retrieved 2010-10-23. 
  2. ^ Phaal, Peter; Wendt, Jim (April 2007). "sFlow 802.11 Structures". sFlow.org. Retrieved 2010-10-27. 
  3. ^ a b Phaal, Peter; Jordan, Robert (July 2010). "sFlow Host Structures". sFlow.org. Retrieved 2010-10-23. 
  4. ^ "sFlow.org - Making the Network Visible". sFlow.org. Retrieved 2010-10-23. 
  5. ^ "About sFlow.org". sFlow.org. Retrieved 2010-10-23. 
  6. ^ "Specifications for Developers". sFlow.org. Retrieved 2010-10-23. 
  7. ^ Jedwab, Jonathan; Phaal, Peter; Pinna, Bob (March 1992). "Traffic Estimation for the Largest Sources on a Network, Using Packet Sampling with Limited Storage". HP Labs. Retrieved 2010-10-23. 
  8. ^ Jasinska, Elisa (December 2006). "sFlow, I can feel your traffic". Amsterdam Internet Exchange (AMS-IX). Retrieved 2010-10-23. 
  9. ^ "sFlow Products: Network Equipment". sFlow.org. 
  10. ^ "sFlow Products: sFlow Collectors". sFlow.org. Retrieved 2010-10-23. 
  11. ^ "Traffic Monitoring using sFlow". sFlow.org. 2003. Retrieved 2010-10-23. 
  12. ^ Phaal, Peter; Panchen, Sonia (2002). "Packet Sampling Basics". sFlow.org. Retrieved 2010-10-23. 
  13. ^ Liu, G.; Neufeld, N. (December 2009). "Management of the LHCb network based on SCADA system". CERN. Retrieved 2010-10-23. 
  14. ^ "Port Numbers". IANA. Retrieved 2010-10-23. 

External links[edit]