The sFlow frame_length field isn't intended to be vague. If you are seeing
non-conforming sFlow implementations, please raise the issue with the
vendor so they can fix the issue.
Verifying that the frame_length and stripped fields are correctly
implemented is one of the tests performed by the sFlo
-cisco8k/m-sflow-commands.html
I couldn't find a similar option in the NetFlow/IPFIX configuration guide,
but I might have missed it.
On Thu, Mar 28, 2024 at 10:48 AM Saku Ytti wrote:
> Hey,
>
> On Thu, 28 Mar 2024 at 17:49, Peter Phaal wrote:
>
> > sFlow was mentioned
eam enrichment does add a level of operational
complexity.
On Wed, Mar 27, 2024 at 11:03 PM Saku Ytti wrote:
> On Wed, 27 Mar 2024 at 21:02, Peter Phaal wrote:
>
> > Brian, you may want to see if your routers support sFlow (vendors have
> added the feature over the last few years).
Brian, you may want to see if your routers support sFlow (vendors have
added the feature over the last few years).
In particular, see if it includes support for the sFlow extended_gateway
structure:
/* Extended Gateway Data */
/* opaque = flow_data; enterprise = 0; format = 1003 */
struct extend
Export of destination AS-Path is supported in the sFlow extended_gateway
structure.
/* Extended Gateway Data */
/* opaque = flow_data; enterprise = 0; format = 1003 */
struct extended_gateway {
next_hop nexthop; /* Address of the border router that should
https://github.com/sflow-rt/active-routes
Inspired by SIR, but uses Bird multi-table capability to separate RIB/FIB
routes.
On Tue, Jan 3, 2023 at 7:47 AM Mike Hammett wrote:
> https://github.com/dbarrosop/sir
>
> I came across this over the weekend. Given that the project was abandoned
> six y
Sounds like an interesting project. You might want to take a look at
sflowtool to get started. The following article shows how to use sflowtool
to decode sFlow datagrams and includes a simple Python script matching IP
addresses against a known threat database.
https://blog.sflow.com/2018/12/sflow-
Juniper added sFlow support to MX routers in Junos 18.1R1,
https://blog.sflow.com/2018/04/sflow-available-on-juniper-mx-series.html
You might want to consider deploying sFlow instead of IPFIX, particularly
if you are interested in DDoS mitigation where low latency and visibility
into packet header
You could use Prometheus / Grafana to build the dashboards.
The following example is a starting point (top ASNs / Countries by traffic
volume):
https://grafana.com/grafana/dashboards/11146
The example could be modified to make the make router / interface
selectable, or cloned to create separate p
On Tue, Apr 16, 2019 at 8:35 PM Deepak Jain wrote:
> Now I know I'm pushing my luck... but do certain vendors more fully
> embrace sFlow than others? maybe one of the whitebox vendors if not one
> of the majors?
>
> Hacking support into something isn't the worse thing in the world, but
> if there
Tony,
You might find the following article useful in identifying features to
consider when evaluating sFlow analyzers:
https://blog.sflow.com/2009/05/choosing-sflow-analyzer.html
The following white paper discusses accuracy of packet sampling for usage
accounting:
https://inmon.com/pdf/sFlowBilli
Hi All,
I thought there might be interest in availability of sFlow in Junos OS
Release 18.1R1 for MX routers:
https://blog.sflow.com/2018/04/sflow-available-on-juniper-mx-series.html
Peter
On Sat, Jan 20, 2018 at 11:26 AM, Colton Conor
wrote:
>
> Thanks for the information. Do you have a recommendation of which
> distribution of Linux to use for this? Is there one that is more network
> centric than another?
>
Cumulus Linux, OpenSwitch, and Open Network Linux are all Debian based s
On Sat, Jan 20, 2018 at 9:32 AM, Colton Conor
wrote:
>
> My understanding if Free Range Routing is a package of software that runs
> in linux, but not a full and true NOS right?
>
Why not consider Linux a NOS? Installing Free Range Routing adds control
plane protocols: BGP, OSPF, ISIS, etc.
> I
On Wed, Nov 29, 2017 at 9:06 AM, William Herrin wrote:
> On Tue, Nov 28, 2017 at 3:48 PM, Yifeng Zhou
> wrote:
>
> > Is there any way that we can track TCP session hop by hop?
> >
> > Say we have 10 ECMP between A and Z point, what's the easiest way to
> track
> > specific session is using which
Patrick,
You might want to try pmacct:
http://www.pmacct.net/
Peter
On Sat, Jan 28, 2017 at 8:17 AM, Patrick Velder wrote:
> Hi there
>
> I'm currently switching from MikroTik CCR 1009 to SuperMicro 5018D-FN8T as
> small router. Now I'd love to integrate BGP infos into netflow/sflow, as
> Mikr
On Thu, Jun 16, 2016 at 1:19 AM, Saku Ytti wrote:
> On 16 June 2016 at 06:21, Eric Kuhnke wrote:
>> Based on their investors, could have interesting results for much lower
>> cost 100GbE whitebox switches.
>
> Why lower cost? The BOM isn't the expensive part, the code is the
> expensive part. Onl
Many drawing tools support SVG as a file export format. Exporting or
converting the map to SVG format allows the map attributes (link
colors, widths, etc) to be modulated using JavaScript embedded in the
web page.
As an example, the following SC15 weathermap was created by converting
a PDF diagram
On Wed, Mar 16, 2016 at 11:45 AM, Eric Kuhnke wrote:
> Would anyone care to share their experience using collectd as an
> alternative to rtg for high-resolution polling of interface traffic and
> long term storage?
>
> I am investigating the various options for large data set size, lossless
> long
On Thu, Mar 3, 2016 at 9:16 AM, Nick Hilliard wrote:
> The beauty of sflow is that you can do anything in the collector, but
> most people aren't going to do this because it means maintaining two
> sets of data about your flow configuration: one set on the switch and
> one set in your collector co
em vendor.
On Thu, Mar 3, 2016 at 3:53 AM, Nick Hilliard wrote:
> Peter Phaal wrote:
>> I think "pathologically broken" somewhat overstates the case.
>> Bidirectional sampling is allowed by the sFlow spec and other vendors
>> have made that choice. Another vendor used
On Wed, Mar 2, 2016 at 2:45 PM, Nick Hilliard wrote:
> Peter Phaal wrote:
>> Monitoring ingress and egress in the switch is wasteful of resources.
>
> It's more than a waste of resources: it's pathologically broken and
> Cisco decline to fix it, despite the fact t
On Wed, Mar 2, 2016 at 9:30 AM, Nick Hilliard wrote:
> Peter Phaal wrote:
>> The Nexus 3200 should work well with 100G flows - I believe it's
>> based on the latest Broadcom Tomahawk ASIC. The older Trident II
>> ASICs in the Nexus 9k are 40g parts
>
> does nx-o
>
> On Mar 1, 2016, at 10:12 PM, Mark Tinka wrote:
>
>
>
>> On 2/Mar/16 08:04, Mark Tinka wrote:
>>
>> We were initially looking at at the Nexus 9000, but then moved to the
>> 7700 because the Broadcom chip on the 7700 cannot do single flows larger
>> than 40Gbps on the 100Gbps ports.
>
> Th
On Tue, Mar 1, 2016 at 6:13 AM, Mark Tinka wrote:
>
>
> On 29/Feb/16 12:15, Nikolay Shopik wrote:
>
>> Cisco Nexus switches support sflow, since they are broadcom based.
>
> Not all of them, just the Nexus 9000, IIRC.
>
The situation in the Cisco Nexus line is confusing. In addition, to
the Nexus
InfluxDB + Grafana are a modern alternative from the DevOps space:
http://lkhill.com/using-influxdb-grafana-to-display-network-statistics/
On Fri, Feb 26, 2016 at 3:18 PM, Baldur Norddahl
wrote:
> Hi
>
> I am currently using MRTG and RRD to make traffic graphs. I am searching
> for more modern a
the external server. Embedded instrumentation is simple
to deploy and reduces operational complexity and cost when compared to
add on probe solutions.
Peter Phaal
InMon Corp.
You might want to take a look at the Host sFlow SourceForge project:
http://host-sflow.sourceforge.net/
The hsflowd agent used the sFlow protocol to export interface
counters, host performance statistics and packet flows (collected
using iptables ULOG).
Peter
On Thu, Nov 13, 2014 at 9:09 AM, Eli
What is the business model for the IX? Unauthorized filtering of
incoming traffic risks collateral damage and outing exchange members
seems problematic.
The business model seems clearer when offering filtering as a service
to downstream networks, the effects are narrowly scoped, and members
have c
Brocade demonstrated how peering exchanges can selectively filter
large NTP reflection flows using the sFlow monitoring and hybrid port
OpenFlow capabilities of their MLXe switches at last week's Network
Field Day event.
http://blog.sflow.com/2014/02/nfd7-real-time-sdn-and-nfv-analytics_1986.html
On Mon, Feb 3, 2014 at 2:58 PM, Christopher Morrow
wrote:
> wait, so the whole of the thread is about stopping participants in the
> attack, and you're suggesting that removing/changing end-system
> switch/routing gear and doing something more complex than:
> deny udp any 123 any
> deny udp an
On Mon, Feb 3, 2014 at 12:38 PM, Christopher Morrow
wrote:
> On Mon, Feb 3, 2014 at 2:42 PM, Peter Phaal wrote:
>> On Mon, Feb 3, 2014 at 10:16 AM, Christopher Morrow
>> wrote:
>>> On Mon, Feb 3, 2014 at 12:42 PM, Peter Phaal wrote:
>
>>> There's ce
On Mon, Feb 3, 2014 at 10:16 AM, Christopher Morrow
wrote:
> On Mon, Feb 3, 2014 at 12:42 PM, Peter Phaal wrote:
>> Why burn the village when only one house is the problem? I thought
>> there might be some interest in hearing about work being done to use
>> SDN to au
Why burn the village when only one house is the problem? I thought
there might be some interest in hearing about work being done to use
SDN to automatically configure filtering in existing switches and
routers to mitigate flood attacks.
Real-time analytics based on measurements from switches/route
Dan,
If you are using sFlow for your measurements, then you might want to take a
look sFlow-RT for DDoS mitigation. The following case study describes how
sFlow and null routing are being used to mitigate flood attacks:
http://blog.sflow.com/2013/03/ddos.html
The analytics engine will detect flo
You might want to take a look at pmacct, http://www.pmacct.net/. It
includes an embedded version of Quagga, allowing BGP AS Path data to be
efficiently joined with flow records.
Peter
On Tue, May 14, 2013 at 3:59 PM, Erik Sundberg wrote:
> Does anyone know of a netflow collector that will do th
On Mon, Feb 25, 2013 at 2:10 AM, Saku Ytti wrote:
> On (2013-02-25 13:53 +0530), Glen Kent wrote:
>
>> I understand that this is just some bit of what we can do with SDN. The
>> amount of what all can be done is limitless. So, a question to all out
>> there - Is my understanding of what can be ach
I wanted to bring attention to the following draft proposal from
Mellanox to export traffic information from InfiniBand switches:
http://sflow.org/draft_sflow_infiniband.txt
If you are an InfiniBand user, this is a great opportunity to think
about the types of metrics that you woud want from your
On Tue, Feb 19, 2013 at 8:21 PM, Bao Nguyen wrote:
> Anyone have worked with the switching vendor Quanta for their 10ge switching
> as
> TOR? [1] Their spec looked interesting and they are quiet cheap.
>
>
> [1]
> http://www.quantaqct.com/en/01_product/02_detail.php?mid=30&sid=114&id=116&qs=63
>
Peter,
Network visibility wasn't mentioned as a requirement, but it is worth
considering since the ToR switches are the best place monitor server
network I/O, tunneled traffic (VxLAN, GRE etc), storage (iSCSI, FCoE,
HDFS etc).
The Nexus 5548 switch does not include monitoring (i.e. no
NetFlow/sFl
Do the layer 2 switches include sFlow instrumentation?
http://sflow.org/products/network.php
The following paper describes how IP TTL values can help identify
unauthorized NAT devices.
http://www.sflow.org/detectNAT/
Peter
On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote:
> Gentlemen,
>
On Mon, Sep 24, 2012 at 11:19 AM, Joe Loiacono wrote:
> OK, Well I guess I was thinking sFlow was primarily a switch oriented
> technology versus on a layer-3 peering router.
The sFlow technology is a good fit for any device that performs a
packet forwarding function (including routers) and the s
On Mon, Sep 24, 2012 at 5:48 AM, Joe Loiacono wrote:
> Peter Phaal wrote on 09/23/2012 12:23:57 PM:
>
>
>> Exporting packet oriented measurements doesn't mean that you have to
>> loose ingress/egress interface data. In the specific example being
>> discussed (sF
On Sun, Sep 23, 2012 at 8:16 AM, Dobbins, Roland wrote:
>
> On Sep 23, 2012, at 7:55 PM, Danny McPherson wrote:
>
>> If the *flow generation process is not performed on the router (or otherwise
>> conveyed by some metadata outside of "raw [sampled] packet headers") then
>> you lose visibility to i
On Sat, Sep 22, 2012 at 4:41 PM, Dobbins, Roland wrote:
> You have misinterpreted what I said. I was saying that flow telemetry of any
> variety must be exported from edge devices, which in most cases are routers
> (in some cases layer-3 switches), in response to your 'move it out of the
> route
On Fri, Sep 21, 2012 at 10:02 PM, Dobbins, Roland wrote:
>
> On Sep 22, 2012, at 12:40 AM, Peter Phaal wrote:
>
>> However, moving the flow generation out of the router gives a lot of
>> flexibility.
>
> Actually, moving it out of the router creates huge problems a
On Thu, Sep 20, 2012 at 11:21 AM, Mikael Abrahamsson wrote:
> Most of the platforms I know of do sampled netflow at 1:100-1:1000 or so,
> and then I don't really see the fundamental difference in doing the flow
> analysis on the router itself (classic netflow) or doing the same but at the
> sFlow
On Sat, Jul 14, 2012 at 1:30 AM, Łukasz Bromirski wrote:
> sFlow is really sPacket, as it doesn't deal with flows.
>
> NetFlow, jFlow, IPFIX deal with flows.
I am a puzzled by the orthodoxy that seems to prevail around the value
"flows" as a measure of network traffic in packet switched networks.
In the case of sFlow, the collector determines how to report bytes.
The sFlow agent reports the size of the sampled layer 2 frame (along
with the first 128 bytes of the frame) and the collector can choose
whether to report L2 bytes, L3 bytes, L4 bytes etc. by subtracting the
sizes of the headers. I
Hi David,
The main architectural difference between sFlow and Netflow is the
location of the flow cache:
1. NetFlow: Packets are decoded on the router, flow keys are extracted
and used to lookup/create an entry in a flow cache which is then
updated based on values in the packet. Records are expor
On Thu, Feb 23, 2012 at 1:59 PM, Justin M. Streiner
wrote:
> On Thu, 23 Feb 2012, Maverick wrote:
>
>> I want to be able to see information like how much traffic an ip send
>> over a period of time, what machines it talked to etc from this
>> perspective it should be IP based but I would really li
sFlowTrend is free for up to five routers and should meet your requirement to
quickly see top flows:
http://inmon.com/products/sFlowTrend.php
sFlowTrend is InMon's entry level product, if you need more features you might
want to try sFlowTrend-Pro or Traffic Sentinel.
When selecting an sFlow a
The latest version of Host sFlow adds support for ULOG traffic
monitoring (with ingress/egress ifIndex numbers):
http://host-sflow.sourceforge.net/
Cheers,
Peter
> My only issue is that I can't seem to find any good software for Linux that
> works with multiple interfaces to generate the flow in
53 matches
Mail list logo
