About sFlow
Because businesses rely on network services for mission critical applications, small changes in network usage can impact network performance and reliability. As a result, these changes can also impact a business’ ability to conduct key business functions and increase the cost of maintaining network services.
Figure 1: Overview of sFlow
sFlow provides visibility into network usage and active routes on the network by supplying the data required to control and manage network usage effectively. This ensures that network services provide a competitive edge to the business.
A few examples of sFlow applications include the following:
Detecting, diagnosing, and fixing network problems
Real-time congestion management
Understanding application mixes such as P2P, Web, DNS
Usage accounting for billing
Audit trail analysis to identify unauthorized network activity and trace sources of Denial of Service (DoS) attacks
Route profiling and optimizing peers
Trending and capacity planning
sFlow is an open source sampling tool providing constant traffic flow information on all enabled interfaces simultaneously. sFlow data is sent to a collector that formats the data into charts and graphs while recording and identifying trends on the network. You can use this information to troubleshoot a network, perform diagnostics, and analyze data.
The sFlow agent on the switch samples packets from data flows and forwards the headers of the sampled packets to a collector at regular intervals. You can specify the number of packets to sample from the total packets, which is called the sample rate. The packets are stored and sent to the collector at an interval that you can configure on the switch. This is called the polling interval. You can sample different types of packets such as frames sent to the CPU or interfaces of the switch, routed packets, flooded packets, and multicast packets. However, the following packet types are not sampled by sFlow:
LACP frames
LLDP frames
STP BPDUs
IGMP packets
Ethernet PAUSE frames
Frames with CRC errors
PIM_HELLO packets
Packets dropped by ACLs
Packets dropped as a result of VLAN violations
Routed packets with IP options or MTU violations
Configuring the sFlow Collector
Before configuring the sFlow agents, you must configure the sFlow collector. The sFlow collector receives sFlow datagrams from the sFlow agents. In this example, the sFlow collector has an IP address of 10.1.1.243, and a default port of 6343. The collector name is net-man-all, and the scope is fabric. If the scope is fabric, then additional switches that join the fabric receive the sFlow collector configuration. If the scope is local, then the sFlow collector is configured only on one switch.
CLI network-admin@switch > sflow-collector-create collector-ip 10.1.1.243 collector-port 6343 name net-man-all scope fabric
You can add as many collectors as needed for your configuration.
Enabling sFlow on the Network
You must configure and enable sFlow on each switch that you want to use for monitoring network traffic. You can only configure one sFlow per switch.
On each switch in the example diagram, use the following command to enable sFlow, net-monitor, on ingress ports 57-59, sample type raw, sample-rate 4096, sample interval 5 seconds, trunc-length 160 bytes, on VLAN 200:
CLI network-admin@switch > sflow-create name net-monitor sample-type raw ports 57-59 sample-rate 4096 trunc-length 160 vlan 200
Adding Additional Ports to sFlow
To add the ports, 61-62, to the sFlow configuration, you must use the following command on each switch:
CLI network-admin@switch > sflow-port-add sflow-name net-monitor switch 10.1.1.23 ports 61-62
In this example, the IP address of the switch is used as the name of the switch.
Removing Ports from the sFlow Configuration
You can remove ports from the sFlow configuration by using the sflow-port-remove command:
CLI network-admin@switch > sflow-port-remove sflow-name net-monitor switch 10.1.1.23 ports 61-62
Counter Sampling
For counter sampling, also called polling, the sFlow agent periodically polls the hardware interface statistics registers (counters) in the switch chip for per-port statistics, and stores them in RAM until it is time to send the next message to the sFlow collector. Overall port statistics, such as the number of broadcasts and errors, are collected by the sFlow agent.
The agent then includes the statistics in the sFlow datagrams sent to the sFlow collector along with the packet sampling information. From these statistics, the sFlow obtains information about the actual utilization of each port. For instance, information about broadcast to multicast to unicast ratios is captured.
When you configure the agent for counter sampling, it sends an sFlow datagram at intervals of a second, at most. The datagram contains a snapshot of the counters cached in RAM from the most recent polling of interface counters.
Packet Sampling
Packet sampling is used to characterize network traffic. If the sFlow agent is configured for packet sampling, the agent takes copies of random samples of packets forwarded within the switch CPU and sends them to the switch for processing. The CPU sends a configured portion of the sampled packet, containing a number of protocol headers and possibly some of the payload data, to the sFlow collector. Random sampling prevents the synchronization of periodic traffic patterns. On average, 1 in every N packets is captured and analyzed. The sampling can apply to ingress and egress frames independently. The rate at which the agent sends datagrams depends on the sampling rate, the traffic rate, and the configured maximum datagram size. Typically, several samples are included in the datagram.
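The following added example (not part of the original documentation) scales 1-in-N packet samples to per-source traffic estimates, the step a collector performs when tracing the heaviest sources during a suspected DoS. The 95% error bound of 196 * sqrt(1/c) percent for c samples comes from the sampling analysis published by sFlow.org, not from this page; the function name, the threshold and the sample records are constructed for illustration.

```python
import math
from collections import Counter

def estimate_by_source(samples, sampling_rate, max_error_pct=25.0):
    """Scale 1-in-N packet samples to per-source totals with a 95% error bound."""
    hits, octets = Counter(), Counter()
    for src, frame_len in samples:
        hits[src] += 1
        octets[src] += frame_len
    report = []
    for src, c in hits.most_common():
        # Relative error shrinks with the number of samples seen for this source,
        # not with the total traffic volume.
        error_pct = 196.0 * math.sqrt(1.0 / c)
        report.append({
            "src": src,
            "est_packets": c * sampling_rate,
            "est_bytes": octets[src] * sampling_rate,
            "error_pct": round(error_pct, 1),
            # Too few samples: treat the estimate as a hint, not as evidence.
            "reliable": error_pct <= max_error_pct,
        })
    return report

# Constructed (source IP, frame length) records, as if taken at sample-rate 4096.
SAMPLES = ([("192.0.2.10", 64)] * 400
           + [("198.51.100.7", 1500)] * 16
           + [("203.0.113.5", 512)])

if __name__ == "__main__":
    for row in estimate_by_source(SAMPLES, sampling_rate=4096):
        print(row)
```

A source seen in only a handful of samples carries an error bound too wide to justify an ACL or rate-limit decision on its own; collect for longer or lower the sample rate before acting on it.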
Agent to Collector Datagrams
After gathering packet and counter samples, each sFlow agent creates a packet of the data and sends it to an sFlow collector in UDP datagrams. The datagrams contain the IP address of the sFlow collector and the standard UDP destination port number of 6343. Using a standardized port helps avoid configuration between sFlow agents and collectors. If the sFlow agent is configured for counter sampling or packet sampling, or both, an sFlow datagram can contain either interface counters, packet samples, or a mixture of both.
The following table provides information about the contents of sFlow datagrams:
 
| Packet Header | Information |
|---|---|
| Version | The sFlow version used on the network. |
| IP Address Type | An IPv4 or IPv6 address |
| Source IP Address | The IP address of the sFlow agent |
| Sequence Number | The sequence number of the datagram |
| System Uptime | The length of time that the system is operational. |
| Sample Count | The number of samples in the datagram |
| Ingress Interfaces | The ifindex of the switch port where the packets entered the agent. |
| Egress Interfaces | The ifindex of the switch port where the packets exited the agent. |
| Sample dataset | sFlow-specific parameters: Sequence Numbers; Sampling Rate; Total Packets available for sampling; Number of sampled packets dropped because there was no processing resource for them. |
| Packet Samples | Packet sample information and may contain several samples. |
| Packet data | The sampled data that may include the packet payload data and the number on length of protocol headers. This information depends on the size of the size, up to 200 bytes. |
| Counter Sample | Counter statistical information - fitted in where space permits. |
| If index | The ifindex of the interface related to the counters. |
| Physical Interface Parameters | Speed; Duplex mode; Admin status; Operational status of the interface |
| In Counters | ifInOctets; ifInUnicastPkts; ifInMultiPkts; ifInBroadcastPkts; ifInDiscards; ifInErrors; ifInUnknownProbs |
| Out Counters | ifOutOctets; ifOutUcastPkts; ifOutDiscards; ifOutErrors |
| Promiscuous Mode | The private VLAN promiscuous mode of the interface |
| Ethernet Statistics | Alignment Errors; FCS Errors; SQE Errors; Deferred Transmission; Internal MAC errors; Carrier sense errors; Overlength frame errors; Symbol errors |
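The datagram header fields listed above can be decoded as in the following added example, which is not part of the original documentation. It assumes the sFlow version 5 wire layout from the sFlow.org specification (the page does not state which version the switch emits), including a sub-agent ID field that the table omits. Because a collector receives these datagrams over UDP from the network, every declared length is checked before it is used. The function and constant names are hypothetical, and the datagram is constructed.

```python
import ipaddress
import struct

KINDS = {1: "flow", 2: "counters", 3: "expanded flow", 4: "expanded counters"}

def parse_datagram(data: bytes) -> dict:
    """Parse the sFlow v5 datagram header and walk its samples, bounds-checking each."""
    def take(fmt, off):
        # Refuse to read past the end of the received UDP payload.
        if off + struct.calcsize(fmt) > len(data):
            raise ValueError("truncated datagram")
        return struct.unpack_from(fmt, data, off)
    version, addr_type = take(">II", 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_len = {1: 4, 2: 16}.get(addr_type)            # 1 = IPv4, 2 = IPv6
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    (raw_addr,) = take(f">{addr_len}s", 8)
    off = 8 + addr_len
    _sub_agent, sequence, uptime_ms, count = take(">IIII", off)
    off += 16
    samples = []
    for _ in range(count):                             # count is attacker-controlled
        tag, length = take(">II", off)
        off += 8
        if off + length > len(data):                   # declared length overruns payload
            raise ValueError("sample length exceeds datagram")
        enterprise, fmt = tag >> 12, tag & 0xFFF
        sample = {"kind": KINDS.get(fmt, "unknown") if enterprise == 0 else "vendor"}
        if enterprise == 0 and fmt == 1 and length >= 32:
            _seq, _src, rate, pool, drops, inp, out, _n = take(">8I", off)
            sample.update(sampling_rate=rate, sample_pool=pool, drops=drops,
                          input_if=inp & 0x3FFFFFFF, output_if=out & 0x3FFFFFFF)
        samples.append(sample)
        off += length
    return {"agent": str(ipaddress.ip_address(raw_addr)), "sequence": sequence,
            "uptime_ms": uptime_ms, "samples": samples}

# Constructed datagram: agent 10.1.1.23, one flow sample (1-in-4096), one counter sample.
FLOW = struct.pack(">8I", 7, 57, 4096, 28672, 0, 57, 61, 0)
COUNTERS = struct.pack(">3I", 3, 57, 0)
DATAGRAM = (struct.pack(">II4s4I", 5, 1, bytes([10, 1, 1, 23]), 0, 42, 360000, 2)
            + struct.pack(">II", 1, len(FLOW)) + FLOW
            + struct.pack(">II", 2, len(COUNTERS)) + COUNTERS)

if __name__ == "__main__":
    print(parse_datagram(DATAGRAM))
```

The agent address inside the datagram is set by the sender, so a collector should also compare it with the UDP source address and accept datagrams only from known switches.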
Analyzing Live Traffic Using Wireshark
Wireshark is a well-known network protocol analyzer and one of many applications used for network protocol analysis. Wireshark can interactively browse packet data from a live network or from a previously saved pcap file.
Informational Note: You can download Wireshark from http://www.wireshark.org
To use Wireshark to decode a previously saved packet flow capture file, export the file from the switch and analyze it with Wireshark.
Informational Note: The path to a switch pcap file has the format: /net/<ServerSw_Name>//global/flow/<Flow_Name>/<Switch_Name>/pcap