What is sFlow
sFlow®, a technology designed for network monitoring based on packet sampling, derives from early work performed by Hewlett-Packard at the University of Geneva and CERN in 1991. The sFlow sampling technology captures traffic data in switched or routed networks and is therefore uniquely applicable in high speed networks (at gigabit speeds or higher). sFlow capture and analysis enables continuous monitoring of application level traffic flows at wire speed on all interfaces simultaneously, such that hundreds of thousands of devices can be monitored by a single sFlow collector.
sFlow analysis provides several different lenses by which flow data is analyzed. Some of these perspectives include “host centric” views that focus on all activity involving a single host; “virtual security zones” for internal and external hosts that show traffic flows within and between local groups of hosts; and individual flow views, which identify each flow as “normal” or “possibly malicious.”1
Applications of sFlow include:
- Detecting, diagnosing, and fixing network problems
- Defense against security threats (insider misuse and abuse, DDoS, worm-infected hosts and worm propagation)
- Real-time congestion management
- Understanding application mix (e.g. P2P, Web, DNS) and changes
- Usage accounting for billing and charge-back
- Route profiling and peering optimization
- Trending and capacity planning
Network Traffic “Telemetry”
The aerospace telemetry analogy best illustrates how sFlow operates. Aerospace telemetry is a highly automated communications process by which measurements are made at remote or inaccessible points and transmitted to receiving equipment for monitoring and post processing. As an example, aerospace telemetry started in the 1930s with the radiosonde, a device that automatically measured temperature, barometric pressure and humidity from a balloon high in space, and transmitted data to Earth using a radio signal. Terrestrial equipment would then process and scrutinize the incoming radio waves to determine the conditions surrounding the weather balloon.
Similarly, sFlow-enabled routers and switches capture measurements of the network traffic at points in the network and transmit this captured data in the form of User Datagram Protocol (UDP) datagrams to an sFlow collector for further processing, analysis and archiving.
Enabling sFlow
Enabling sFlow and directing it to an sFlow collector can be accomplished with a few commands; the Foundry sFlow commands are shown here. Administrators should note that because sFlow capture and export are performed independently on each device, not every router needs to be sFlow-enabled.
sFlow enable
sFlow sample 128
sFlow destination <collector IP address>
How sFlow Collection Works
sFlow-enabled switches and routers (sFlow agents) generate sampled sFlow records. Sampling is based on a pre-defined rate where 1 out of N packets is captured. The sampled sFlow records are exported in UDP packets in one of three formats (v2, v3 or v5). The collector then stores and analyzes these sFlow records. sFlow-capable routers and switches are available from Foundry Networks, Alcatel-Lucent, Extreme Networks, Force10, Hewlett-Packard, Hitachi and NEC.
sFlow Impact on Performance
Because sFlow agents package data into sFlow datagrams, which are immediately transmitted onto the network, there is minimal processing and little to no impact on memory and CPU. Furthermore, enabling sFlow does not add significant traffic load.
Potential Issues Processing sFlow
Due to its sampled nature, sFlow is particularly well-suited for monitoring high speed network environments with minimal impact on the network itself. However, for lower bandwidth networks with much less traffic, the effectiveness of sFlow can decrease. In these environments, traffic analysis using sFlow may miss isolated events; as such, sampling rates should be set as high as feasible.
Given that each sFlow packet contains up to 11 sFlow samples representing 760k bytes of traffic (sample rate of 128 with an average packet length of 540 bytes), the increased network load is very light compared to the monitored traffic.1
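To make the collection path described above concrete (the agent samples 1 in N packets, packages the samples into UDP datagrams, and the collector parses them and scales the sampled bytes back up), here is an added example that is not from this paper or any vendor: a minimal sFlow v5 datagram builder and parser in Python. It constructs a datagram of 11 flow samples at a 1-in-128 rate with 540-byte frames, the figures quoted above, and shows the collector recovering the roughly 760k bytes they represent; the agent address, interface indexes and Ethernet header bytes are constructed values, and only IPv4 agents and raw-packet-header records are handled.

```python
import ipaddress
import struct

SFLOW_VERSION = 5
FLOW_SAMPLE = 1         # sample type: enterprise 0, format 1 (flow_sample)
RAW_PACKET_HEADER = 1   # flow record format 1 (sampled_header)

def build_flow_sample(seq, rate, frame_len, header):
    """Constructed flow sample carrying one raw-packet-header record (ifIndex values arbitrary)."""
    # header_protocol 1 = Ethernet, 4 bytes (FCS) stripped, then XDR opaque<> header padded to 4
    rec = struct.pack(">IIII", 1, frame_len, 4, len(header)) + header + b"\x00" * ((-len(header)) % 4)
    rec = struct.pack(">II", RAW_PACKET_HEADER, len(rec)) + rec
    # seq, source id (type 0 = ifIndex 7), sampling rate, sample pool, drops, input, output, record count
    body = struct.pack(">8I", seq, (0 << 24) | 7, rate, seq * rate, 0, 7, 8, 1) + rec
    return struct.pack(">II", FLOW_SAMPLE, len(body)) + body

def build_datagram(samples, agent="192.0.2.1"):
    """sFlow v5 datagram header (IPv4 agent, sub-agent 0, seq 1, uptime 1000 ms) plus samples."""
    hdr = struct.pack(">II4sIIII", SFLOW_VERSION, 1, ipaddress.IPv4Address(agent).packed, 0, 1, 1000, len(samples))
    return hdr + b"".join(samples)

def parse_datagram(buf):
    """Collector side: return (agent address, list of raw-packet flow samples) from one datagram."""
    version, addr_type = struct.unpack_from(">II", buf, 0)
    if version != SFLOW_VERSION or addr_type != 1:
        raise ValueError("only sFlow v5 from IPv4 agents is handled here")
    agent = str(ipaddress.IPv4Address(buf[8:12]))
    nsamples = struct.unpack_from(">I", buf, 24)[0]
    off, samples = 28, []
    for _ in range(nsamples):
        stype, slen = struct.unpack_from(">II", buf, off)
        off += 8
        if stype == FLOW_SAMPLE:
            _seq, _src, rate, _pool, _drops, ifin, ifout, nrec = struct.unpack_from(">8I", buf, off)
            roff = off + 32
            for _ in range(nrec):
                rfmt, rlen = struct.unpack_from(">II", buf, roff)
                if rfmt == RAW_PACKET_HEADER:
                    _proto, frame_len, _stripped, hlen = struct.unpack_from(">IIII", buf, roff + 8)
                    samples.append({"rate": rate, "frame_length": frame_len, "input": ifin, "output": ifout, "header": buf[roff + 24:roff + 24 + hlen]})
                roff += 8 + rlen
        off += slen  # declared length lets the collector skip counter samples and unknown types
    return agent, samples

def estimate_traffic_bytes(samples):
    """Bytes the samples represent on the wire: each sampled frame stands for `rate` frames."""
    return sum(s["frame_length"] * s["rate"] for s in samples)

ETH_HEADER = bytes.fromhex("00112233445566778899aabb0800")  # constructed 14-byte Ethernet header
# Constructed input: 11 samples at 1-in-128 with 540-byte frames, the figures the text uses.
DATAGRAM = build_datagram([build_flow_sample(i, 128, 540, ETH_HEADER) for i in range(11)])
```

Running `parse_datagram(DATAGRAM)` and passing the samples to `estimate_traffic_bytes` yields 760,320 bytes of represented traffic from a 908-byte datagram.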
Not all sFlow collectors retain the rich information unique to sFlow; some technologies convert sFlow records into NetFlow or proprietary records, discarding valuable packet level information in the process. In order to maximize the value of your existing sFlow-enabled routers and switches, consider solutions that collect, process and analyze the entire sFlow record.
Virtually all classes of attacks that would be detected by a flow analysis system using native packet capture would also be detected by a flow-based analysis system modified to operate with sampled sFlow data.1
Examples of sFlow-based technologies
There are three types of sFlow-based technologies:
- Low cost “classic” sFlow solutions offer traditional network traffic analysis functionality, such as top talkers, traffic trending, ASN reporting, interface utilization and QoS reporting.
- Enterprise “classic” sFlow solutions offer the same features listed above along with more advanced reporting, application performance monitoring, scalability, and appliance-based models for easier deployment and maintenance.
- Enterprise sFlow-based anomaly detection and network performance monitoring solutions, such as StealthWatch™ by Lancope®, provide these same enterprise features and deliver a wide breadth of network security functionality for the enterprise.
sFlow expert John Jerrim explores in greater depth the science and usefulness of sampled sFlow in his white paper available at http://www.lancope.com/resource/
By giving visibility into real-time and historical network-wide usage, sFlow can be used to prevent intentional attacks, minimize unintentional mistakes, and protect information assets.2
1 John Jerrim, Chief Research Officer, Lancope
2 http://www.sflow.org/using_sflow/index.php