InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks
RFC 3176

Document Type RFC - Informational (September 2001; No errata)
Last updated 2013-03-02
Stream Legacy
Formats plain text pdf html bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 3176 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                           P. Phaal
Request for Comments: 3176                                    S. Panchen
Category: Informational                                         N. McKee
                                                             InMon Corp.
                                                          September 2001

     InMon Corporation's sFlow: A Method for Monitoring Traffic in
                      Switched and Routed Networks

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   This memo defines InMon Coporation's sFlow system.  sFlow is a
   technology for monitoring traffic in data networks containing
   switches and routers.  In particular, it defines the sampling
   mechanisms implemented in an sFlow Agent for monitoring traffic, the
   sFlow MIB for controlling the sFlow Agent, and the format of sample
   data used by the sFlow Agent when forwarding data to a central data
   collector.

Table of Contents

   1.  Overview .....................................................  2
   2.  Sampling Mechanisms ..........................................  2
       2.1 Sampling of Switched Flows ...............................  3
           2.1.1 Distributed Switching ..............................  4
           2.1.2 Random Number Generation ...........................  4
       2.2 Sampling of Network Interface Statistics .................  4
   3.  sFlow MIB ....................................................  5
       3.1 The SNMP Management Framework ............................  5
       3.2 Definitions ..............................................  6
   4.  sFlow Datagram Format ........................................ 14
   5.  Security Considerations ...................................... 25
       5.1 Control .................................................. 26
       5.2 Transport ................................................ 26
       5.3 Confidentiality .......................................... 26
   6.  References ................................................... 27
   7.  Authors' Addresses ........................................... 29

Phaal, et al.                Informational                      [Page 1]
RFC 3176               InMon Corporation's sFlow          September 2001

   8.  Intellectual Property Statement .............................. 30
   9.  Full Copyright Statement ..................................... 31

1. Overview

   sFlow is a technology for monitoring traffic in data networks
   containing switches and routers.  In particular, it defines the
   sampling mechanisms implemented in an sFlow Agent for monitoring
   traffic, the sFlow MIB for controlling the sFlow Agent, and the
   format of sample data used by the sFlow Agent when forwarding data to
   a central data collector.

   The architecture and sampling techniques used in the sFlow monitoring
   system are designed to provide continuous site-wide (and network-
   wide) traffic monitoring for high speed switched and routed networks.

   The design specifically addresses issues associated with:

   o Accurately monitoring network traffic at Gigabit speeds and higher.

   o Scaling to manage tens of thousands of agents from a single point.

   o Extremely low cost agent implementation.

   The sFlow monitoring system consists of an sFlow Agent (embedded in a
   switch or router or in a stand alone probe) and a central data
   collector, or sFlow Analyzer.

   The sFlow Agent uses sampling technology to capture traffic
   statistics from the device it is monitoring.  sFlow Datagrams are
   used to immediately forward the sampled traffic statistics to an
   sFlow Analyzer for analysis.

   This document describes the sampling mechanisms used by the sFlow
   Agent, the SFLOW MIB used by the sFlow Analyzer to control the sFlow
   Agent, and the sFlow Datagram Format used by the sFlow Agent to send
   traffic data to the sFlow Analyzer.

2. Sampling Mechanisms

   The sFlow Agent uses two forms of sampling: statistical packet-based
   sampling of switched flows, and time-based sampling of network
   interface statistics.

Phaal, et al.                Informational                      [Page 2]
RFC 3176               InMon Corporation's sFlow          September 2001

2.1 Sampling of Switched Flows

   A flow is defined as all the packets that are received on one
   interface, enter the Switching/Routing Module and are sent to another
   interface.  In the case of a one-armed router, the source and
   destination interface could be the same.  In the case of a broadcast
   or multicast packet there may be multiple destination interfaces.
   The sampling mechanism must ensure that any packet involved in a flow
   has an equal chance of being sampled, irrespective of the flow to
Show full document text