On Thu Oct 26, 2006 at 11:40:20 +0200, Jaime Nebrera wrote: > Hi Oliver, > >> Ok, so have I completely misunderstood the purpose of sFlow? Currently >> we >> are using pmacctd to record every single byte and packet that crosses >> our >> network via mirror ports on the switches. Does sFlow only generate a >> "summary" of the traffic? For our purposes it will need to report >> every byte >> and packet, just as our pmacctd setup currently does. >> >> Maybe I am just not understanding the purpose of sFlow... > > I'm not a sFlow expert and surelly Paolo will be able to help you more on > this BUT in general neither NetFlow nor sFlow are valid for this. Both of > them are more "flow" based than "packet" based and in general they will only > report on header information, not complete payload (actually trying to get > all payload information will surelly kill the performance of the link itself). > > After that you have the option of using sampling or not, and different kinds > of them. NetFlow allows to work without sampling, and this is valid in low > speed links or high end hardware, but i think sFlow itself is always sampled. > At the same time the sampling can be just dumb (1 out of tenth) or > intelligent (they consider size) but in both cases they loose precision. > > And last, you have to consider were to store all this info. If the probe > doesnt sample, will you in the server? etc etc
I've done a bit more looking around and found the following interesting bits of information. From http://www.sflow.org/about/index.php : "Usage accounting for billing and charge-back" which seems to suggest 100% accurate representation of bandwidth consumption, if used for billing. But then in http://www.sflow.org/sflow_version_5.txt : "Packet Flow Sampling: Packet Flow Sampling refers to the random selection of a fraction of the Packet Flows observed at a Data Source." which suggests exactly what you are saying - it only samples a fraction of the actual traffic. But then later in the same page: "Sampling Rate: The Sampling Rate specifies the ratio of packets observed at the Data Source to the samples generated. For example a sampling rate of 100 specifies that, on average, 1 sample will be generated for every 100 packets observed." So it seems indeed if you set the sampling rate to be 1, it would sample every single packet. To be honest I can't understand why sampling a fraction of the packets would be useful at all, apart from gleaning a rough understanding of the relationship between the flows. However this fractional sampling leads to data loss and as I mentioned in my first post, the backchannel with a very small fraction of the total traffic was not reported at all. Examining the header of each packet will allow the total data throughput to be determined without using the payload at all, and at reasonably low cost... surely sFlow can do this? Hopefully someone on list has set something similar up and can point me in the right direction. -- Regards, Oliver Hookins Anchor Systems _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
