It's also worth pointing out that sFlow provides a mechanism for the agent to attach additional information to sampled packets. Typically this will be information about the forwarding decision (MPLS tunnel, BGP destination AS path, subnets, VLANs etc.), but additional structures are also defined to allow the sFlow agent to export User IDs and URLs.
These application level fields are typically implemented when the sFlow device is a participant in the application level protocol. For example, an edge switch might be responsible for authenticating a user onto the network (possibly using RADIUS). In this case it can attach User ID information to packet samples to or from a user's port. Similarly, a load balancer might be aware of the URL associated with a packet stream and be in a position to attach the URL structure to any sampled packets from the stream.

Each device has its own perspective on the network traffic and will only contribute some of the extended information. However, sFlow is intended to monitor all devices and all ports in the network. By combining information contributed by each device, the central sFlow analyzer is able to build a complete picture. For example, a core switch might not know the User IDs, but when sFlow from the core switch is combined with sFlow from the edge switches, a complete picture emerges.

Peter

> -----Original Message-----
> From: owner-sf...@sflow.org [mailto:owner-sf...@sflow.org] On Behalf Of sujay gupta
> Sent: Thursday, October 29, 2009 8:30 AM
> To: fedora fedora
> Cc: sflow@sflow.org
> Subject: Re: [sFlow] one sample question
>
> Hi,
>
> IMO, while your observation is correct, if the sampling rate is one, you should get all the packets and therefore any content in it.
> If it is not, the sample packet is a representation of the traffic and the assumption is if you have several samples at least one of them will carry your required data.
> (you could refer to a nice introduction to packet sampling theory, in the slow.org page)
>
> Please also note all the while that sFlow is not the same as packet sniffing or port mirroring where you intend to capture every packet and parse it.
> It is a statistical measurement of the traffic flows happening thru your device.
>
> -Sujay
>
> On Thu, Oct 29, 2009 at 8:17 PM, fedora fedora <fedoraf...@gmail.com> wrote:
> > Hello, pardon me if this is too simple but I cannot find any answer for this.
> >
> > sFlow is sample based, which means for every X number of packets, 1 gets picked and gets sent out to collector immediately, so in this case, how can this single packet include all the fields necessary? For example, for http traffic, if the sampled packet does not carry URL, how can I get URL? Similar case, for radius traffic, how can I get Username? It is very likely the sampled packet does not carry this information at all.
> >
> > Am I wrong? Thanks
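
The combination Peter describes, sketched as an added example that is not part of the original thread or of any sFlow tool: an analyzer learns IP-to-user bindings from edge-switch samples and uses them to attribute core-switch samples that carry no user ID. The decoded-sample field names, agents and values are all constructed for illustration, and each sample is scaled by its sampling rate to estimate traffic.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed, already-decoded flow samples (field names are hypothetical).
# Only the edge switch authenticates users, so only its samples carry a user ID.
SAMPLES = [
    {"t": 10, "agent": "edge-1", "rate": 100, "src_ip": "10.0.1.20", "dst_ip": "10.0.9.5", "bytes": 1500, "src_user": "alice"},
    {"t": 12, "agent": "core-1", "rate": 1000, "src_ip": "10.0.1.20", "dst_ip": "10.0.9.5", "bytes": 1500},
    {"t": 15, "agent": "core-1", "rate": 1000, "src_ip": "10.0.2.7", "dst_ip": "10.0.9.5", "bytes": 400},
    {"t": 50, "agent": "edge-1", "rate": 100, "src_ip": "10.0.1.20", "dst_ip": "10.0.9.5", "bytes": 200, "src_user": "bob"},
    {"t": 55, "agent": "core-1", "rate": 1000, "src_ip": "10.0.1.20", "dst_ip": "10.0.9.5", "bytes": 600},
]

def learn_bindings(samples):
    """Build ip -> time-ordered [(t, user)] from every sample that carries a user ID."""
    bindings = defaultdict(list)
    for s in sorted(samples, key=lambda s: s["t"]):
        for ip_key, user_key in (("src_ip", "src_user"), ("dst_ip", "dst_user")):
            if s.get(user_key):
                bindings[s[ip_key]].append((s["t"], s[user_key]))
    return bindings

def user_at(bindings, ip, t):
    """Return the user most recently bound to ip at or before time t, else None.

    Looking up by time matters for attribution: an address can be handed to a
    different user later, and a stale binding would blame the wrong account.
    """
    seen = bindings.get(ip, [])
    i = bisect_right([when for when, _ in seen], t)
    return seen[i - 1][1] if i else None

def bytes_per_user(samples, agent, bindings):
    """Estimate bytes per source user at one agent; a sample stands for `rate` packets."""
    totals = defaultdict(int)
    for s in samples:
        if s["agent"] == agent:
            user = user_at(bindings, s["src_ip"], s["t"]) or "unknown"
            totals[user] += s["bytes"] * s["rate"]
    return dict(totals)

if __name__ == "__main__":
    print(bytes_per_user(SAMPLES, "core-1", learn_bindings(SAMPLES)))
```

Traffic from an address no edge device has reported stays in the "unknown" bucket rather than being guessed.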