sFlow parsing...

From: Mandip S Sangha <mandip.sangha@apoapsis.com>
Date: 11/27/06
Message-ID: <00eb01c71252$4cb53230$8103000a@laptop106>

Hi All

We are currently processing sflow data such that we see datagrams containing
flow samples and counter samples. We require a recommended strategy for
assigning total bytes seen in a counter sample to flow samples. For
example, we may have the following scenario:-

Counter Sample, total bytes: 0

Flow Sample, srcIP 193.201.201.223, dstIP 88.96.135.190, srcPort 888,
dstPort 111, packet size 50 bytes

Flow Sample, srcIP 193.201.201.138, dstIP 88.96.135.193, srcPort 999,
dstPort 444, packet size 100 bytes

Counter Sample, total bytes: 15000

Do we just split the total bytes across the number of flows and say there
are two flows where both transferred 7500 bytes each? Or do we actually look
at the packet size and split the total bytes accordingly i.e. there are two
flows where one has transferred 5000 bytes and the other 10000 bytes?

If we take the second approach, how does this extend to seeing the same flow
with different packet size as below:-

Counter Sample, total bytes: 0

Flow Sample, srcIP 193.201.201.138, dstIP 88.96.135.193, srcPort 999,
dstPort 444, packet size 50 bytes

Flow Sample, srcIP 193.201.201.223, dstIP 88.96.135.190, srcPort 888,
dstPort 111, packet size 100 bytes

Flow Sample, srcIP 193.201.201.138, dstIP 88.96.135.193, srcPort 999,
dstPort 444, packet size 1500 bytes

Counter Sample, total bytes: 15000

Any comments or suggestions would be greatly appreciated.

Regards
Mandip
Received on Mon Nov 27 10:32:05 2006
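
The two splits described in the message, worked through for both scenarios. This is an added example, not code from the original post or from the sFlow project. The names allocate and attribute, the mode strings, and the rounding rule (largest remainder, so the shares sum exactly to the counter delta) are assumptions; samples of the same flow are grouped by adding their packet sizes.

```python
# Constructed from the two scenarios in the message above.
A = ("193.201.201.138", "88.96.135.193", 999, 444)
B = ("193.201.201.223", "88.96.135.190", 888, 111)
SCENARIO_1 = [B + (50,), A + (100,)]
SCENARIO_2 = [A + (50,), B + (100,), A + (1500,)]


def allocate(total, weights):
    """Split integer `total` across keys in proportion to `weights`.

    Largest-remainder rounding keeps every share an integer and makes the
    shares sum to `total` exactly.
    """
    wsum = sum(weights.values())
    if total < 0 or wsum <= 0:
        raise ValueError("need a non-negative total and positive weights")
    shares = {k: total * w // wsum for k, w in weights.items()}
    leftover = total - sum(shares.values())
    # Hand the bytes lost to rounding down to the largest remainders first.
    order = sorted(weights, key=lambda k: total * weights[k] % wsum, reverse=True)
    for k in order[:leftover]:
        shares[k] += 1
    return shares


def attribute(prev_counter, curr_counter, samples, mode):
    """Assign the byte delta between two counter samples to flows.

    samples: (src_ip, dst_ip, src_port, dst_port, packet_size) tuples seen
    between the two counter samples.
    mode: "per_flow" gives each distinct flow an equal share;
          "by_bytes" weights each flow by its summed sampled packet sizes.
    """
    delta = curr_counter - prev_counter
    sampled = {}
    for *key, size in samples:
        key = tuple(key)
        sampled[key] = sampled.get(key, 0) + size  # same flow seen again
    if mode == "per_flow":
        weights = {k: 1 for k in sampled}
    elif mode == "by_bytes":
        weights = sampled
    else:
        raise ValueError("unknown mode: %r" % (mode,))
    return allocate(delta, weights)


if __name__ == "__main__":
    for name, s in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        for mode in ("per_flow", "by_bytes"):
            print(name, mode, attribute(0, 15000, s, mode))
```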
