Re: sFlow parsing troubles...

From: Mandip S Sangha <>
Date: 11/24/06
Message-ID: <002901c70fb1$28108db0$8103000a@laptop106>

Hi Elisa

Yes I have looked into the Ethernet Frame Format so for the example below:-

dstMAC 00146c60cbb2
srcMAC 00096b8c43a8
IPSize 52
ip.tot_len 52
IPProtocol 6
TCPSrcPort 64620
TCPDstPort 993
TCPFlags 16

I can see the first 6 bytes are the dstMAC (00-14-6C-60-CB-B2), the next 6
bytes are the srcMAC (00-09-6B-8C-43-A8) and the next 2 bytes are the Ether
type (08-00). However, the following bytes fall into the data/payload part
of the frame, so we need to know the exact format for how the information is
stored in the data/payload. I have been able to figure out most of the
format by stepping through the source for the 'sflowtool' but I'm after a
document that specifies all this.


----- Original Message -----
From: "Elisa Jasinska" <>
To: "Mandip S Sangha" <>
Cc: <>
Sent: Thursday, November 23, 2006 10:55 PM
Subject: Re: [sFlow] sFlow parsing troubles...

> Hi,
> On Nov 23, 2006, at 8:37 PM, Mandip S Sangha wrote:
> > Is there documentation to tell us at what byte within the
> > headerBytes to find
> > srcIP, dstIP, IPProtocol, IPTOS, TCPSrcPort, TCPDstPort?
> That is, like the name says, a raw packet header, so you have to look
> into what the headers of an Ethernet frame look like (IP, TCP, etc.).
> >
> > Also where in this data are the actual bytes transferred by each of
> > the flows?
> 'Flow' is a bit incorrect in case of sFlow, because it's actually not
> showing you flows (like NetFlow does) but packet samples. You can
> find out the packet size by looking into the length field of the IP
> header.
> Cheers
> --
> Elisa Jasinska - AMS-IX NOC
Received on Fri Nov 24 02:13:18 2006
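
The byte offsets asked about in this thread, as an added example that is not part of the original messages and is not sflowtool's code. The function name parse_header_bytes is hypothetical, and the sample frame is constructed from the field values quoted above with documentation IP addresses and zeroed filler fields; it assumes Ethernet II framing carrying IPv4, and goes slightly beyond the thread by handling 802.1Q tags and truncated samples.

```python
import ipaddress
import struct

# Constructed sample: MACs, length, protocol, ports and flags from the thread;
# IP addresses (192.0.2.1, 198.51.100.2) and zeroed fields are filler.
SAMPLE = bytes.fromhex(
    "00146c60cbb2" "00096b8c43a8" "0800"                       # Ethernet II
    "45000034" "00004000" "40060000" "c0000201" "c6336402"     # IPv4
    "fc6c03e1" "00000000" "00000000" "80100000" "00000000"     # TCP
)

def parse_header_bytes(buf: bytes) -> dict:
    """Decode Ethernet / optional VLAN / IPv4 / TCP|UDP from sampled header bytes."""
    if len(buf) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"dstMAC": buf[0:6].hex(), "srcMAC": buf[6:12].hex()}
    (ethertype,) = struct.unpack_from("!H", buf, 12)
    off = 14
    while ethertype in (0x8100, 0x88A8):      # each VLAN tag shifts the payload by 4
        if len(buf) < off + 4:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", buf, off + 2)
        off += 4
    out["etherType"] = ethertype
    if ethertype != 0x0800:                   # only IPv4 is decoded here
        return out
    if len(buf) < off + 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, tot_len, _id, frag, _ttl, proto, _csum = struct.unpack_from(
        "!BBHHHBBH", buf, off)
    ihl = (ver_ihl & 0x0F) * 4                # IP options move the L4 header
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < off + ihl:
        raise ValueError("bad IPv4 header")
    out.update(IPTOS=tos, IPSize=tot_len, IPProtocol=proto,
               srcIP=str(ipaddress.IPv4Address(buf[off + 12:off + 16])),
               dstIP=str(ipaddress.IPv4Address(buf[off + 16:off + 20])))
    l4 = off + ihl
    if frag & 0x1FFF:                         # later fragments carry no L4 header
        return out
    if proto == 6 and len(buf) >= l4 + 14:    # flags are byte 13 of the TCP header
        sport, dport = struct.unpack_from("!HH", buf, l4)
        out.update(TCPSrcPort=sport, TCPDstPort=dport, TCPFlags=buf[l4 + 13])
    elif proto == 17 and len(buf) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", buf, l4)
        out.update(UDPSrcPort=sport, UDPDstPort=dport)
    return out
```
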
