Re: sFlow parsing troubles...

From: Elisa Jasinska <>
Date: 11/24/06

Hi Mandip,

On Nov 24, 2006, at 11:13 AM, Mandip S Sangha wrote:
> I can see the first 6 bytes are the dstMAC (00-14-6C-60-CB-B2), the next 6
> bytes are the srcMAC (00-09-6B-8C-43-A8) and the next 2 bytes are the Ether
> type (08-00).

Exactly, good start.

> However, the following bytes fall into the data/payload part
> of the frame, so we need to know the exact format for how the information is
> stored in the data/payload. I have been able to figure out most of the
> format by stepping through the source for the 'sflowtool' but I'm after a
> document that specifies all this.

Like I mentioned in my previous mail, the raw header data is not
specified in the sFlow format but in the general network protocol
encapsulations. The payload of an Ethernet frame contains the header
of the next higher layer protocol.

Here are a few links which might help:


> ----- Original Message -----
> From: "Elisa Jasinska" <>
> To: "Mandip S Sangha" <>
> Cc: <>
> Sent: Thursday, November 23, 2006 10:55 PM
> Subject: Re: [sFlow] sFlow parsing troubles...
>> Hi,
>> On Nov 23, 2006, at 8:37 PM, Mandip S Sangha wrote:
>>> Is there documentation to tell us at what byte within the headerBytes to find
>>> srcIP, dstIP, IPProtocol, IPTOS, TCPSrcPort, TCPDstPort?
>> That is, like the name says, a raw packet header, so you have to look
>> into what the headers of an Ethernet frame look like (IP, TCP, etc.).
>>> Also where in this data are the actual bytes transferred by each of
>>> the flows?
>> 'Flow' is a bit incorrect in case of sFlow, because it's actually not
>> showing you flows (like NetFlow does) but packet samples. You can
>> find out the packet size by looking into the length field of the IP
>> header.
>> Cheers
>> --
>> Elisa Jasinska - AMS-IX NOC

Elisa Jasinska - AMS-IX NOC
Received on Fri Nov 24 03:03:03 2006
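
Added example, not part of the original thread and not sflowtool code: a bounds-checked C parser that pulls the fields asked about above (MACs, EtherType, srcIP, dstIP, protocol, TOS, IP total length, TCP/UDP ports) out of the raw sampled header bytes. The names parse_sampled_header, sample_fields and SAMPLE are assumptions made for this example, and the IP and TCP bytes in SAMPLE are constructed; only the MACs and EtherType come from the thread. The sampled header is only a prefix of the packet, so every offset is checked against the number of bytes actually present.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sample_fields {            /* the fields asked about in the thread */
    uint8_t  dst_mac[6], src_mac[6], ip_tos, ip_proto;
    uint16_t ethertype, ip_total_len, src_port, dst_port;
    uint32_t src_ip, dst_ip;      /* host byte order */
    int      has_ports;           /* 1 only if the sample reached the ports */
};
/* Constructed sample: MACs and EtherType from the thread, the rest made up. */
static const uint8_t SAMPLE[] = {
    0x00,0x14,0x6C,0x60,0xCB,0xB2, 0x00,0x09,0x6B,0x8C,0x43,0xA8, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xC0,0x00,0x02,0x0A, 0xC6,0x33,0x64,0x14, /* 192.0.2.10 -> 198.51.100.20 */
    0xC3,0x50, 0x01,0xBB                      /* TCP ports 50000 -> 443 */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Returns 0 on success, -1 if the bytes are truncated or not plain IPv4. */
int parse_sampled_header(const uint8_t *b, size_t len, struct sample_fields *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;                    /* Ethernet II: 6 + 6 + 2 */
    memcpy(out->dst_mac, b, 6); memcpy(out->src_mac, b + 6, 6);
    out->ethertype = be16(b + 12);
    if (out->ethertype != 0x0800) return -1;    /* IPv4 only, no VLAN tag */
    const uint8_t *ip = b + 14; size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;    /* header length incl. options */
    if (ihl < 20 || iplen < ihl) return -1;
    out->ip_tos = ip[1]; out->ip_proto = ip[9];
    out->ip_total_len = be16(ip + 2);           /* size of the sampled IP packet */
    out->src_ip = be32(ip + 12); out->dst_ip = be32(ip + 16);
    /* Ports: TCP (6) or UDP (17), first fragment, 4 bytes left in the sample. */
    if ((out->ip_proto == 6 || out->ip_proto == 17) &&
        (be16(ip + 6) & 0x1fff) == 0 && iplen - ihl >= 4) {
        out->src_port = be16(ip + ihl); out->dst_port = be16(ip + ihl + 2);
        out->has_ports = 1;
    }
    return 0;
}

int main(void) {
    struct sample_fields f;
    if (parse_sampled_header(SAMPLE, sizeof SAMPLE, &f) != 0) return 1;
    printf("proto=%d len=%d ports=%d->%d\n", f.ip_proto, f.ip_total_len, f.src_port, f.dst_port);
    return 0;
}
```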
