RE: one sample question

From: Peter Phaal <peter.phaal@inmon.com>
Date: 10/29/09
Message-ID: <ECB7B0784D5D4CD9AD32FE02BBC2B0CA@PHAALPC>

It's also worth pointing out that sFlow provides a mechanism for the agent
to attach additional information to sampled packets. Typically this will be
information about the forwarding decision (MPLS tunnel, BGP destination AS
path, subnets, VLANs etc.), but additional structures are also defined to
allow the sFlow agent to export User IDs and URLs.

These application level fields are typically implemented when the sFlow
device is a participant in the application level protocol. For example, an
edge switch might be responsible for authenticating a user onto the network
(possibly using RADIUS). In this case it can attach User ID information to
packet samples to or from a user's port. Similarly, a load balancer might be
aware of the URL associated with a packet stream and be in a position to
attach the URL structure to any sampled packets from the stream.

Each device has its own perspective on the network traffic and will only
contribute some of the extended information. However, sFlow is intended to
monitor all devices and all ports in the network. By combining information
contributed by each device, the central sFlow analyzer is able to build a
complete picture. For example, a core switch might not know the User IDs,
but when sFlow from the core switch is combined with sFlow from the edge
switches, a complete picture emerges.

Peter

> -----Original Message-----
> From: owner-sflow@sflow.org [mailto:owner-sflow@sflow.org] On Behalf Of
> sujay gupta
> Sent: Thursday, October 29, 2009 8:30 AM
> To: fedora fedora
> Cc: sflow@sflow.org
> Subject: Re: [sFlow] one sample question
>
> Hi,
>
> IMO, while your observation is correct, if the sampling rate is one,
> you should get all the packets and therefore any content in it.
> If it is not, the sample packet is a representation of the traffic and
> the assumption is if you have several samples at least one of them will
> carry your required data.
> (You could refer to a nice introduction to packet sampling theory
> on the sflow.org page.)
>
> Please also note all the while that sFlow is not the same as packet
> sniffing or port mirroring, where you intend to capture every packet
> and parse it.
> It is a statistical measurement of the traffic flows happening thru your
> device.
>
> -Sujay
>
> On Thu, Oct 29, 2009 at 8:17 PM, fedora fedora <fedorafans@gmail.com>
> wrote:
> > Hello, pardon me if this is too simple but I cannot find any answer for
> > this.
> >
> > sFlow is sample based, which means for every X number of packets, 1 gets
> > picked and gets sent out to the collector immediately, so in this case,
> > how can this single packet include all the fields necessary? For example,
> > for HTTP traffic, if the sampled packet does not carry the URL, how can I
> > get the URL? Similar case, for RADIUS traffic, how can I get the Username?
> > It is very likely the sampled packet does not carry this information at
> > all.
> >
> > Am I wrong? Thanks
Received on Thu Oct 29 08:51:43 2009
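
The following is an added example, not part of the original thread or of any sFlow implementation. It sketches how an analyzer could combine an extended_user record attached by an edge switch with samples from a core switch that carries no user information. It assumes the sFlow version 5 flow record layout (XDR encoded, extended_user as format 1004) and that the source IP of each sample has already been decoded from the sampled header; the agent names, addresses, user name, frame sizes and the IP-to-user join are constructed for illustration.

```python
import struct
from collections import defaultdict

EXTENDED_USER = 1004  # sFlow v5 flow record format for extended_user (enterprise 0)

def xdr_opaque(buf, off):
    """Read an XDR opaque<>: 4-byte length, data, zero padding to a 4-byte boundary."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n + (-n % 4)

def src_user(records):
    """Walk the flow records of one sample; return extended_user.src_user or None."""
    off = 0
    while off < len(records):
        (fmt,) = struct.unpack_from(">I", records, off)
        body, off = xdr_opaque(records, off + 4)
        if fmt == EXTENDED_USER:
            user, _ = xdr_opaque(body, 4)  # body starts with src_charset; skip it
            return user.decode("utf-8", "replace") or None
    return None

def bytes_per_user(samples, agent):
    """Estimate bytes seen by `agent` per user, using user IDs learned from any agent."""
    ip_to_user = {}
    for s in samples:
        user = src_user(s["records"])
        if user:
            ip_to_user[s["src_ip"]] = user
    totals = defaultdict(int)
    for s in samples:
        if s["agent"] == agent:
            who = ip_to_user.get(s["src_ip"], "unknown")
            totals[who] += s["frame_len"] * s["rate"]  # one sample stands for `rate` packets
    return dict(totals)

# --- constructed sample data (hypothetical agents, addresses and user) ---
def pack_opaque(b):
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)
def user_record(name):
    utf8 = struct.pack(">I", 106)  # charset as MIBenum, 106 = UTF-8
    body = utf8 + pack_opaque(name.encode()) + utf8 + pack_opaque(b"")
    return struct.pack(">I", EXTENDED_USER) + pack_opaque(body)
OTHER = struct.pack(">I", 1001) + pack_opaque(b"\0" * 16)  # extended_switch, skipped
KEYS = ("agent", "rate", "src_ip", "frame_len", "records")
SAMPLES = [dict(zip(KEYS, r)) for r in [
    ("edge-1", 100, "10.0.0.5", 1500, OTHER + user_record("alice")),
    ("core-1", 1000, "10.0.0.5", 1500, OTHER),
    ("core-1", 1000, "10.0.0.5", 500, OTHER),
    ("core-1", 1000, "10.0.2.2", 200, b""),
]]
```

Calling `bytes_per_user(SAMPLES, "core-1")` attributes the core switch's scaled byte estimate to the user learned at the edge; traffic from addresses that no agent has labelled is reported as "unknown".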
