Re: Packet sampling after filtering

From: Peter Phaal <>
Date: 04/03/10

The filtering function referred to here is the basic functionality of a non-promiscuous interface. For a host or a router, only unicast traffic to the network adapter MAC address, registered multicasts, or broadcast frames pass through the filter to the routing module.

For a bridge, a determination is made based on destination MAC address as to whether the frame should be forwarded. This decision is made in hardware as the switch learns to associate local MAC addresses with each of its interfaces.

Most sFlow implementations perform ingress sampling, so frames that pass through this initial filtering step are sampled. If frames are discarded later by higher level functions, or because of buffer exhaustion, or egress filtering, then the sFlow agent may note the discard reason in the egress interface structure (see page 28 of the sFlow version 5 specification). However, this information is typically not available at the point of sampling and not reported.

Egress sampling occurs after all filtering has taken place since the frame is being sampled at the point it is transmitted. It is still possible that the sampled packet might be lost in transmission, but this is usually not detectible and wouldn't be reported.

On Apr 2, 2010, at 2:00 PM, the keralite wrote:

> Wanted to find out what the term "filtering" encompasses in the description
> of packet sampling in the sFlow spec.
> The sFlow spec says
> "Packet Flow Sampling is accomplished as follows: When a packet
> arrives on an interface, the Network Device makes a filtering
> decision to determine whether the packet should be dropped. If the
> packet is not filtered a destination interface is assigned by the
> switching/routing function. At this point a decision is made on
> whether or not to sample the packet."
> On a network device there could be various kinds of processing happening on
> the ingress
> - access control policies that may drop the packet
> - packet rate limiting mechanisms that may decide to drop the packet
> - Exception checks like IP TTL, IPv6 Scope check failures etc. which may
> decide to not forward the packet further.
> Would the word "filtering" include all the above scenarios?
> ZC
Received on Sat Apr 3 10:56:43 2010
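
Added example (not part of the original message, and not code from the sFlow specification): a Python sketch of how a collector could decode the egress interface field mentioned in the reply to see whether an agent reported a discard. It assumes the sFlow version 5 encoding of that field (2-bit format, 30-bit value, discard reason codes 256-262) and the seven-word flow_sample header layout; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Discard reason codes carried when format == 1. Values 0-255 reuse the
# ICMP Destination Unreachable codes; the rest are listed here (assumed
# from the sFlow version 5 interface encoding).
DISCARD_REASONS = {
    256: "unknown", 257: "ttl exceeded", 258: "ACL",
    259: "no buffer space", 260: "RED",
    261: "traffic shaping/rate limiting", 262: "packet too big",
}

def decode_interface(field):
    """Split a 32-bit interface field into (kind, detail)."""
    fmt, value = field >> 30, field & 0x3FFFFFFF
    if field == 0:
        return ("unknown", None)            # interface not known
    if fmt == 0:
        if value == 0x3FFFFFFF:
            return ("none", None)           # no input/output interface
        return ("ifindex", value)
    if fmt == 1:
        if value < 256:
            return ("discarded", f"ICMP unreachable code {value}")
        return ("discarded", DISCARD_REASONS.get(value, f"code {value}"))
    if fmt == 2:
        return ("multiple", value)          # number of destination interfaces
    return ("reserved", value)

def parse_flow_sample_header(data):
    """Parse the seven XDR unsigned ints that open a flow_sample."""
    if len(data) < 28:
        raise ValueError("truncated flow_sample header")
    seq, source, rate, pool, drops, inp, out = struct.unpack(">7I", data[:28])
    return {
        "sequence_number": seq,
        "source_id": (source >> 24, source & 0xFFFFFF),  # (type, index)
        "sampling_rate": rate,
        "sample_pool": pool,
        "drops": drops,  # samples the agent lost for lack of resources
        "input": decode_interface(inp),
        "output": decode_interface(out),
    }

# Constructed sample: sampled on ifIndex 3, reported as discarded by an ACL.
SAMPLE = struct.pack(">7I", 1, 3, 1024, 2048, 0, 3, (1 << 30) | 258)

if __name__ == "__main__":
    print(parse_flow_sample_header(SAMPLE))
```

As the reply notes, ingress-sampling agents typically do not have the discard reason at the point of sampling, so an output field that decodes to a plain ifIndex does not show that the frame was actually forwarded.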