Sflow for monitoring

  • Question
  • Updated 2 years ago
  • Answered
Hi, 

I'm trying to collect sFlow from a BD8800 to use it in an ELK stack.
I'm actually able to receive the sFlow data; now I have to parse it to be able to do some searching/analysis on it.
Does anyone know the mapping of the sFlow data?

Actually I receive something like this:

u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\xAC\u0010\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0002`\xD3\u0004\u001F\x92H\u0000\u0000\u0000\v\u0000\u0000\u0000\u0002\u0000\u0000\u0000l\u0000\u0000gi\u0000\u0000\u0003\xF2\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000X\u0000\u0000\u0003\xF2\u0000\u0000\u0000\a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000

Trasschaert Karl


Posted 2 years ago


Kawawa, GTAC

I don't understand what you mean by "mapping of sFlow data", please elaborate. EXOS conforms to the sFlow standard defined in RFC 3176, particularly version 5, which I believe is an improvement over the original RFC. The particular packet structure is defined in the following document: http://www.sflow.org/SFLOW-DATAGRAM5.txt. If you take a packet capture of the traffic an EXOS device is sending to the collector, below is what you should see when you expand the sFlow section:
InMon sFlow
    Datagram version: 5
    Agent address type: IPv4 (1)
    Agent address: <switch-ip>
    Sub-agent ID: 0
    Sequence number: 755859
    SysUptime: 1919217650
    NumSamples: 11
    
    Counters sample, seq 141485
        0000 0000 0000 0000 0000 .... .... .... = Enterprise: standard sFlow (0)
        .... .... .... .... .... 0000 0000 0010 = sFlow sample type: Counters sample (2)
        Sample length (byte): 108
        Sequence number: 141485
        0000 0000 .... .... .... .... .... .... = Source ID type: 0
        .... .... 0000 0000 0000 0011 1110 1011 = Source ID index: 1003
        Counters records: 1
        Generic interface counters
            0000 0000 0000 0000 0000 .... .... .... = Enterprise: standard sFlow (0)
            .... .... .... .... .... 0000 0000 0001 = Format: Generic interface counters (1)
            Flow data length (byte): 88
            Interface index: 1003
            Interface Type: 7
            Interface Speed: 1000000000
            Interface Direction: Full-Duplex (1)
            .... .... .... .... .... .... .... ...1 = IfAdminStatus: Up
            .... .... .... .... .... .... .... ..1. = IfOperStatus: Up
            Input Octets: 16893026
            Input Packets: 24396
            Input Multicast Packets: 122631
            Input Broadcast Packets: 0
            Input Discarded Packets: 0
            Input Errors: 0
            Input Unknown Protocol Packets: 0
            Output Octets: 23915928
            Output Packets: 24841
            Output Multicast Packets: 41351
            Output Broadcast Packets: 172509
            Output Discarded Packets: 0
            Output Errors: 0
            Promiscuous Mode: 1
Is this what you're asking about?
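The "mapping" the question asks for is just the XDR layout the Wireshark dissection above walks through: a 28-byte header (version, agent address, sub-agent id, sequence, uptime, sample count), then length-prefixed samples, each carrying length-prefixed records. The escaped string in the question is that raw UDP payload as Logstash/Ruby prints it; its first 28 bytes decode to a version 5 header from agent 172.16.0.1 with 11 samples, and the first sample is a 108-byte counters sample, exactly the shape shown in the capture. The decoder below is an added example written for this thread, not code from the original posts, from Extreme or from sflow.org. It parses the header, standard counters samples (formats 2 and 4) and the generic interface counters record (format 1), skipping other sample and record types by their declared length instead of mis-parsing them, and rejects truncated datagrams. To have something to run against offline, it also builds a constructed datagram from the values in the dissection above; the agent address 10.0.0.1 and the single sample in that constructed datagram are assumptions (the page shows "<switch-ip>" and 11 samples).

```python
"""sFlow v5 datagram decoder: header, counters samples, generic interface counters.
Added example, not from the original thread. Layout follows
http://www.sflow.org/SFLOW-DATAGRAM5.txt (XDR: big-endian, 4-byte aligned)."""
import ipaddress
import json
import struct

GENERIC_COUNTER_FIELDS = (
    "ifIndex", "ifType", "ifSpeed", "ifDirection", "ifStatus",
    "ifInOctets", "ifInUcastPkts", "ifInMulticastPkts", "ifInBroadcastPkts",
    "ifInDiscards", "ifInErrors", "ifInUnknownProtos",
    "ifOutOctets", "ifOutUcastPkts", "ifOutMulticastPkts", "ifOutBroadcastPkts",
    "ifOutDiscards", "ifOutErrors", "ifPromiscuousMode",
)
# 88 bytes: ifSpeed and the two octet counters are 64-bit, everything else 32-bit.
GENERIC_COUNTER_FMT = "!IIQIIQIIIIIIQIIIIII"

# First 28 bytes of the dump in the question, transcribed from its escaped string
# (\u0000 = 0x00, ` = 0x60, H = 0x48, \v = 0x0B).
QUESTION_HEADER = bytes.fromhex("00000005 00000001 AC100001 00000000 000260D3 041F9248 0000000B")


def _u32(buf, off):
    """Read one big-endian 32-bit word, refusing to run past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated datagram at offset %d" % off)
    return struct.unpack_from("!I", buf, off)[0], off + 4


def parse_header(data):
    """Datagram header; returns the decoded fields and the offset of the first sample."""
    off = 0
    version, off = _u32(data, off)
    if version != 5:
        raise ValueError("unsupported sFlow version %d" % version)
    addr_type, off = _u32(data, off)
    if addr_type == 1:
        agent, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif addr_type == 2:
        agent, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    else:
        raise ValueError("unknown agent address type %d" % addr_type)
    sub_agent, off = _u32(data, off)
    sequence, off = _u32(data, off)
    uptime, off = _u32(data, off)
    num_samples, off = _u32(data, off)
    return {"version": version, "agent": agent, "sub_agent_id": sub_agent,
            "sequence": sequence, "sysuptime_ms": uptime, "num_samples": num_samples}, off


def parse_generic_counters(rec):
    """Generic interface counters record (enterprise 0, format 1)."""
    if len(rec) < struct.calcsize(GENERIC_COUNTER_FMT):
        raise ValueError("generic counters record too short")
    return dict(zip(GENERIC_COUNTER_FIELDS, struct.unpack_from(GENERIC_COUNTER_FMT, rec)))


def parse_counters_sample(body, expanded):
    """Counters sample body (format 2 compact, format 4 expanded source id)."""
    off = 0
    sequence, off = _u32(body, off)
    if expanded:                      # format 4: source id type and index as separate words
        src_type, off = _u32(body, off)
        src_index, off = _u32(body, off)
    else:                             # format 2: type in the top byte, index in the low 24 bits
        src, off = _u32(body, off)
        src_type, src_index = src >> 24, src & 0xFFFFFF
    num_records, off = _u32(body, off)
    records = []
    for _ in range(num_records):
        rec_type, off = _u32(body, off)
        rec_len, off = _u32(body, off)
        rec, off = body[off:off + rec_len], off + rec_len
        if len(rec) != rec_len:
            raise ValueError("truncated counter record")
        enterprise, fmt = rec_type >> 12, rec_type & 0xFFF
        if (enterprise, fmt) == (0, 1):
            records.append(parse_generic_counters(rec))
        else:                         # other record types are kept raw, not guessed at
            records.append({"enterprise": enterprise, "format": fmt, "raw": rec})
    return {"type": "counters", "sequence": sequence, "source_id_type": src_type,
            "source_id_index": src_index, "records": records}


def parse_datagram(data):
    """Decode a whole datagram; samples we do not understand are skipped by length."""
    header, off = parse_header(data)
    samples = []
    for _ in range(header["num_samples"]):
        sample_type, off = _u32(data, off)
        length, off = _u32(data, off)
        body, off = data[off:off + length], off + length
        if len(body) != length:
            raise ValueError("truncated sample")
        enterprise, fmt = sample_type >> 12, sample_type & 0xFFF
        if enterprise == 0 and fmt in (2, 4):
            samples.append(parse_counters_sample(body, expanded=(fmt == 4)))
        else:                         # flow samples (formats 1, 3) and vendor samples
            samples.append({"type": "skipped", "enterprise": enterprise, "format": fmt})
    header["samples"] = samples
    return header


def build_example_datagram():
    """Constructed datagram with the counters sample from the Wireshark dissection above.
    Assumptions: agent 10.0.0.1 (page shows <switch-ip>) and one sample instead of 11."""
    counters = struct.pack(GENERIC_COUNTER_FMT,
                           1003, 7, 1000000000, 1, 0b11,      # ifStatus bits: admin up, oper up
                           16893026, 24396, 122631, 0, 0, 0, 0,
                           23915928, 24841, 41351, 172509, 0, 0, 1)
    record = struct.pack("!II", 1, len(counters)) + counters             # format 1, 88 bytes
    sample_body = struct.pack("!III", 141485, (0 << 24) | 1003, 1) + record
    sample = struct.pack("!II", 2, len(sample_body)) + sample_body       # counters sample, 108 bytes
    header = struct.pack("!II4sIIII", 5, 1, ipaddress.IPv4Address("10.0.0.1").packed,
                         0, 755859, 1919217650, 1)
    return header + sample


if __name__ == "__main__":
    print(json.dumps(parse_header(QUESTION_HEADER)[0], indent=2))
    print(json.dumps(parse_datagram(build_example_datagram()), indent=2, default=bytes.hex))
```

The dictionaries this returns are what you would hand to Logstash or index directly; the field names follow the sflow.org specification, so Wireshark's "Input Packets" is ifInUcastPkts and "Interface Direction: Full-Duplex (1)" is ifDirection. Before trusting a decoder on a collector, feed it a datagram with a sample type it does not know (a flow sample, format 1) and confirm it skips the sample by its declared length rather than reading the flow records as counters.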

EtherMAN, Embassador

Looks like you are trying to parse the sFlow data yourself and not use sFlow analytics software? There are many software options for turning collected sFlow packets into usable data and analysis. We use SolarWinds and have about 3,500 interfaces we are getting flow data from.