sFlow for monitoring


Hi,

I'm trying to collect sFlow from a BD8800 to use it in an ELK stack.
I'm actually able to receive the sFlow data; now I have to parse it to be able to do some searching/analysis on it.
Does anyone know the mapping of the sFlow data?

Actually I receive something like this:

u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\xAC\u0010\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0002'\xD3\u0004\u001F\x92H\u0000\u0000\u0000\v\u0000\u0000\u0000\u0002\u0000\u0000\u0000l\u0000\u0000gi\u0000\u0000\u0003\xF2\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000X\u0000\u0000\u0003\xF2\u0000\u0000\u0000\a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000


2 replies

Userlevel 5
I don't understand what you mean by "mapping of sflow data", please elaborate. EXOS conforms to the sFlow standard defined in RFC 3176, particularly version 5, which I believe is an improvement over the original RFC. The particular packet structure is defined in the following document: http://www.sflow.org/SFLOW-DATAGRAM5.txt. If you take a packet capture of the traffic an EXOS device is sending to the collector, below is what you should see when you expand the sFlow section:

    InMon sFlow
        Datagram version: 5
        Agent address type: IPv4 (1)
        Agent address:
        Sub-agent ID: 0
        Sequence number: 755859
        SysUptime: 1919217650
        NumSamples: 11
        Counters sample, seq 141485
            0000 0000 0000 0000 0000 .... .... .... = Enterprise: standard sFlow (0)
            .... .... .... .... .... 0000 0000 0010 = sFlow sample type: Counters sample (2)
            Sample length (byte): 108
            Sequence number: 141485
            0000 0000 .... .... .... .... .... .... = Source ID type: 0
            .... .... 0000 0000 0000 0011 1110 1011 = Source ID index: 1003
            Counters records: 1
            Generic interface counters
                0000 0000 0000 0000 0000 .... .... .... = Enterprise: standard sFlow (0)
                .... .... .... .... .... 0000 0000 0001 = Format: Generic interface counters (1)
                Flow data length (byte): 88
                Interface index: 1003
                Interface Type: 7
                Interface Speed: 1000000000
                Interface Direction: Full-Duplex (1)
                .... .... .... .... .... .... .... ...1 = IfAdminStatus: Up
                .... .... .... .... .... .... .... ..1. = IfOperStatus: Up
                Input Octets: 16893026
                Input Packets: 24396
                Input Multicast Packets: 122631
                Input Broadcast Packets: 0
                Input Discarded Packets: 0
                Input Errors: 0
                Input Unknown Protocol Packets: 0
                Output Octets: 23915928
                Output Packets: 24841
                Output Multicast Packets: 41351
                Output Broadcast Packets: 172509
                Output Discarded Packets: 0
                Output Errors: 0
                Promiscuous Mode: 1

Is this what you're asking about?
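The dissection above maps directly onto the sFlow v5 layout in SFLOW-DATAGRAM5.txt: a datagram header (version, agent address, sub-agent id, sequence number, uptime, sample count), then length-delimited samples, each carrying length-delimited records. The parser below is an added example written for this thread, not code from the original post or from Extreme; it decodes the header and the counters sample with the generic interface counters record (enterprise 0, format 1, 88 bytes), skips sample and record types it does not understand by their declared length, and refuses short or malformed datagrams rather than reading past the end, which matters because the collector port accepts UDP from anyone who can reach it. The agent address 192.0.2.1 in the constructed test datagram is made up; the interface counter values are the ones quoted in the dissection.

```python
import ipaddress
import struct

# Field layout of the sFlow v5 "generic interface counters" record (enterprise 0,
# format 1) from SFLOW-DATAGRAM5.txt; it is exactly 88 bytes, matching the
# "Flow data length (byte): 88" line in the dissection above.
GENERIC_COUNTER_FIELDS = (
    ("if_index", "I"), ("if_type", "I"), ("if_speed", "Q"),
    ("if_direction", "I"), ("if_status", "I"),
    ("in_octets", "Q"), ("in_ucast_pkts", "I"), ("in_multicast_pkts", "I"),
    ("in_broadcast_pkts", "I"), ("in_discards", "I"), ("in_errors", "I"),
    ("in_unknown_protos", "I"),
    ("out_octets", "Q"), ("out_ucast_pkts", "I"), ("out_multicast_pkts", "I"),
    ("out_broadcast_pkts", "I"), ("out_discards", "I"), ("out_errors", "I"),
    ("promiscuous_mode", "I"),
)


class Reader:
    """Bounds-checked cursor over datagram bytes. sFlow arrives over UDP from
    anything that can reach the collector port, so every read is length-checked
    and a short or malformed datagram raises instead of reading past the end."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError(f"truncated datagram at offset {self.pos}, need {n} bytes")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("!I", self.take(4))[0]

    def u64(self) -> int:
        return struct.unpack("!Q", self.take(8))[0]


def split_tag(tag: int) -> tuple:
    """Sample and record tags are 20 bits of enterprise and 12 bits of format."""
    return tag >> 12, tag & 0xFFF


def parse_generic_counters(rec: Reader) -> dict:
    counters = {}
    for name, fmt in GENERIC_COUNTER_FIELDS:
        counters[name] = rec.u32() if fmt == "I" else rec.u64()
    # ifStatus bit 0 = ifAdminStatus up, bit 1 = ifOperStatus up (as Wireshark shows)
    counters["if_admin_up"] = bool(counters["if_status"] & 1)
    counters["if_oper_up"] = bool(counters["if_status"] & 2)
    return {"type": "generic_interface_counters", **counters}


def parse_counters_sample(body: Reader) -> dict:
    seq = body.u32()
    source_id = body.u32()  # high byte = source id type, low 24 bits = index
    records = []
    for _ in range(body.u32()):
        enterprise, fmt = split_tag(body.u32())
        rec = Reader(body.take(body.u32()))  # length-delimited: unknown records are skipped cleanly
        if (enterprise, fmt) == (0, 1):
            records.append(parse_generic_counters(rec))
        else:
            records.append({"type": "unknown", "enterprise": enterprise, "format": fmt})
    return {"type": "counters_sample", "sequence_number": seq,
            "source_id_type": source_id >> 24, "source_id_index": source_id & 0xFFFFFF,
            "records": records}


def parse_datagram(data: bytes) -> dict:
    r = Reader(data)
    version = r.u32()
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type = r.u32()
    if addr_type == 1:
        agent = str(ipaddress.IPv4Address(r.take(4)))
    elif addr_type == 2:
        agent = str(ipaddress.IPv6Address(r.take(16)))
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    header = {"version": version, "agent_address": agent, "sub_agent_id": r.u32(),
              "sequence_number": r.u32(), "sys_uptime_ms": r.u32()}
    samples = []
    for _ in range(r.u32()):
        enterprise, fmt = split_tag(r.u32())
        body = Reader(r.take(r.u32()))
        if (enterprise, fmt) == (0, 2):
            samples.append(parse_counters_sample(body))
        else:  # flow samples (formats 1 and 3) and vendor samples are left for a later pass
            samples.append({"type": "unknown", "enterprise": enterprise, "format": fmt})
    return {"header": header, "samples": samples}


def build_sample_datagram() -> bytes:
    """Constructed datagram for offline testing: one counters sample carrying the
    interface values from the dissection above; the agent IP 192.0.2.1 is made up."""
    counters = struct.pack("!" + "".join(f for _, f in GENERIC_COUNTER_FIELDS),
                           1003, 7, 1_000_000_000, 1, 0b11,
                           16893026, 24396, 122631, 0, 0, 0, 0,
                           23915928, 24841, 41351, 172509, 0, 0, 1)
    record = struct.pack("!II", 1, len(counters)) + counters        # enterprise 0, format 1
    sample_body = struct.pack("!III", 141485, 1003, 1) + record     # seq, source id, 1 record
    sample = struct.pack("!II", 2, len(sample_body)) + sample_body   # enterprise 0, format 2
    header = struct.pack("!II", 5, 1) + ipaddress.IPv4Address("192.0.2.1").packed
    header += struct.pack("!IIII", 0, 755859, 1919217650, 1)         # sub-agent, seq, uptime, 1 sample
    return header + sample


if __name__ == "__main__":
    import json
    print(json.dumps(parse_datagram(build_sample_datagram()), indent=2))
```

In an ELK pipeline you would hand each UDP payload to parse_datagram and index the resulting dicts; the counter names become the searchable fields the original question asks about. Flow samples (packet headers plus sampling rate) use a different record set and are not decoded here.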
Userlevel 6
Looks like you are trying to parse the sFlow data yourself and not use sFlow analytics software? There are many software options for turning collected sFlow packets into usable data and analysis. We use SolarWinds and have about 3500 interfaces we are getting flow data from.
