topic Sflow for monitoring in ExtremeSwitching (EXOS/Switch Engine)

Sflow for monitoring

Trasschaert_Kar — Thu, 19 May 2016 20:17:00 GMT

Hi,

I'm trying to collect sflow from a BD8800 to use it in a ELK stack.
I'm actually able to receive the sflow data, now i have to parse it to be able to make some search/ analyse on it.
Did anyone know the mapping of sflow data .

Actually i receive somthing like this :

u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0001\xAC\u0010\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0002'\xD3\u0004\u001F\x92H\u0000\u0000\u0000\v\u0000\u0000\u0000\u0002\u0000\u0000\u0000l\u0000\u0000gi\u0000\u0000\u0003\xF2\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000X\u0000\u0000\u0003\xF2\u0000\u0000\u0000\a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000

RE: Sflow for monitoring

Kawawa — Wed, 01 Jun 2016 18:43:00 GMT

I don't understand you mean by "mapping of sflow data", please elaborate. EXOS conforms to the sflow standard defined in RFC 3176 particularly, version 5 which I believe is an improvement over the original FRC. The particular packet structure is defined in the following document: http://www.sflow.org/SFLOW-DATAGRAM5.txt. If you take a packet capture of the traffic an EXOS device is sending to the collector, below is what you should see when you expand the sFlow section:
InMon sFlow Datagram version: 5 Agent address type: IPv4 (1) Agent address: Sub-agent ID: 0 Sequence number: 755859 SysUptime: 1919217650 NumSamples: 11 Counters sample, seq 141485 0000 0000 0000 0000 0000 .... .... .... = Enterprise: standard sFlow (0) .... .... .... .... .... 0000 0000 0010 = sFlow sample type: Counters sample (2) Sample length (byte): 108 Sequence number: 141485 0000 0000 .... .... .... .... .... .... = Source ID type: 0 .... .... 0000 0000 0000 0011 1110 1011 = Source ID index: 1003 Counters records: 1 Generic interface counters 0000 0000 0000 0000 0000 .... .... .... = Enterprise: standard sFlow (0) .... .... .... .... .... 0000 0000 0001 = Format: Generic interface counters (1) Flow data length (byte): 88 Interface index: 1003 Interface Type: 7 Interface Speed: 1000000000 Interface Direction: Full-Duplex (1) .... .... .... .... .... .... .... ...1 = IfAdminStatus: Up .... .... .... .... .... .... .... ..1. = IfOperStatus: Up Input Octets: 16893026 Input Packets: 24396 Input Multicast Packets: 122631 Input Broadcast Packets: 0 Input Discarded Packets: 0 Input Errors: 0 Input Unknown Protocol Packets: 0 Output Octets: 23915928 Output Packets: 24841 Output Multicast Packets: 41351 Output Broadcast Packets: 172509 Output Discarded Packets: 0 Output Errors: 0 Promiscuous Mode: 1 Is this what you're asking about?

RE: Sflow for monitoring

EtherMAN — Wed, 01 Jun 2016 19:03:00 GMT

looks like you are trying to parse the sflow data yourself and not use a sflow analytic software? There are many software options for turning sflow collected packets into usable data and analysis. We use Solarwinds and have about 3500 interfaces we are getting flow data from.