RFC relevance of sampling

As per Relevance of the word sampling, we have this rfc below:

Network Working Group P.
Request for Comments: 3176 S.
Category: Informational N.
InMon Corp
September 2001

InMon Corporation's sFlow: A Method for Monitoring Traffic
Switched and Routed

Status of this

This memo provides information for the Internet community. It
not specify an Internet standard of any kind. Distribution of
memo is unlimited

Copyright

Copyright (C) The Internet Society (2001). All Rights Reserved

This memo defines InMon Coporation's sFlow system. sFlow is
technology for monitoring traffic in data networks
switches and routers. In particular, it defines the
mechanisms implemented in an sFlow Agent for monitoring traffic,
sFlow MIB for controlling the sFlow Agent, and the format of
data used by the sFlow Agent when forwarding data to a central
collector

Table of

1. Overview ..................................................... 2
2. Sampling Mechanisms .......................................... 2
2.1 Sampling of Switched Flows ............................... 3
2.1.1 Distributed Switching .............................. 4
2.1.2 Random Number Generation ........................... 4
2.2 Sampling of Network Interface Statistics ................. 4
3. sFlow MIB .................................................... 5
3.1 The SNMP Management Framework ............................ 5
3.2 Definitions .............................................. 6
4. sFlow Datagram Format ........................................ 14
5. Security Considerations ...................................... 25
5.1 Control .................................................. 26
5.2 Transport ................................................ 26
5.3 Confidentiality .......................................... 26
6. References ................................................... 27
7. Authors' Addresses ........................................... 29

Phaal, et al. Informational [Page 1]

RFC 3176 InMon Corporation's sFlow September 2001

8. Intellectual Property Statement .............................. 30
9. Full Copyright Statement ..................................... 31

1.

sFlow is a technology for monitoring traffic in data
containing switches and routers. In particular, it defines
sampling mechanisms implemented in an sFlow Agent for
traffic, the sFlow MIB for controlling the sFlow Agent, and
format of sample data used by the sFlow Agent when forwarding data
a central data collector

The architecture and sampling techniques used in the sFlow
system are designed to provide continuous site-wide (and network
wide) traffic monitoring for high speed switched and routed networks

The design specifically addresses issues associated with

o Accurately monitoring network traffic at Gigabit speeds and higher

o Scaling to manage tens of thousands of agents from a single point

o Extremely low cost agent implementation

The sFlow monitoring system consists of an sFlow Agent (embedded in
switch or router or in a stand alone probe) and a central
collector, or sFlow Analyzer

The sFlow Agent uses sampling technology to capture
statistics from the device it is monitoring. sFlow Datagrams
used to immediately forward the sampled traffic statistics to
sFlow Analyzer for analysis

This document describes the sampling mechanisms used by the
Agent, the SFLOW MIB used by the sFlow Analyzer to control the
Agent, and the sFlow Datagram Format used by the sFlow Agent to
traffic data to the sFlow Analyzer

2. Sampling

The sFlow Agent uses two forms of sampling: statistical packet-
sampling of switched flows, and time-based sampling of
interface statistics

Phaal, et al. Informational [Page 2]

RFC 3176 InMon Corporation's sFlow September 2001

2.1 Sampling of Switched

A flow is defined as all the packets that are received on
interface, enter the Switching/Routing Module and are sent to
interface. In the case of a one-armed router, the source
destination interface could be the same. In the case of a
or multicast packet there may be multiple destination interfaces
The sampling mechanism must ensure that any packet involved in a
has an equal chance of being sampled, irrespective of the flow
which it belongs

Sampling flows is accomplished as follows: When a packet arrives
an interface, a filtering decision is made that determines
the packet should be dropped. If the packet is not filtered
destination interface is assigned by the switching/routing function
At this point a decision is made on whether or not to sample
packet. The mechanism involves a counter that is decremented
each packet. When the counter reaches zero a sample is taken
Whether or not a sample is taken, the counter Total_Packets
incremented. Total_Packets is a count of all the packets that
have been sampled

Taking a sample involves either copying the packet's header,
extracting features from the packet (see sFlow Datagram Format for
description of the different forms of sample). Every time a
is taken, the counter Total_Samples, is incremented. Total_
is a count of the number of samples generated. Samples are sent
the sampling entity to the sFlow Agent for processing. The
includes the packet information, and the values of the Total_
and Total_Samples counters

When a sample is taken, the counter indicating how many packets
skip before taking the next sample should be reset. The value of
counter should be set to a random integer where the sequence
random integers used over time should be such

(1) Total_Packets/Total_Samples =

An alternative strategy for packet sampling is to generate a
number for each packet, compare the random number to a
threshold and take a sample whenever the random number is
than the threshold value. Calculation of an appropriate
value depends on the characteristics of the random number generator
however, the resulting sample stream must still satisfy (1).

Phaal, et al. Informational [Page 3]

RFC 3176 InMon Corporation's sFlow September 2001

2.1.1 Distributed

The SFLOW MIB permits separate sampling entities to be
with different physical or logical elements of the switch (such
interfaces, backplanes or VLANs). Each sampling engine has its
independent state (i.e., Total_Packets, Total_Samples, Skip
Rate), and forwards its own sample messages to the sFlow Agent.
sFlow Agent is responsible for packaging the samples into
for transmission to an sFlow Analyzer

2.1.2 Random Number

The essential property of the random number generator is that
mean value of the numbers it generates converges to the
sampling rate

A uniform distribution random number generator is very effective
The range of skip counts (the variance) does not significantly
results; variation of +-10% of the mean value is sufficient

The random number generator must ensure that all numbers in the
between its maximum and minimum values of the distribution
possible; a random number generator only capable of generating
numbers, or numbers with any common divisor is unsuitable

A new skip value is only required every time a sample is taken

2.2 Sampling of Network Interface

The objective of the counter sampling is to efficiently,
poll each data source on the device and extract key statistics

For efficiency and scalability reasons, the sFlow System
counter polling in the sFlow Agent. A maximum polling interval
assigned to the agent, but the agent is free to schedule polling
order maximize internal efficiency

Flow sampling and counter sampling are designed as part of
integrated system. Both types of samples are combined in
Datagrams. Since flow sampling will cause a steady, but random
stream of datagrams to be sent to the sFlow Analyzer, counter
may be taken opportunistically in order to fill these datagrams

One strategy for counter sampling has the sFlow Agent keep a list
counter sources being sampled. When a flow sample is generated
sFlow Agent examines the list and adds counters to the
datagram, least recently sampled first. Counters are only added
the datagram if the sources are within a short period, 5 seconds say

Phaal, et al. Informational [Page 4]

RFC 3176 InMon Corporation's sFlow September 2001

of failing to meet the required sampling interval (
sFlowCounterSamplingInterval in SFLOW MIB). Whenever a
source's statistics are added to a sample datagram, the time
counter source was last sampled is updated and the counter source
placed at the end of the list. Periodically, say every second,
sFlow Agent examines the list of counter sources and sends
counters that need to be sent to meet the sampling
requirement

Alternatively, if the agent regularly schedules counter sampling
then it should schedule each counter source at a different start
(preferably randomly) so that counter sampling is not
within an agent or between agents

3. sFlow

The sFlow MIB defines a control interface for an sFlow Agent.
interface provides a standard mechanism for remotely controlling
configuring an sFlow Agent

3.1 The SNMP Management

The SNMP Management Framework presently consists of five
components

o An overall architecture, described in RFC 2571 [2].

o Mechanisms for describing and naming objects and events for
purpose of management. The first version of this Structure
Management Information (SMI) is called SMIv1 and described in
16,

RFC 1155 [3], STD 16, RFC 1212 [4] and RFC 1215 [5]. The
version, called SMIv2, is described in STD 58, RFC 2578 [6],
58, RFC 2579 [7] and STD 58, RFC 2580 [8].

o Message protocols for transferring management information.
first version of the SNMP message protocol is called SNMPv1
described in STD 15, RFC 1157 [9]. A second version of the
message protocol, which is not an Internet standards
protocol, is called SNMPv2c and described in RFC 1901 [10] and
1906 [11]. The third version of the message protocol is
SNMPv3 and described in RFC 1906 [11], RFC 2572 [12] and RFC 2574
[13].

Phaal, et al. Informational [Page 5]

RFC 3176 InMon Corporation's sFlow September 2001

o Protocol operations for accessing management information.
first set of protocol operations and associated PDU formats
described in STD 15, RFC 1157 [9]. A second set of
operations and associated PDU formats is described in RFC 1905
[14].

o A set of fundamental applications described in RFC 2573 [15]
the view-based access control mechanism described in RFC 2575
[16].

A more detailed introduction to the current SNMP Management
can be found in RFC 2570 [17].

Managed objects are accessed via a virtual information store,
the Management Information Base or MIB. Objects in the MIB
defined using the mechanisms defined in the SMI

This memo specifies a MIB module that is compliant to the SMIv2.
MIB conforming to the SMIv1 can be produced through the
translations. The resulting translated MIB must be
equivalent, except where objects or events are omitted because
translation is possible (use of Counter64). Some machine
information in SMIv2 will be converted into textual descriptions
SMIv1 during the translation process. However, this loss of
readable information is not considered to change the semantics of
MIB

3.2

SFLOW-MIB DEFINITIONS ::=

MODULE-IDENTITY, OBJECT-TYPE, Integer32,
FROM SNMPv2-

FROM SNMP-FRAMEWORK-

FROM RMON-
InetAddressType,
FROM INET-ADDRESS-
MODULE-COMPLIANCE, OBJECT-
FROM SNMPv2-CONF

sFlowMIB MODULE-
LAST-UPDATED "200105150000Z" -- May 15, 2001
ORGANIZATION "InMon Corp."
CONTACT-

Phaal, et al. Informational [Page 6]

RFC 3176 InMon Corporation's sFlow September 2001

"Peter
InMon Corp
http://www.inmon.com

Tel: +1-415-661-6343
Email: peter_phaal@inmon.com

"The MIB module for managing the generation and
of sFlow data records."

--
-- Revision
--
REVISION "200105150000Z" -- May 15, 2001

"Version 1.2

Brings MIB into SMI v2 compliance."

REVISION "200105010000Z" -- May 1, 2001

"Version 1.1

Adds sFlowDatagramVersion."
::= { enterprises 4300 1 }

sFlowAgent OBJECT IDENTIFIER ::= { sFlowMIB 1 }

sFlowVersion OBJECT-
SYNTAX
MAX-ACCESS read-
STATUS

"Uniquely identifies the version and implementation of this MIB
The version string must have the following structure
;<Organization>;<Software Revision
where
must be '1.2', the version of this MIB
<Organization> the name of the organization
for the agent implementation
<Revision> the specific software build of this agent

As an example, the string '1.2;InMon Corp.;2.1.1'
that this agent implements version '1.2' of the SFLOW MIB,
it was developed by 'InMon Corp.' and that the software
is '2.1.1'.

The MIB Version will change with each revision of the

Phaal, et al. Informational [Page 7]

RFC 3176 InMon Corporation's sFlow September 2001

MIB

Management entities must check the MIB Version and not
to manage agents with MIB Versions greater than that for
they were designed

Note: The sFlow Datagram Format has an independent
number which may change independently from .
applies to the structure and semantics
the SFLOW MIB only."
DEFVAL { "1.2;;" }
::= { sFlowAgent 1 }

sFlowAgentAddressType OBJECT-
SYNTAX
MAX-ACCESS read-
STATUS

"The address type of the address associated with this agent
Only ipv4 and ipv6 types are supported."
::= { sFlowAgent 2 }

sFlowAgentAddress OBJECT-
SYNTAX
MAX-ACCESS read-
STATUS

"The IP address associated with this agent. In the case of
multi-homed agent, this should be the loopback address of
agent. The sFlowAgent address must provide SNMP
to the agent. The address should be an invariant that does
change as interfaces are reconfigured, enabled, disabled
added or removed. A manager should be able to use
sFlowAgentAddress as a unique key that will identify
agent over extended periods of time so that a history
be maintained."
::= { sFlowAgent 3 }

sFlowTable OBJECT-
SYNTAX SEQUENCE OF
MAX-ACCESS not-
STATUS

"A table of the sFlow samplers within a device."
::= { sFlowAgent 4 }

sFlowEntry OBJECT-
SYNTAX

Phaal, et al. Informational [Page 8]

RFC 3176 InMon Corporation's sFlow September 2001

MAX-ACCESS not-
STATUS

"Attributes of an sFlow sampler."
INDEX { sFlowDataSource }
::= { sFlowTable 1 }

SFlowEntry ::= SEQUENCE {
sFlowDataSource OBJECT IDENTIFIER
sFlowOwner OwnerString
sFlowTimeout Integer32,
sFlowPacketSamplingRate Integer32,
sFlowCounterSamplingInterval Integer32,
sFlowMaximumHeaderSize Integer32,
sFlowMaximumDatagramSize Integer32,
sFlowCollectorAddressType InetAddressType
sFlowCollectorAddress InetAddress
sFlowCollectorPort Integer32,
sFlowDatagramVersion Integer32

sFlowDataSource OBJECT-
SYNTAX OBJECT
MAX-ACCESS read-
STATUS

"Identifies the source of the data for the sFlow sampler
The following data source types are currently defined

- ifIndex. DataSources of this traditional form are called 'port-based'.
Ideally the sampling entity will perform sampling on all
originating from or destined to the specified interface
However, if the switch architecture only permits input
output sampling then the sampling agent is permitted to
sample input flows input or output flows. Each packet
only be considered once for sampling, irrespective of
number of ports it will be forwarded to

Note: Port 0 is used to indicate that all ports on the
are represented by a single data source
- sFlowPacketSamplingRate applies to all ports on
device capable of packet sampling
- sFlowCounterSamplingInterval applies to all ports

- smonVlanDataSource. A dataSource of this form refers to a 'Packet-based VLAN
and is called a 'VLAN-based' dataSource. is the

Phaal, et al. Informational [Page 9]

RFC 3176 InMon Corporation's sFlow September 2001

ID as defined by the IEEE 802.1Q standard.
value is between 1 and 4094 inclusive, and it
an 802.1Q VLAN-ID with global scope within a
bridged domain
Sampling is performed on all packets received that are
of the specified VLAN (no matter which port they arrived on).
Each packet will only be considered once for sampling
irrespective of the number of ports it will be forwarded to

- entPhysicalEntry. A dataSource of this form refers to a physical entity
the agent (e.g., entPhysicalClass = backplane(4)) and is
an 'entity-based' dataSource
Sampling is performed on all packets entering the resource (e.g
If the backplane is being sampled, all packets transmitted
the backplane will be considered as single candidates
sampling irrespective of the number of ports they
reach).

Note: Since each DataSource operates independently, a
that crosses multiple DataSources may generate
flow records."
::= { sFlowEntry 1 }

sFlowOwner OBJECT-
SYNTAX
MAX-ACCESS read-
STATUS

"The entity making use of this sFlow sampler. The empty
indicates that the sFlow sampler is currently unclaimed
An entity wishing to claim an sFlow sampler must make
that the sampler is unclaimed before trying to claim it
The sampler is claimed by setting the owner string to
the entity claiming the sampler. The sampler must be
before any changes can be made to other sampler objects

In order to avoid a race condition, the entity taking
of the sampler must set both the owner and a value
sFlowTimeout in the same SNMP set request

When a management entity is finished using the sampler
it should set its value back to unclaimed. The
must restore all other entities this row to
default values when the owner is set to unclaimed

This mechanism provides no enforcement and relies on
cooperation of management entities in order to ensure

Phaal, et al. Informational [Page 10]

RFC 3176 InMon Corporation's sFlow September 2001

competition for a sampler is fairly resolved."
DEFVAL { "" }
::= { sFlowEntry 2 }

sFlowTimeout OBJECT-
SYNTAX Integer32
MAX-ACCESS read-
STATUS

"The time (in seconds) remaining before the sampler is
and stops sampling. When set, the owner establishes
for the specified period. When read, the remaining time in
interval is returned

A management entity wanting to maintain control of the
is responsible for setting a new value before the old
expires

When the interval expires, the agent is responsible
restoring all other entities in this row to their
values."
DEFVAL { 0 }
::= { sFlowEntry 3 }

sFlowPacketSamplingRate OBJECT-
SYNTAX Integer32
MAX-ACCESS read-
STATUS

"The statistical sampling rate for packet sampling from
source

Set to N to sample 1/Nth of the packets in the monitored flows
An agent should choose its own algorithm introduce
into the sampling so that exactly every Nth packet is
counted. A sampling rate of 1 counts all packets. A
rate of 0 disables sampling

The agent is permitted to have minimum and maximum
values for the sampling rate. A minimum rate lets the
designer set an upper bound on the overhead associated
sampling, and a maximum rate may be the result of
restrictions (such as counter size). In addition not all
between the maximum and minimum may be realizable as
sampling rate (again because of implementation considerations).

When the sampling rate is set the agent is free to adjust
value so that it lies between the maximum and minimum

Phaal, et al. Informational [Page 11]

RFC 3176 InMon Corporation's sFlow September 2001

and has the closest achievable value

When read, the agent must return the actual sampling rate
will be using (after the adjustments previously described).
sampling algorithm must converge so that over time the
of packets sampled approaches 1/Nth of the total number
packets in the monitored flows."
DEFVAL { 0 }
::= { sFlowEntry 4 }

sFlowCounterSamplingInterval OBJECT-
SYNTAX Integer32
MAX-ACCESS read-
STATUS

"The maximum number of seconds between successive samples of
counters associated with this data source. A sampling
of 0 disables counter sampling."
DEFVAL { 0 }
::= { sFlowEntry 5 }

sFlowMaximumHeaderSize OBJECT-
SYNTAX Integer32
MAX-ACCESS read-
STATUS

"The maximum number of bytes that should be copied from
sampled packet. The agent may have an internal maximum
minimum permissible sizes. If an attempt is made to set
value outside the permissible range then the agent
adjust the value to the closest permissible value."
DEFVAL { 128 }
::= { sFlowEntry 6 }

sFlowMaximumDatagramSize OBJECT-
SYNTAX Integer32
MAX-ACCESS read-
STATUS

"The maximum number of data bytes that can be sent in a
sample datagram. The manager should set this value to
fragmentation of the sFlow datagrams."
DEFVAL { 1400 }
::= { sFlowEntry 7 }

sFlowCollectorAddressType OBJECT-
SYNTAX
MAX-ACCESS read-

Phaal, et al. Informational [Page 12]

RFC 3176 InMon Corporation's sFlow September 2001

STATUS

"The type of sFlowCollectorAddress."
DEFVAL { ipv4 }
::= { sFlowEntry 8 }

sFlowCollectorAddress OBJECT-
SYNTAX
MAX-ACCESS read-
STATUS

"The IP address of the sFlow collector
If set to 0.0.0.0 all sampling is disabled."
DEFVAL { "0.0.0.0" }
::= { sFlowEntry 9 }

sFlowCollectorPort OBJECT-
SYNTAX Integer32
MAX-ACCESS read-
STATUS

"The destination port for sFlow datagrams."
DEFVAL { 6343 }
::= { sFlowEntry 10 }

sFlowDatagramVersion OBJECT-
SYNTAX Integer32
MAX-ACCESS read-
STATUS

"The version of sFlow datagrams that should be sent

When set to a value not support by the agent, the agent
adjust the value to the highest supported value less than
requested value, or return an error if no such values exist."
DEFVAL { 4 }
::= { sFlowEntry 11 }

--
-- Compliance
--

sFlowMIBConformance OBJECT IDENTIFIER ::= { sFlowMIB 2 }
sFlowMIBGroups OBJECT IDENTIFIER ::= { sFlowMIBConformance 1 }
sFlowMIBCompliances OBJECT IDENTIFIER ::= { sFlowMIBConformance 2 }

sFlowCompliance MODULE-
STATUS

Phaal, et al. Informational [Page 13]

RFC 3176 InMon Corporation's sFlow September 2001

"Compliance statements for the sFlow Agent."

MODULE -- this
MANDATORY-GROUPS { sFlowAgentGroup }
OBJECT
SYNTAX InetAddressType { ipv4(1) }

"Agents need only support ipv4."

OBJECT
SYNTAX InetAddressType { ipv4(1) }

"Agents need only support ipv4."

::= { sFlowMIBCompliances 1 }

sFlowAgentGroup OBJECT-
OBJECTS { sFlowVersion, sFlowAgentAddressType, sFlowAgentAddress
sFlowDataSource, sFlowOwner, sFlowTimeout
sFlowPacketSamplingRate, sFlowCounterSamplingInterval
sFlowMaximumHeaderSize, sFlowMaximumDatagramSize
sFlowCollectorAddressType, sFlowCollectorAddress
sFlowCollectorPort, sFlowDatagramVersion }
STATUS

"A collection of objects for managing the generation
transportation of sFlow data records."
::= { sFlowMIBGroups 1 }

The sFlow MIB references definitions from a number of existing
[18], [19], [20] and [21].

4. sFlow Datagram

The sFlow datagram format specifies a standard format for the
Agent to send sampled data to a remote data collector

The format of the sFlow datagram is specified using the XDR
[1]. XDR is more compact than ASN.1 and simpler for the sFlow
to encode and the sFlow Analyzer to decode

Samples are sent as UDP packets to the host and port specified in
SFLOW MIB. The lack of reliability in the UDP transport
does not significantly affect the accuracy of the
obtained from an sFlow Agent

Phaal, et al. Informational [Page 14]

RFC 3176 InMon Corporation's sFlow September 2001

o If counter samples are lost then new values will be sent
the next polling interval. The chance of an undetected
wrap is negligible. The sFlow datagram specifies 64 bit
counters, and with typical counter polling intervals between 20
120 seconds, the chance of a long enough sequence of
datagrams being lost to hide a counter wrap is very small

o The net effect of lost flow samples is a slight reduction in
effective sampling rate

The use of UDP reduces the amount of memory required to buffer data
UDP also provides a robust means of delivering timely
information during periods of intense traffic (such as a denial
service attack). UDP is more robust than a reliable
mechanism because under overload the only effect on overall
performance is a slight increase in transmission delay and a
number of lost packets, neither of which has a significant effect
an sFlow-based monitoring system. If a reliable transport
were used then an overload would introduce long transmission
and require large amounts of buffer memory on the agent

While the sFlow Datagram structure permits multiple samples to
included in each datagram, the sampling agent must not wait for
buffer to fill with samples before sending the sample datagram
sFlow sampling is intended to provide timely information on traffic
The agent may at most delay a sample by 1 second before it
required to send the datagram

The agent should try to piggyback counter samples on the
stream resulting from flow sampling. Before sending out a
the remaining space in the buffer can be filled with counter samples
The agent has discretion in the timing of its counter polling,
specified counter sampling intervals sFlowCounterSamplingInterval
a maximum, so the agent is free to sample counters early if it
space in a datagram. If counters must be sent in order to
the maximum sampling interval then a datagram must be sent
the outstanding counters

The following is the XDR description of an sFlow Datagram

/* sFlow Datagram Version 4 */

/* Revision
- version 4 adds support BGP
- version 3 adds support for extended_url
*/

/* sFlow Sample types */

Phaal, et al. Informational [Page 15]

RFC 3176 InMon Corporation's sFlow September 2001

/* Address Types */

typedef opaque ip_v4[4];
typedef opaque ip_v6[16];

enum address_type {
IP_V4 = 1,
IP_V6 = 2

union address (address_type type) {
case IP_V4:
ip_v4;
case IP_V6:
ip_v6;

/* Packet header data */

const MAX_HEADER_SIZE = 256; /* The maximum sampled header size. */

/* The header protocol describes the format of the sampled header */
enum header_protocol {
ETHERNET-ISO8023 = 1,
ISO88024-TOKENBUS = 2,
ISO88025-TOKENRING = 3,
FDDI = 4,
FRAME-RELAY = 5,
X25 = 6,
PPP = 7,
SMDS = 8,
AAL5 = 9,
AAL5-IP = 10, /* e.g., Cisco AAL5 mux */
IPv4 = 11,
IPv6 = 12,
MPLS = 13

struct sampled_header {
header_protocol protocol; /* Format of sampled header */
unsigned int frame_length; /* Original length of packet
sampling */
opaque header; /* Header bytes */

/* Packet IP version 4 data */

struct sampled_ipv4 {

Phaal, et al. Informational [Page 16]

RFC 3176 InMon Corporation's sFlow September 2001

unsigned int length; /* The length of the IP packet
lower layer encapsulations */
unsigned int protocol; /* IP Protocol
(for example, TCP = 6, UDP = 17) */
ip_v4 src_ip; /* Source IP Address */
ip_v4 dst_ip; /* Destination IP Address */
unsigned int src_port; /* TCP/UDP source port number
equivalent */
unsigned int dst_port; /* TCP/UDP destination port number
equivalent */
unsigned int tcp_flags; /* TCP flags */
unsigned int tos; /* IP type of service */

/* Packet IP version 6 data */

struct sampled_ipv6 {
unsigned int length; /* The length of the IP packet
lower layer encapsulations */
unsigned int protocol; /* IP next
(for example, TCP = 6, UDP = 17) */
ip_v6 src_ip; /* Source IP Address */
ip_v6 dst_ip; /* Destination IP Address */
unsigned int src_port; /* TCP/UDP source port number
equivalent */
unsigned int dst_port; /* TCP/UDP destination port number
equivalent */
unsigned int tcp_flags; /* TCP flags */
unsigned int priority; /* IP priority */

/* Packet data */

enum packet_information_type {
HEADER = 1, /* Packet headers are sampled */
IPV4 = 2, /* IP version 4 data */
IPV6 = 3 /* IP version 6 data */

union packet_data_type (packet_information_type type) {
case HEADER
sampled_header header
case IPV4:
sampled_ipv4 ipv4;
case IPV6:
sampled_ipv6 ipv6;

Phaal, et al. Informational [Page 17]

RFC 3176 InMon Corporation's sFlow September 2001

/* Extended data types */

/* Extended switch data */

struct extended_switch {
unsigned int src_vlan; /* The 802.1Q VLAN id of incoming frame */
unsigned int src_priority; /* The 802.1p priority of
frame */
unsigned int dst_vlan; /* The 802.1Q VLAN id of outgoing frame */
unsigned int dst_priority; /* The 802.1p priority of
frame */

/* Extended router data */

struct extended_router {
address nexthop; /* IP address of next hop router */
unsigned int src_mask; /* Source address prefix mask bits */
unsigned int dst_mask; /* Destination address prefix mask bits */

/* Extended gateway data */

enum as_path_segment_type {
AS_SET = 1, /* Unordered set of ASs */
AS_SEQUENCE = 2 /* Ordered set of ASs */

union as_path_type (as_path_segment_type) {
case AS_SET
unsigned int as_set<>;
case AS_SEQUENCE
unsigned int as_sequence<>;

struct extended_gateway {
unsigned int as; /* Autonomous system number of router */
unsigned int src_as; /* Autonomous system number of source */
unsigned int src_peer_as; /* Autonomous system number of
peer */
as_path_type dst_as_path<>; /* Autonomous system path to
destination */
unsigned int communities<>; /* Communities associated with
route */
unsigned int localpref; /* LocalPref associated with
route */

Phaal, et al. Informational [Page 18]

RFC 3176 InMon Corporation's sFlow September 2001

/* Extended user data */

struct extended_user {
string src_user<>; /* User ID associated with
source */
string dst_user<>; /* User ID associated with
destination */

/* Extended URL data */

enum url_direction {
src = 1, /* URL is associated with
address */
dst = 2 /* URL is associated with
address */

struct extended_url {
url_direction direction; /* URL associated with packet source */
string url<>; /* URL associated with the packet flow */

/* Extended data */
enum extended_information_type {
SWITCH = 1, /* Extended switch information */
ROUTER = 2, /* Extended router information */
GATEWAY = 3, /* Extended gateway router information */
USER = 4, /* Extended TACACS/RADIUS user information */
URL = 5 /* Extended URL information */

union extended_data_type (extended_information_type type) {
case SWITCH
extended_switch switch
case ROUTER
extended_router router
case GATEWAY
extended_gateway gateway
case USER
extended_user user
case URL
extended_url url

/* Format of a single flow sample */

Phaal, et al. Informational [Page 19]

RFC 3176 InMon Corporation's sFlow September 2001

struct flow_sample {
unsigned int sequence_number; /* Incremented with each flow
generated by this source_id */
unsigned int source_id; /* sFlowDataSource encoded as follows
The most significant byte of
source_id is used to indicate
type of
(0 = ifIndex
1 = smonVlanDataSource
2 = entPhysicalEntry) and
lower three bytes contain
relevant index value.*/

unsigned int sampling_rate; /* sFlowPacketSamplingRate */
unsigned int sample_pool; /* Total number of packets that
have been sampled (i.e.,
skipped by sampling process +
number of samples) */
unsigned int drops; /* Number times a packet was
due to lack of resources */

unsigned int input; /* SNMP ifIndex of input interface
0 if interface is not known. */
unsigned int output; /* SNMP ifIndex of output interface
0 if interface is not known
Set most significant bit
indicate multiple
interfaces (i.e., in case
broadcast or multicast
and set lower order bits
indicate number of
interfaces
Examples
0x00000002 indicates ifIndex =
2
0x00000000 ifIndex unknown
0x80000007 indicates a
sent to 7
interfaces
0x80000000 indicates a
sent to an
number of
greater than 1. */

packet_data_type packet_data; /* Information about
packet */
extended_data_type extended_data<>; /* Extended flow information */

Phaal, et al. Informational [Page 20]

RFC 3176 InMon Corporation's sFlow September 2001

/* Counter types */

/* Generic interface counters - see RFC 2233 */

struct if_counters {
unsigned int ifIndex
unsigned int ifType
unsigned hyper ifSpeed
unsigned int ifDirection; /* derived from MAU MIB (RFC 2668)
0 = unknown, 1=full-duplex
2=half-duplex, 3 = in, 4=out */
unsigned int ifStatus; /* bit field with the following

bit 0 =
(0 = down, 1 = up
bit 1 =
(0 = down, 1 = up) */
unsigned hyper ifInOctets
unsigned int ifInUcastPkts
unsigned int ifInMulticastPkts
unsigned int ifInBroadcastPkts
unsigned int ifInDiscards
unsigned int ifInErrors
unsigned int ifInUnknownProtos
unsigned hyper ifOutOctets
unsigned int ifOutUcastPkts
unsigned int ifOutMulticastPkts
unsigned int ifOutBroadcastPkts
unsigned int ifOutDiscards
unsigned int ifOutErrors
unsigned int ifPromiscuousMode

/* Ethernet interface counters - see RFC 2358 */

struct ethernet_counters {
if_counters generic
unsigned int dot3StatsAlignmentErrors
unsigned int dot3StatsFCSErrors
unsigned int dot3StatsSingleCollisionFrames
unsigned int dot3StatsMultipleCollisionFrames
unsigned int dot3StatsSQETestErrors
unsigned int dot3StatsDeferredTransmissions
unsigned int dot3StatsLateCollisions
unsigned int dot3StatsExcessiveCollisions
unsigned int dot3StatsInternalMacTransmitErrors
unsigned int dot3StatsCarrierSenseErrors
unsigned int dot3StatsFrameTooLongs

Phaal, et al. Informational [Page 21]

RFC 3176 InMon Corporation's sFlow September 2001

unsigned int dot3StatsInternalMacReceiveErrors
unsigned int dot3StatsSymbolErrors

/* FDDI interface counters - see RFC 1512 */
struct fddi_counters {
if_counters generic

/* Token ring counters - see RFC 1748 */

struct tokenring_counters {
if_counters generic
unsigned int dot5StatsLineErrors
unsigned int dot5StatsBurstErrors
unsigned int dot5StatsACErrors
unsigned int dot5StatsAbortTransErrors
unsigned int dot5StatsInternalErrors
unsigned int dot5StatsLostFrameErrors
unsigned int dot5StatsReceiveCongestions
unsigned int dot5StatsFrameCopiedErrors
unsigned int dot5StatsTokenErrors
unsigned int dot5StatsSoftErrors
unsigned int dot5StatsHardErrors
unsigned int dot5StatsSignalLoss
unsigned int dot5StatsTransmitBeacons
unsigned int dot5StatsRecoverys
unsigned int dot5StatsLobeWires
unsigned int dot5StatsRemoves
unsigned int dot5StatsSingles
unsigned int dot5StatsFreqErrors

/* 100 BaseVG interface counters - see RFC 2020 */

struct vg_counters {
if_counters generic
unsigned int dot12InHighPriorityFrames
unsigned hyper dot12InHighPriorityOctets
unsigned int dot12InNormPriorityFrames
unsigned hyper dot12InNormPriorityOctets
unsigned int dot12InIPMErrors
unsigned int dot12InOversizeFrameErrors
unsigned int dot12InDataErrors
unsigned int dot12InNullAddressedFrames
unsigned int dot12OutHighPriorityFrames
unsigned hyper dot12OutHighPriorityOctets
unsigned int dot12TransitionIntoTrainings

Phaal, et al. Informational [Page 22]

RFC 3176 InMon Corporation's sFlow September 2001

unsigned hyper dot12HCInHighPriorityOctets
unsigned hyper dot12HCInNormPriorityOctets
unsigned hyper dot12HCOutHighPriorityOctets

/* WAN counters */

struct wan_counters {
if_counters generic

/* VLAN counters */

struct vlan_counters {
unsigned int vlan_id
unsigned hyper octets
unsigned int ucastPkts
unsigned int multicastPkts
unsigned int broadcastPkts
unsigned int discards

/* Counter data */

enum counters_version {
GENERIC = 1,
ETHERNET = 2,
TOKENRING = 3,
FDDI = 4,
VG = 5,
WAN = 6,
VLAN = 7

union counters_type (counters_version version) {
case GENERIC
if_counters generic
case ETHERNET
ethernet_counters ethernet
case TOKENRING
tokenring_counters tokenring
case FDDI
fddi_counters fddi
case VG
vg_counters vg
case WAN
wan_counters wan
case VLAN

Phaal, et al. Informational [Page 23]

RFC 3176 InMon Corporation's sFlow September 2001

vlan_counters vlan

/* Format of a single counter sample */

struct counters_sample {
unsigned int sequence_number; /* Incremented with each
sample generated by
source_id */
unsigned int source_id; /* sFlowDataSource encoded
follows
The most significant byte of
source_id is used to indicate
type of
(0 = ifIndex
1 = smonVlanDataSource
2 = entPhysicalEntry) and
lower
bytes contain the
index value.*/

unsigned int sampling_interval; /* sFlowCounterSamplingInterval*/
counters_type counters

/* Format of a sample datagram */

enum sample_types {
FLOWSAMPLE = 1,
COUNTERSSAMPLE = 2

union sample_type (sample_types sampletype) {
case FLOWSAMPLE
flow_sample flowsample
case COUNTERSSAMPLE
counters_sample counterssample

struct sample_datagram_v4 {
address agent_address /* IP address of sampling agent
sFlowAgentAddress. */
unsigned int sequence_number; /* Incremented with each
datagram generated */
unsigned int uptime; /* Current time (in milliseconds
device last booted). Should be
as close to datagram
time as possible.*/

Phaal, et al. Informational [Page 24]

RFC 3176 InMon Corporation's sFlow September 2001

sample_type samples<>; /* An array of flow, counter and
samples */

enum datagram_version {
VERSION4 = 4

union sample_datagram_type (datagram_version version) {
case VERSION4:
sample_datagram_v4 datagram

struct sample_datagram {
sample_datagram_type version

The sFlow Datagram specification makes use of definitions from
number of existing RFCs [22], [23], [24], [25], [26], [27] and [28].

5. Security

Deploying a traffic monitoring system raises a number of
related issues. sFlow does not provide specific security mechanisms
relying instead on proper deployment and configuration to maintain
adequate level of security

While the deployment of traffic monitoring systems does create
risk, it also provides a powerful means of detecting and
unauthorized network activity

This section is intended to provide information that will
understand potential risks and configuration options for
those risks

5.1

The sFlow MIB is used to configure the generation of sFlow samples
The security of SNMP, with access control lists, is
considered adequate in an enterprise setting. However, there
situations when these security measures are insufficient (for
a WAN router) and SNMP configuration control will be disabled

When SNMP is disabled, a command line interface is
provided. The following arguments are required to configure
sampling on an interface

Phaal, et al. Informational [Page 25]

RFC 3176 InMon Corporation's sFlow September 2001

-sFlowDataSource -sFlowPacketSamplingRate -sFlowCounterSamplingInterval <interval
-sFlowMaximumHeaderSize
-sFlowMaximumDatagramSize <datagram size
-sFlowCollectorAddress -sFlowCollectorPort
5.2

Traffic information is sent unencrypted across the network from
sFlow Agent to the sFlow Analyzer and is thus vulnerable
eavesdropping. This risk can be limited by creating a
measurement network and routing the sFlow Datagrams over
network. The choice of technology for creating the
measurement network is deployment specific, but could include the
of VLANs or VPN tunnels

The sFlow Analyzer is vulnerable to attacks involving spoofed
Datagrams. To limit this vulnerability the sFlow Analyzer
check sequence numbers and verify source addresses. If a
measurement network has been constructed then only sFlow
received from that network should be processed

5.3

Traffic information can reveal confidential information
individual network users. The degree of visibility of
level data can be controlled by limiting the number of header
captured by the sFlow agent. In addition, packet sampling makes
virtually impossible to capture sequences of packets from
individual transaction

The traffic patterns discernible by decoding the sFlow Datagrams
the sFlow Analyzer can reveal details of an individual's
related activities and due care should be taken to secure access
the sFlow Analyzer

6.

[1] Sun Microsystems, Inc., "XDR: External Data
Standard", RFC 1014, June 1987.

[2] Harrington, D., Presuhn, R., and B. Wijnen, "An
for Describing SNMP Management Frameworks", RFC 2571,
1999.

Phaal, et al. Informational [Page 26]

RFC 3176 InMon Corporation's sFlow September 2001

[3] Rose, M. and K. McCloghrie, "Structure and Identification
Management Information for TCP/IP-based Internets", STD 16,
1155, May 1990.

[4] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16,
RFC 1212, March 1991.

[5] Rose, M., "A Convention for Defining Traps for use with
SNMP", RFC 1215, March 1991.

[6] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose
M. and S. Waldbusser, "Structure of Management
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[7] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose
M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58,
RFC 2579, April 1999.

[8] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose
M. and S. Waldbusser, "Conformance Statements for SMIv2",
58, RFC 2580, April 1999.

[9] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "
Network Management Protocol", STD 15, RFC 1157, May 1990.

[10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser
"Introduction to Community-based SNMPv2", RFC 1901,
1996.

[11] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser
"Transport Mappings for Version 2 of the Simple
Management Protocol (SNMPv2)", RFC 1906, January 1996.

[12] Case, J., Harrington D., Presuhn R. and B. Wijnen, "
Processing and Dispatching for the Simple Network
Protocol (SNMP)", RFC 2572, April 1999.

[13] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM
for version 3 of the Simple Network Management
(SNMPv3)", RFC 2574, April 1999.

[14] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "
Operations for Version 2 of the Simple Network
Protocol (SNMPv2)", RFC 1905, January 1996.

[15] Levi, D., Meyer, P. and B. Stewart, "SNMPv3 Applications",
2573, April 1999.

Phaal, et al. Informational [Page 27]

RFC 3176 InMon Corporation's sFlow September 2001

[16] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based
Control Model (VACM) for the Simple Network Management
(SNMP)", RFC 2575, April 1999.

[17] Case, J., Mundy, R., Partain, D. and B. Stewart, "
to Version 3 of the Internet-standard Network
Framework", RFC 2570, April 1999.

[18] Waldbusser, S., "Remote Network Monitoring
Information Base", RFC 2819, May 2000.

[19] Waterman, R., Lahaye, B., Romascanu, D. and S. Waldbusser
"Remote Network Monitoring MIB Extensions for Switched
Version 1.0", RFC 2613, June 1999.

[20] Daniele, M., Haberman, B., Routhier, S. and J. Schoenwaelder
"Textual Conventions for Internet Network Addresses", RFC 2851,
June 2000.

[21] Brownlee, N., "Traffic Flow Measurement: Meter MIB", RFC 2720,
October 1999.

[22] Smith, A., Flick, J., de Graaf, K., Romanscanu, D., McMaster
D., McCloghrie, K. and S. Roberts, "Definition of
Objects for IEEE 802.3 Medium Attachment Units (MAUs)",
2668, August 1999.

[23] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
using SMIv2", RFC 2233, November 1997.

[24] Flick, J. and J. Johnson, "Definition of Managed Objects
the Ethernet-like Interface Types", RFC 2358, June 1998.

[25] Case, J., "FDDI Management Information Base", RFC 1512,
September 1993.

[26] McCloghrie, K. and E. Decker, "IEEE 802.5 MIB using SMIv2",
1748, December 1994.

[27] Flick, J., "Definitions of Managed Objects for IEEE 802.12
Interfaces", RFC 2020, October 1996.

[28] Willis, S., Burruss, J. and J. Chu, "Definitions of
Objects for the Fourth Version of the Border Gateway
(BGP-4) using SMIv2", RFC 1657, July 1994.

Phaal, et al. Informational [Page 28]

RFC 3176 InMon Corporation's sFlow September 2001

7. Authors'

Peter
InMon
1404 Irving
San Francisco, CA 94122

Phone: (415) 661-6343
EMail: peter_phaal@INMON.

Sonia
InMon
1404 Irving
San Francisco, CA 94122

Phone: (415) 661-6343
EMail: sonia_panchen@INMON.

Neil
InMon
1404 Irving
San Francisco, CA 94122

Phone: (415) 661-6343
EMail: neil_mckee@INMON.

Phaal, et al. Informational [Page 29]

RFC 3176 InMon Corporation's sFlow September 2001

8. Intellectual Property

The IETF takes no position regarding the validity or scope of
intellectual property or other rights that might be claimed
pertain to the implementation or use of the technology described
this document or the extent to which any license under such
might or might not be available; neither does it represent that
has made any effort to identify any such rights. Information on
IETF's procedures with respect to rights in standards-track
standards-related documentation can be found in BCP-11. Copies
claims of rights made available for publication and any assurances
licenses to be made available, or the result of an attempt made
obtain a general license or permission for the use of
proprietary rights by implementors or users of this specification
be obtained from the IETF Secretariat

The IETF invites any interested party to bring to its attention
copyrights, patents or patent applications, or other
rights which may cover technology that may be required to
this standard. Please address the information to the IETF
Director

Phaal, et al. Informational [Page 30]

RFC 3176 InMon Corporation's sFlow September 2001

9. Full Copyright

Copyright (C) The Internet Society (2001). All Rights Reserved

This document and translations of it may be copied and furnished
others, and derivative works that comment on or otherwise explain
or assist in its implementation may be prepared, copied,
and distributed, in whole or in part, without restriction of
kind, provided that the above copyright notice and this paragraph
included on all such copies and derivative works. However,
document itself may not be modified in any way, such as by
the copyright notice or references to the Internet Society or
Internet organizations, except as needed for the purpose
developing Internet standards in which case the procedures
copyrights defined in the Internet Standards process must
followed, or as required to translate it into languages other
English

The limited permissions granted above are perpetual and will not
revoked by the Internet Society or its successors or assigns

This document and the information contained herein is provided on
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE

Funding for the RFC Editor function is currently provided by
Internet Society

Phaal, et al. Informational [Page 31]

if you see any problems within the linking, don't worry be happy,
this is version 0.1 of the Relevance System and you gotta expect some crappy subroutines sometimes,
just be content we did not write this in Java, which would have made this "bigger and better" HAHAHHA.

RFC documents can be found at I.E.T.F.

Relevance System Copyright © 2002 Spectrum WorldResearch
other technical nosh by ServerMasters Corporation
collaboration of BobX