sflow Why You Should Use It And Like It NANOG 39 February 04-07, 2007



Similar documents
Network traffic monitoring and management. Sonia Panchen 11 th November 2010

The Value of Flow Data for Peering Decisions

Network congestion control using NetFlow

Introduction to Netflow

NetFlow: What is it, why and how to use it? Miloš Zeković, ICmyNet Chief Customer Officer Soneco d.o.o.

Traffic Monitoring using sflow

Scalable Extraction, Aggregation, and Response to Network Intelligence

AlliedWare Plus OS How To Use sflow in a Network

Network Monitoring and Management NetFlow Overview

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

Traffic monitoring with sflow and ProCurve Manager Plus

NetFlow-Lite offers network administrators and engineers the following capabilities:

Netflow Overview. PacNOG 6 Nadi, Fiji

Flow Based Traffic Analysis

MONITORING NETWORK TRAFFIC USING sflow TECHNOLOGY ON EX SERIES ETHERNET SWITCHES

Lecture 12: Network Management Architecture

Cisco IOS Flexible NetFlow Technology

The use of SNMP and other network management tools in UNINETT. Arne Øslebø March 4, 2014

Monitoring Network Traffic Using sflow Technology on EX Series Ethernet Switches

IPv6 network management. Where and when?

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

Traffic analysis with NetFlow

Cisco IOS NetFlow Version 9 Flow-Record Format

Beyond Monitoring Root-Cause Analysis

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

and reporting Slavko Gajin

TE in action. Some problems that TE tries to solve. Concept of Traffic Engineering (TE)

IPv6 network management. 6DEPLOY. IPv6 Deployment and Support

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

Networking Fundamentals Part of the SolarWinds IT Management Educational Series

Network Management & Monitoring

Scrutinizer. Getting Started Guide. A message from Plixer International:

Appendix A Remote Network Monitoring

From NetFlow to IPFIX the evolution of IP flow information export

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

Beyond Monitoring Root-Cause Analysis

Comprehensive IP Traffic Monitoring with FTAS System

Panel 2 Self Management: Separating Facts from Fiction

Flow Analysis Versus Packet Analysis. What Should You Choose?

Monitoring high-speed networks using ntop. Luca Deri

Lab Characterizing Network Applications

Open Source in Network Administration: the ntop Project

Brocade sflow for Network Traffic Monitoring

PANDORA FMS NETWORK DEVICE MONITORING

Traffic Monitoring in a Switched Environment

Overview. Why use netflow? What is a flow? Deploying Netflow Performance Impact

AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

Get Your FIX: Flow Information export Analysis and Visualization

Agenda. sflow intro. sflow architecture. sflow config example. Summary

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

NetFlow/IPFIX Various Thoughts

TELE9752 Network Operations and Control Week 10p: Performance

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

Cisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004

PANDORA FMS NETWORK DEVICES MONITORING

IP Accounting C H A P T E R

Whitepaper. NetFlow vs. sflow: A Technical Review. plixer. International

IPv6 network management

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

NetFlow The De Facto Standard for Traffic Analytics

NetFlow v9 Export Format

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

TUTORIAL SNMP: STATUS AND APPLICATION FOR LAN/MAN MANAGEMENT. Aiko Pras

Unified network traffic monitoring for physical and VMware environments

A message from Plixer International:

How To Manage Ipv6 Networks On A Network With Ipvv6 (Ipv6) On A Pc Or Ipv4 (Ip6) (Ip V6) Or Ip V6 ( Ipv5) ( Ip V5

Enhancing Flow Based Network Monitoring

SonicOS 5.8: NetFlow Reporting

SolarWinds Certified Professional. Exam Preparation Guide

How to configure an Advanced Expert Probe as NetFlow Collector

Introduction to Cisco IOS Flexible NetFlow

Enterprise QoS. Tim Chung Google Corporate Netops Architecture Nanog 49 June 15th, 2010

Study of Network Performance Monitoring Tools-SNMP

Open Source VoIP Traffic Monitoring

UltraFlow -Cisco Netflow tools-

Practical Experience with IPFIX Flow Collectors

How To Mirror On An Ipfix On An Rspan Vlan On A Pc Or Mac Or Ipfix (Networking) On A Network On A Pnet (Netnet) On An Uniden (Netlan

Research on Errors of Utilized Bandwidth Measured by NetFlow

CAREN NOC MONITORING AND SECURITY

Flow Monitor for WhatsUp Gold v16.1 User Guide

Network Measurement. Why Measure the Network? Types of Measurement. Traffic Measurement. Packet Monitoring. Monitoring a LAN Link. ScienLfic discovery

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Network Traffic Analyzer

NetFlow Performance Analysis

Peering in Hong Kong. Che-Hoo CHENG CUHK/HKIX

NFQL: A Tool for Querying Network Flow Records [6]

Gaining Operational Efficiencies with the Enterasys S-Series

Network Management. Jaakko Kotimäki. Department of Computer Science Aalto University, School of Science. 21. maaliskuuta 2016

The ntop Project: Open Source Network Monitoring

How To Understand Network Performance Monitoring And Performance Monitoring Tools

An overview of traffic analysis using NetFlow

Transcription:

sflow Why You Should Use It And Like It NANOG 39 February 04-07, 2007 Richard A. Steenbergen nlayer Communications, Inc. <ras@nlayer.net>

What is sflow? sflow is a standards based protocol for exporting information about packets traveling through a router or switch, for the purpose of external data analysis. Designed by InMon Corporation in 2001. Defined (mostly) by RFC 3176. Recent versions have not been published as RFCs. Designed to be extremely flexible and extensible. Intended to replace/enhance older similar technologies: RMON NetFlow Supported by a variety of prominent network gear vendors Foundry, Extreme, Force10, etc. Notably missing: Cisco, Juniper. February XX, 2007 sflow Page 2

A Quick Recap Why Use Any *Flow? External analysis of traffic provides useful info: Protocol, port, and application statistics. DoS tracking and other security monitoring. Traffic analysis for capacity planning. Analysis of traffic over public exchange points. Implementing alternative billing methods. Layer 2 analysis can also be used by public exchange point operators to provide peer to peer traffic analysis. Several major exchange points use sflow for this today Equinix, LINX, AMS-IX, probably others. February XX, 2007 sflow Page 3

The History of Flow Export Most popular flow export protocol is NetFlow Developed by Cisco in 1996. Extended several times with new versions/features. Latest version is v9, released in 2004. sflow released in 2001 as an alternative to v5/v8. February XX, 2007 sflow Page 4

So Many Packets, So Little Time With the growth of IP traffic, it is simply not practical to look at every packet for analysis. Scaling flow export protocols to work with modern highspeed networks can be done with data consolidation. Sampling Only looking at every Nth packet, ex: 1 per 1000 pkts Original data rates can be recreated by multiplication. Reduces amount of data exported and work collecting data. Aggregation Combining multiple flow records into a single flow record with less specific information, based on a mask. Reduces data export, but increases work to collect data. For efficiency, sampling is usually the winner. February XX, 2007 sflow Page 5

The Problems With NetFlow Functions as a true flow-based system Two packets belonging to the same flow must be counted in the same record, which means state must be maintained on the router before data is exported. Flow state memory is frequently subject to resource exhaustion in core networks with many flows. Sampling is an afterthought, suffers accordingly Sample rate is not communicated via the protocol. Only one sample rate can be applied for the entire device, and this rate must be configured out of band. Support for all versions/features is often sporadic. Until v9, unable to export Layer 2 information. February XX, 2007 sflow Page 6

The Features of sflow Designed for high-speed sampling support Not actually flow-based at all, which means no flow state is maintained on the router/switch. Sample rate is communicated in-band with the packet. Different sample rates can be configured on the same host, ex: a lower rate for a 10GE card vs a 100M card. Support for flexible message formats Currently 23 types of data-bearing message formats Support for Layer 2 information export Support for MPLS and BGP route info export Support for sampling the complete first 128 bytes Support for push-based counter export February XX, 2007 sflow Page 7

More on sflow Counter Export In addition to ordinary sample data, sflow also defines support for push-based counter export. This includes data normally polled via SNMP, such as: IfIndex, iftype, ifspeed, ifstatus, ifinoctets, ifinucastpkts, ifinmulticastpkts, ifinbroadcastpkts, ifindiscards, ifinerrors, etc It turns out to be a very efficient SNMP alternative Eliminates the query portion of the process for data which you know you will always need at set intervals anyways. Eliminates the overhead of SNMP and ASN.1 encoding. This allows interfaces to be easily graphed with very high resolutions, 10-30 seconds instead of 5 minutes. Reveals very interesting traffic patterns. Can be very helpful in quickly reacting to DoS or other events. Doesn't require complex poller code or hurt your router CPU. February XX, 2007 sflow Page 8

The Problems With sflow Mostly protocol-based issues Absolutely mind-boggling header format! Extremely wasteful encoding one minute Using a 32 bit integer for values which will always be 0 4. Unnecessary complexity trying to save space the next minute Separate compact message formats which attempt to encode an unrelated 8 bit value onto the end of a field which legitimately uses a 32 bit value, if the value only uses the first 24 bits of space. Complete lack of proper TLV encoding A parser must understand *every* part of every message or it will become desynchronized within the packet. A parser can not skip over sections it does not care about, potentially leading to reduced efficiency. Fortunately these issues mostly annoy the developers, not the end users. February XX, 2007 sflow Page 9

NetFlow Fights Back V9 and IPFIX Recognizing the advantages of new features introduced by sflow, NetFlow v9 was created. Adds Flexible Fields (comparable to sflow formats) Adds Layer 2 information export capabilities Adds MPLS and BGP information export capabilities Many other major enhancements over old versions NetFlow v9 also serves as the basis for IPFIX, an IETF standardized flow export protocol. Roughly matches most sflow features. The problems: Limited commercial support, currently just Cisco. Doesn't replicate sflow push-based counters. February XX, 2007 sflow Page 10

Using sflow Many resources at http://www.sflow.org/ Free Reference Collector by InMon: http://www.inmon.com/technology/sflowtools.php sflow Protocol Specifications http://www.sflow.org/developers/specifications.php A tool developed by AMS-IX http://inserturlhere A few more items here February XX, 2007 sflow Page 11

Some even cooler tools, honest! Coinciding with this presentation, the public release of my high-speed C library, libsflow: http://libsflow.sourceforge.net/ Advantages: Extremely efficient, handles millions of samples/sec. Portable C library released under BSD license. Also comes with reference implementations: A Layer 2 MAC-to-MAC traffic analysis tool. A SNMP-alternative sflow Counter analysis tool. February XX, 2007 sflow Page 12

Thank You Name Richard Steenbergen E-mail Addresses ras@nlayer.net

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information