Real world sflow vs netflow?

Peter Phaal peter.phaal at
Mon Sep 24 14:39:26 UTC 2012

On Mon, Sep 24, 2012 at 5:48 AM, Joe Loiacono <jloiacon at> wrote:
> Peter Phaal <peter.phaal at> wrote on 09/23/2012 12:23:57 PM:
>> Exporting packet oriented measurements doesn't mean that you have to
>> lose ingress/egress interface data. In the specific example being
>> discussed (sFlow export), detailed forwarding information from the
>> router forwarding plane is exported with each sampled packet header
>> (full AS-path if you are using BGP).
> Wrt AS-path, I don't get how this happens. Since this is important to this
> community, could you explain?

Sure. I think it's worth discussing in some detail since this is
relevant to the NANOG community and it is important to understand how
it works.

When a switch/router decides to sample a packet it records the
ingress/egress interfaces and accumulates information about how it
decided to forward the packet by examining its FIB tables. Each packet
may take a different path, some may be switched at layer 2, others may
be forwarded based on a local routing protocol like OSPF, and still
others may be forwarded based on BGP.

The forwarding data associated with each packet is irregular (e.g. a
switched packet won't have BGP information), and so sFlow doesn't try
to flatten it into tables, but instead encodes the data using XDR (RFC
1832), expressing each element of the forwarding decision as a tag,
length, value encoded structure that contains attributes relevant to
each type of forwarding decision. The AS-Path itself is a fairly
complicated, variable length structure and again, this is encoded as

These are all optional fields in sFlow, so you should check with your
switch vendor to see which ones they support. If they don't currently
export the FIB data you are looking for, you should ask them to
upgrade their agent because as Jeroen pointed out, populating each
structure is just an extra lookup performed by the management CPU on
the router.

FYI I have seen full AS-path data exported from a busy 100G router, so
there should be no problem collecting these measurements in a
production setting.

The following extract from the sFlow version 5 specification shows
what forwarding information is exported:

/* Extended Flow Data

   Extended data types provide supplimentary information about the
   sampled packet. All applicable extended flow records should be
   included with each flow sample. */

/* Extended Switch Data */
/* opaque = flow_data; enterprise = 0; format = 1001 */
/* Note: For untagged ingress ports, use the assigned vlan and priority
         of the port for the src_vlan and src_priority values.
         For untagged egress ports, use the values for dst_vlan and
         dst_priority that would have been placed in the 802.Q tag
         had the egress port been a tagged member of the VLAN instead
         of an untagged member. */

struct extended_switch {
   unsigned int src_vlan;     /* The 802.1Q VLAN id of incoming frame */
   unsigned int src_priority; /* The 802.1p priority of incoming frame */
   unsigned int dst_vlan;     /* The 802.1Q VLAN id of outgoing frame */
   unsigned int dst_priority; /* The 802.1p priority of outgoing frame */
}

/* IP Route Next Hop
   ipForwardNextHop (RFC 2096) for IPv4 routes.
   ipv6RouteNextHop (RFC 2465) for IPv6 routes. */

typedef next_hop address;

/* Extended Router Data */
/* opaque = flow_data; enterprise = 0; format = 1002 */

struct extended_router {
   next_hop nexthop;            /* IP address of next hop router */
   unsigned int src_mask_len;   /* Source address prefix mask
                                   (expressed as number of bits) */
   unsigned int dst_mask_len;   /* Destination address prefix mask
                                   (expressed as number of bits) */
}

enum as_path_segment_type {
   AS_SET      = 1,            /* Unordered set of ASs */
   AS_SEQUENCE = 2             /* Ordered set of ASs */
}

union as_path_type (as_path_segment_type) {
   case AS_SET:
      unsigned int as_set<>;
   case AS_SEQUENCE:
      unsigned int as_sequence<>;
}

/* Extended Gateway Data */
/* opaque = flow_data; enterprise = 0; format = 1003 */

struct extended_gateway {
   next_hop nexthop;           /* Address of the border router that should
                                  be used for the destination network */
   unsigned int as;            /* Autonomous system number of router */
   unsigned int src_as;        /* Autonomous system number of source */
   unsigned int src_peer_as;   /* Autonomous system number of source peer */
   as_path_type dst_as_path<>; /* Autonomous system path to the destination */
   unsigned int communities<>; /* Communities associated with this route */
   unsigned int localpref;     /* LocalPref associated with this route */
}
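
An added example, not part of the original message or the sFlow specification: a collector-side decoder for the body of the extended_gateway record (format 1003) shown above, with length checks on every field because the bytes arrive from the network. The address encoding (type 1 = IPv4, 2 = IPv6) follows the sFlow v5 address union, which the extract does not show; Reader, MAX_ITEMS and the sample bytes are assumptions of this example.

```python
import ipaddress
import struct

AS_SET, AS_SEQUENCE = 1, 2   # as_path_segment_type values from the extract
MAX_ITEMS = 256              # assumed sanity cap on any XDR array count

class Reader:
    """Bounds-checked cursor over XDR (big-endian) bytes from an untrusted agent."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        self.pos += n
        if self.pos > len(self.buf):
            raise ValueError("truncated record")
        return self.buf[self.pos - n:self.pos]
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]
    def count(self):        # XDR array length, rejected if implausibly large
        n = self.u32()
        if n > MAX_ITEMS:
            raise ValueError("array count %d exceeds cap" % n)
        return n
    def u32_array(self):    # XDR "unsigned int x<>"
        n = self.count()
        return list(struct.unpack(">%dI" % n, self.take(4 * n)))
    def address(self):      # sFlow v5 address union: type 1 = IPv4, 2 = IPv6
        kind = self.u32()
        if kind not in (1, 2):
            raise ValueError("unsupported address type %d" % kind)
        return str(ipaddress.ip_address(self.take(4 if kind == 1 else 16)))

def parse_extended_gateway(body):
    """Decode the body of one extended_gateway record (format 1003)."""
    r = Reader(body)
    rec = {"nexthop": r.address(), "as": r.u32(), "src_as": r.u32(),
           "src_peer_as": r.u32(), "dst_as_path": []}
    for _ in range(r.count()):          # one as_path_type per segment
        seg_type = r.u32()
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown AS-path segment type %d" % seg_type)
        rec["dst_as_path"].append((seg_type, r.u32_array()))
    rec.update(communities=r.u32_array(), localpref=r.u32())
    return rec

# Constructed sample body (documentation ASNs and address), not captured traffic.
SAMPLE = (struct.pack(">I4s3I", 1, bytes([192, 0, 2, 1]), 64496, 64497, 64498)
          + struct.pack(">5I", 2, AS_SEQUENCE, 2, 64499, 64500)
          + struct.pack(">4I", AS_SET, 2, 64501, 64502)
          + struct.pack(">3I", 1, (64496 << 16) | 100, 100))
```

Calling parse_extended_gateway(SAMPLE) returns the next hop, the three AS numbers, the path as a list of (segment type, AS list) pairs, the communities and the localpref; a truncated body or an oversized array count raises ValueError instead of reading past the record.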
