Overview
sFlow (sampled Flow) is an industry-standard network monitoring technology defined in RFC 3176. Unlike NetFlow, which tracks every flow, sFlow uses statistical sampling to capture a representative subset of traffic, making it highly scalable for monitoring high-speed networks (10G, 40G, 100G+) with minimal impact on network device performance. sFlow operates by randomly sampling 1-in-N packets at the switch/router ASIC level and periodically polling interface counters, then exporting this data as UDP datagrams to a central collector.
sFlow is supported by over 30 network equipment vendors including Arista, Juniper, HP/Aruba, Dell, Mellanox, Cumulus, and many others, making it the most widely supported flow monitoring technology. It provides real-time visibility with sampling rates that can be adjusted to balance detail versus overhead. sFlow samples include full packet headers (up to 128 bytes by default), enabling deep analysis of protocols, applications, and security events. The sFlow ecosystem includes open-source collectors (sflowtool, sFlow-RT, pmacct), commercial platforms (InMon Traffic Sentinel, Kentik), and integration with tools like ntopng, Grafana, and Elasticsearch.
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install sflowtool

# From source
git clone https://github.com/sflow/sflowtool.git
cd sflowtool
./boot.sh
./configure
make
sudo make install

# Verify
sflowtool -h
```
sFlow-RT (Real-Time Analytics)
```bash
# Download sFlow-RT
wget https://inmon.com/products/sFlow-RT/sflow-rt.tar.gz
tar xzf sflow-rt.tar.gz
cd sflow-rt

# Start sFlow-RT
./start.sh

# Or with Docker
docker run -d \
  --name sflow-rt \
  -p 6343:6343/udp \
  -p 8008:8008 \
  sflow/sflow-rt
```
Host sFlow Agent (hsflowd)
```bash
# Ubuntu/Debian
sudo apt install hsflowd

# CentOS/RHEL
sudo yum install hsflowd

# Configure and start
sudo systemctl start hsflowd
sudo systemctl enable hsflowd
```
Switch/Router Configuration
Arista EOS
```
! Configure sFlow
sflow run
sflow source-interface Loopback0
sflow destination 10.0.0.100

! Set sampling rate (1 in 2048)
sflow sample 2048

! Enable on specific interfaces
interface Ethernet1
   sflow enable

! Per-interface sampling rate
interface Ethernet1
   sflow sampling 4096

! Verify
show sflow
show sflow interfaces
```
Juniper JunOS
```
! Configure sFlow
set protocols sflow collector 10.0.0.100 udp-port 6343
set protocols sflow polling-interval 20
set protocols sflow sample-rate ingress 2048
set protocols sflow source-ip 10.0.0.1

! Enable on interfaces
set protocols sflow interfaces ge-0/0/0
set protocols sflow interfaces ge-0/0/1

! Verify
show sflow
show sflow collector
show sflow interface
```
Cumulus Linux
```
# /etc/cumulus/hsflowd.conf
sflow {
  agent = eth0
  polling = 20
  sampling = 2048
  collector {
    ip = 10.0.0.100
    udpport = 6343
  }
}

# Restart service
sudo systemctl restart hsflowd
```
HP/Aruba
```
! Configure sFlow
sflow 1 destination 10.0.0.100 6343
sflow 1 polling all 20
sflow 1 sampling all 2048

! Enable sFlow
sflow 1 enable

! Verify
show sflow 1
show sflow 1 destination
```
Open vSwitch
```bash
# Configure sFlow on OVS
sudo ovs-vsctl -- --id=@s create sflow \
  agent=eth0 \
  target=\"10.0.0.100:6343\" \
  sampling=2048 \
  polling=20 \
  -- set bridge br0 sflow=@s

# Verify
sudo ovs-vsctl list sflow

# Remove sFlow
sudo ovs-vsctl remove bridge br0 sflow $(sudo ovs-vsctl get bridge br0 sflow)
```
```bash
# Receive and display sFlow data
sflowtool -p 6343

# Output in line (CSV) format
sflowtool -p 6343 -l

# Output as NetFlow v5 (convert sFlow to NetFlow)
sflowtool -p 6343 -c 127.0.0.1 -d 2055

# Output as pcap (binary tcpdump format); -t writes pcap to stdout, -r reads a pcap file
sflowtool -p 6343 -t > output.pcap

# Write pcap to a file under /var/log (rotate externally; sflowtool has no built-in rotation)
sflowtool -p 6343 -t > /var/log/sflow/capture.pcap

# Output specific fields (line format is comma-separated)
sflowtool -p 6343 -l | awk -F, '{print $1, $2, $9, $10, $11}'

# Pipe to tcpdump for analysis
sflowtool -p 6343 -t | tcpdump -r - -n

# JSON output
sflowtool -p 6343 -J
```
| Field Position | Description |
|---|---|
| 1 | Agent IP address |
| 2 | Input interface index |
| 3 | Output interface index |
| 4 | Source MAC |
| 5 | Destination MAC |
| 6 | Ethernet type |
| 7 | Source VLAN |
| 8 | Source IP |
| 9 | Destination IP |
| 10 | IP protocol |
| 11 | IP ToS |
| 12 | Source port |
| 13 | Destination port |
| 14 | TCP flags |
| 15 | Packet size |
sFlow-RT Analytics
REST API
```bash
# Base URL: http://localhost:8008

# Get agents
curl http://localhost:8008/agents/json

# Get agent metrics
curl http://localhost:8008/metric/ALL/ifinoctets/json

# Define a flow
curl -X PUT -H "Content-Type: application/json" \
  -d '{"keys":"ipsource,ipdestination","value":"bytes"}' \
  http://localhost:8008/flow/top-talkers/json

# Get flow results
curl http://localhost:8008/flow/top-talkers/json

# Define threshold alert
curl -X PUT -H "Content-Type: application/json" \
  -d '{"metric":"top-talkers","value":1000000,"byFlow":true}' \
  http://localhost:8008/threshold/high-traffic/json

# Get active thresholds
curl http://localhost:8008/threshold/json

# Get events (alerts)
curl http://localhost:8008/events/json

# Interface counters
curl http://localhost:8008/metric/ALL/ifinoctets,ifoutoctets/json

# Top N flows
curl "http://localhost:8008/flow/top-talkers/json?maxFlows=20"
```
sFlow-RT Applications
```bash
# Install sFlow-RT apps
cd sflow-rt/app

# Top Flows app
wget https://github.com/sflow-rt/top-flows/archive/master.tar.gz
tar xzf master.tar.gz

# DDoS Protect
wget https://github.com/sflow-rt/ddos-protect/archive/master.tar.gz

# Browse available apps
# http://localhost:8008/app/index.html
```
Host sFlow (hsflowd)
Configuration
```
# /etc/hsflowd.conf
sflow {
  sampling = 512
  polling = 30
  # agent takes an interface name; use agentIP = <address> for an explicit IP
  agent = eth0
  collector {
    ip = 10.0.0.100
    udpport = 6343
  }
  # Monitor Docker containers
  docker { }
  # Monitor KVM/libvirt VMs
  kvm { }
  # Dell OS10 switch module (only meaningful on OS10 switches)
  os10 { }
  # Application monitoring
  app {
    name = myapp
    sampling = 100
  }
}

# Restart after config changes
sudo systemctl restart hsflowd

# Check status
sudo systemctl status hsflowd

# View debug output
sudo hsflowd -d
```
Advanced Usage
Sampling Rate Selection
| Network Speed | Recommended Rate | Rationale |
|---|---|---|
| 100 Mbps | 1:256 | Small network, high detail |
| 1 Gbps | 1:1024 | Standard monitoring |
| 10 Gbps | 1:2048 | Balance detail and load |
| 40 Gbps | 1:4096 | High-speed links |
| 100 Gbps | 1:8192 | Very high-speed monitoring |
sFlow with Grafana
```bash
# Use sFlow-RT Prometheus exporter
# Start sFlow-RT with Prometheus app
cd sflow-rt
./start.sh -Dapp.prometheus=yes

# Prometheus scrape config
# prometheus.yml:
scrape_configs:
  - job_name: 'sflow-rt'
    static_configs:
      - targets: ['localhost:8008']
    metrics_path: '/prometheus/metrics'

# Create Grafana dashboards from sFlow metrics
```
Security Monitoring
```bash
# Detect DDoS using sFlow-RT
curl -X PUT -H "Content-Type: application/json" \
  -d '{"keys":"ipdestination","value":"frames","filter":"direction=ingress"}' \
  http://localhost:8008/flow/ddos-target/json
curl -X PUT -H "Content-Type: application/json" \
  -d '{"metric":"ddos-target","value":10000,"byFlow":true,"timeout":5}' \
  http://localhost:8008/threshold/ddos-detect/json

# Port scan detection (count distinct TCP destination ip:port pairs per source among SYN packets)
curl -X PUT -H "Content-Type: application/json" \
  -d '{"keys":"ipsource","value":"unique:ipdestination.tcpdestinationport","filter":"tcpflags=2"}' \
  http://localhost:8008/flow/port-scan/json
```
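The same threshold idea applied offline, as an added example that is not code from the page or the sFlow-RT project: it parses `sflowtool -l` FLOW lines, scales each sample by its own `sampling_rate` column (the 1-in-N factor the "Inaccurate traffic totals" troubleshooting entry refers to) to estimate true per-destination packet, byte and bare-SYN counts, and flags destinations whose estimated SYN rate exceeds a threshold. The column layout follows the sflowtool README's `-l` FLOW format; the sample lines, window and threshold are constructed.

```python
import csv
from collections import defaultdict

# Column layout of an sflowtool "-l" FLOW record, as documented in the sflowtool README.
FLOW_FIELDS = ("tag agent in_if out_if src_mac dst_mac ethertype in_vlan out_vlan "
               "src_ip dst_ip proto tos ttl sport dport tcp_flags pkt_size ip_size "
               "sampling_rate").split()
SYN_ONLY = 0x02  # TCP flags byte with only SYN set


def parse_flow_line(line):
    """Return one FLOW record as a dict; CNTR and malformed lines yield None."""
    fields = next(csv.reader([line.strip()]))
    if len(fields) != len(FLOW_FIELDS) or fields[0] != "FLOW":
        return None
    return dict(zip(FLOW_FIELDS, fields))


def aggregate(lines):
    """Per-destination estimates; every sample is scaled by its sampling_rate column."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0})
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None:
            continue
        rate = int(rec["sampling_rate"])  # 1-in-N: each sample stands for N packets
        s = stats[rec["dst_ip"]]
        s["packets"] += rate
        s["bytes"] += int(rec["pkt_size"]) * rate
        # sflowtool prints tcp_flags in hex (e.g. 0x02); protocol 6 is TCP
        if rec["proto"] == "6" and int(rec["tcp_flags"], 16) == SYN_ONLY:
            s["syn"] += rate
    return dict(stats)


def syn_flood_targets(lines, window_seconds, syn_pps_threshold):
    """Destinations whose estimated bare-SYN rate over the window exceeds the threshold."""
    return sorted(ip for ip, s in aggregate(lines).items()
                  if s["syn"] / window_seconds > syn_pps_threshold)


def constructed_samples():
    """Constructed sflowtool -l output for a 10 s window: a SYN burst toward 192.0.2.10."""
    syn = ("FLOW,10.0.0.1,1,2,001122334455,66778899aabb,0x0800,100,100,"
           "198.51.100.{n},192.0.2.10,6,0x00,64,4{n}000,443,0x02,60,46,2048")
    ack = ("FLOW,10.0.0.1,1,2,001122334455,66778899aabb,0x0800,100,100,"
           "198.51.100.50,192.0.2.20,6,0x00,64,51000,443,0x10,1514,1500,2048")
    cntr = "CNTR,10.0.0.1,1,6,10000000000,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0"
    return [syn.format(n=i) for i in range(1, 7)] + [ack, ack, cntr]
```

Feed it live data with `sflowtool -p 6343 -l` piped into the parser, and adjust the window and threshold to the sampling rate in use, since at 1:2048 a single sample already represents about two thousand packets.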
Troubleshooting
| Issue | Solution |
|---|---|
| No sFlow data arriving | Check UDP/6343 open, verify switch config |
| Inaccurate traffic totals | Adjust sampling rate, check scaling factor |
| Missing protocols in samples | Increase header bytes captured (default 128) |
| High CPU on collector | Reduce polling frequency, increase sampling |
| Counter data but no samples | Verify sampling is enabled on interfaces |
| Agent address wrong | Set explicit source-ip on switch config |
| sFlow-RT not showing flows | Check flow definition, verify agent connection |
| Docker containers not monitored | Enable Docker module in hsflowd.conf |
Diagnostic Commands
```bash
# Verify sFlow packets arriving
sudo tcpdump -i eth0 -n udp port 6343 -c 10

# Decode sFlow packets
sflowtool -p 6343 | head -50

# Check sFlow-RT agents
curl http://localhost:8008/agents/json | python3 -m json.tool

# Verify hsflowd
sudo hsflowd -d   # Debug mode
journalctl -u hsflowd -f

# Count samples per second
sflowtool -p 6343 -l | pv -l > /dev/null
```