sFlow and its Applications for Network Monitoring
What is sFlow?
sFlow is a multi-vendor packet sampling technology built into many network switches and routers. It continuously samples traffic (typically 1 packet in N) at wire speed on every sFlow-capable interface of a device, simultaneously and in real time, and exports the samples to a central collector. Because it works on sampled packets rather than full capture, it scales to very large networks and gives statistical visibility into network usage, active paths and certain classes of network threats.
Components of sFlow:
sFlow consists of two elements: the sFlow agent and the sFlow collector.
sFlow agent: Software running on the network device (switch or router) that combines periodically read interface counters and packet flow samples into sFlow datagrams (UDP, port 6343 by default) and sends them to a central sFlow collector. Each flow sample carries the first bytes of the sampled packet together with the forwarding state associated with it (input and output interface, and where the device supports it, the routing/forwarding table entry, next hop, VLAN and MPLS information). The packet sampling itself is performed in the switch/router ASIC, so it runs at wire speed without affecting forwarding.
sFlow collector: Software on a central server that receives and analyses the sFlow datagrams sent by many agents. A single sFlow collector can monitor and present a consolidated view of a network of thousands of switches. Because it sees samples rather than every packet, the collector performs statistical analysis (scaling sampled counts by the sampling rate) to build a network-wide view covering both traffic analysis and basic security monitoring.
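To make the datagram structure concrete, the following Python is a minimal parser for sFlow v5 datagrams. It is an example added to this article, not code from the article or from any vendor's agent or collector. It decodes the datagram header, a flow sample with its raw packet header record, and a counter sample with generic interface counters, then builds a constructed datagram to parse; the agent address 10.0.0.1, the sampled 10.0.0.5 to 192.0.2.10 TCP SYN, the 1-in-256 sampling rate and all function names are assumptions made for the example. Field layouts follow the sFlow v5 specification.

```python
"""Minimal sFlow v5 datagram parser (added example, not the article's code).
Decodes the datagram header, flow samples carrying a raw packet header record, and
counter samples carrying generic interface counters; other formats are skipped by
length. Layouts follow the sFlow v5 spec; the datagram built at the bottom is
constructed for demonstration with hypothetical addresses."""
import struct

# Generic interface counters record (enterprise 0, format 1): 19 fields, 88 bytes.
IF_COUNTER_FIELDS = ("if_index", "if_type", "if_speed", "if_direction", "if_status",
                     "in_octets", "in_ucast", "in_mcast", "in_bcast", "in_discards",
                     "in_errors", "in_unknown_protos", "out_octets", "out_ucast",
                     "out_mcast", "out_bcast", "out_discards", "out_errors", "promiscuous")
IF_COUNTER_FMT = "!IIQIIQIIIIIIQIIIIII"

def _ipv4(b):
    return ".".join(str(x) for x in b)

def _records(body, off, nrec):
    """Yield (format, data) for nrec consecutive (format, length, data) records."""
    for _ in range(nrec):
        fmt, rlen = struct.unpack_from("!II", body, off)
        yield fmt, body[off + 8:off + 8 + rlen]
        off += 8 + rlen

def parse_raw_header(data):
    """Raw packet header record: Ethernet (+802.1Q) / IPv4 / TCP or UDP fields."""
    header_protocol, frame_length, _stripped, header_length = struct.unpack_from("!IIII", data, 0)
    hdr = data[16:16 + header_length]
    rec = {"frame_length": frame_length}            # full length on the wire, FCS included
    if header_protocol != 1 or len(hdr) < 14:       # 1 = Ethernet
        return rec
    rec["dst_mac"], rec["src_mac"] = hdr[0:6].hex(":"), hdr[6:12].hex(":")
    ethertype, off = struct.unpack_from("!H", hdr, 12)[0], 14
    if ethertype == 0x8100 and len(hdr) >= 18:      # 802.1Q tag
        rec["vlan"] = struct.unpack_from("!H", hdr, 14)[0] & 0x0FFF
        ethertype, off = struct.unpack_from("!H", hdr, 16)[0], 18
    if ethertype != 0x0800 or len(hdr) < off + 20:  # IPv4 only in this example
        return rec
    ihl = (hdr[off] & 0x0F) * 4
    rec["ttl"], rec["proto"] = hdr[off + 8], hdr[off + 9]
    rec["src_ip"], rec["dst_ip"] = _ipv4(hdr[off + 12:off + 16]), _ipv4(hdr[off + 16:off + 20])
    l4 = off + ihl
    if rec["proto"] in (6, 17) and len(hdr) >= l4 + 4:
        rec["src_port"], rec["dst_port"] = struct.unpack_from("!HH", hdr, l4)
    if rec["proto"] == 6 and len(hdr) >= l4 + 14:
        rec["tcp_flags"] = hdr[l4 + 13]
    return rec

def parse_flow_sample(body):
    seq, source_id, rate, pool, drops, in_if, out_if, nrec = struct.unpack_from("!8I", body, 0)
    return {"sequence": seq, "source_index": source_id & 0xFFFFFF, "sampling_rate": rate,
            "sample_pool": pool, "drops": drops, "input_if": in_if, "output_if": out_if,
            "records": [parse_raw_header(d) for f, d in _records(body, 32, nrec) if f == 1]}

def parse_counter_sample(body):
    seq, source_id, nrec = struct.unpack_from("!3I", body, 0)
    return {"sequence": seq, "source_index": source_id & 0xFFFFFF,
            "records": [dict(zip(IF_COUNTER_FIELDS, struct.unpack_from(IF_COUNTER_FMT, d, 0)))
                        for f, d in _records(body, 12, nrec) if f == 1 and len(d) >= 88]}

def parse_datagram(buf):
    version, addr_type = struct.unpack_from("!II", buf, 0)
    if version != 5:
        raise ValueError("only sFlow v5 is handled")
    if addr_type == 1:
        agent, off = _ipv4(buf[8:12]), 12
    elif addr_type == 2:
        agent, off = buf[8:24].hex(), 24
    else:
        raise ValueError("unknown agent address type %d" % addr_type)
    sub_agent, seq, uptime, nsamples = struct.unpack_from("!4I", buf, off)
    dg = {"agent": agent, "sub_agent": sub_agent, "sequence": seq, "uptime_ms": uptime,
          "flows": [], "counters": []}
    # sample type = enterprise << 12 | format; with enterprise 0: 1 = flow, 2 = counters
    for stype, body in _records(buf, off + 16, nsamples):
        if stype == 1:
            dg["flows"].append(parse_flow_sample(body))
        elif stype == 2:
            dg["counters"].append(parse_counter_sample(body))
    return dg

def build_sample_datagram():
    """Constructed datagram: one sampled TCP SYN (1-in-256) and one counter sample."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 5, 192, 0, 2, 10])
    tcp = struct.pack("!HHIIBBHHH", 44321, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)   # SYN to port 22
    frame = eth + ip + tcp
    # raw header record: protocol 1 (Ethernet), frame_length incl. 4-byte FCS, stripped=4
    raw = struct.pack("!IIII", 1, len(frame) + 4, 4, len(frame)) + frame + b"\0" * (-len(frame) % 4)
    flow = struct.pack("!8I", 1, 5, 256, 256000, 0, 5, 7, 1) + struct.pack("!II", 1, len(raw)) + raw
    ctr = struct.pack(IF_COUNTER_FMT, 5, 6, 10**9, 1, 3, 123456789, 1000, 10, 5, 0, 0, 0,
                      987654321, 900, 8, 4, 7, 2, 0)
    counter = struct.pack("!3I", 42, 5, 1) + struct.pack("!II", 1, len(ctr)) + ctr
    header = struct.pack("!II", 5, 1) + bytes([10, 0, 0, 1]) + struct.pack("!4I", 0, 17, 360000, 2)
    return header + struct.pack("!II", 1, len(flow)) + flow + struct.pack("!II", 2, len(counter)) + counter

def estimated_bytes(flow_sample):
    """Bytes on the wire this flow sample stands for: frame length x sampling rate."""
    return sum(r["frame_length"] * flow_sample["sampling_rate"] for r in flow_sample["records"])
```

`parse_datagram(build_sample_datagram())` returns the agent address, one flow sample whose record carries the MACs, IPs, ports, TTL and TCP flags of the sampled SYN, and one counter sample with the interface's octet, discard and error counters. Note that `frame_length` is the original wire length, not the number of header bytes exported, which is why the collector multiplies it by `sampling_rate` when estimating traffic volume.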
Applications of sFlow technology:
¤ sFlow enables monitoring of link and path attributes (VLAN, MPLS labels, next hop, etc.), which can answer questions such as ‘Who is sending traffic in a specific VLAN?’, ‘Is video traffic getting the correct priority value?’ and ‘Which links carry voice traffic?’.
¤ It allows network traffic to be monitored to identify bottlenecks for specific applications (VoIP traffic, for example).
¤ sFlow helps identify the sources of congestion in the network, such as excessive broadcast traffic from a particular host or VLAN, or IP multicast traffic, which can affect all or part of a network.
¤ The traffic sampled during switching and routing is assembled by the collector into detailed real-time and historical traffic flows across the network.
¤ The interface counters sFlow exports (discards and errors per interface) give a packet-loss view that helps maintain quality of service (QoS); sFlow does not measure jitter directly.
¤ sFlow enables usage accounting. It helps identify the amount of network service used by individual hosts, groups or departments for accounting and billing purposes.
¤ It helps identify the top ‘n’ traffic-generating hosts, applications, etc.
¤ sFlow can measure how often events of interest occur, which supports SLA monitoring.
¤ The network traffic profile can be broken down by a number of parameters (for example, which host sent traffic, using which protocol, over which link).
¤ Counter polling is done by the sFlow agent, which periodically exports a set of counters for each interface of a managed switch (for example), so the collector can track link utilization, packet rates, errors, discards, etc. without SNMP polling each device.
¤ The packet header and switching/routing information permit detailed analysis of L2-L7 traffic flows.
¤ Each flow sample carries the first bytes of the sampled packet (typically 128 bytes), which include the host MAC addresses, VLAN and MPLS tags, IP TTL values, TCP header flags and option fields, and the start of the payload, all of which can be used for further analysis of vital network parameters.
¤ sFlow can help detect DoS and DDoS attacks, port scans (including the scanning done by worms), system infiltration and unauthorised usage, because these show up as changes in traffic volume, packet rates or the spread of destination addresses and ports.
¤ sFlow can aid in the identification of compromised or infected hosts in the network.
¤ It can also give information on the presence of unauthorised wireless access points or routers in the network.
¤ Abnormal traffic patterns are visible with sufficient detail to enable rapid detection and identification of network problems.
¤ sFlow can also help identify user policy violations, such as the use of P2P applications in the network.
¤ sFlow can help identify identity-based exploits such as repeated failed log-in attempts and TCP hijacking, and the exported headers allow some signature-based detection. The limitation to keep in mind is that only 1 in N packets is sampled and only the first bytes of each sampled packet are exported, so a single event such as one failed login or a signature deep in a payload is seen only by chance; sFlow is strongest on volumetric and behavioural anomalies and complements, rather than replaces, host logs and full packet capture.
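As an added example (not from the article), the following Python runs three of the checks listed above over constructed flow-sample records shaped like a collector's parsed output: estimated top talkers scaled by the sampling rate, port-scan detection from SYN-only samples, and the probability that a scan of a given size is seen at all under 1-in-N sampling. The addresses, ports, the 1:256 sampling rate and the function names are hypothetical.

```python
"""Detection heuristics over sFlow flow-sample records (added example).
Input is a list of dicts, one per sampled packet: 5-tuple, tcp_flags, frame_length
and the sampling_rate in force on the interface. Because sFlow exports 1-in-N
samples, byte and packet totals are estimates (count * N), and a scanner sending
one packet per port is seen only with probability 1/N per packet, so thresholds
apply to sampled counts and detection is probabilistic."""
from collections import defaultdict
from math import comb

SYN, ACK = 0x02, 0x10

def estimate_top_talkers(records, n=3):
    """Estimated bytes per source IP: each sample stands for sampling_rate packets."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src_ip"]] += r["frame_length"] * r["sampling_rate"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def find_port_scanners(records, min_ports=8):
    """Sources whose sampled SYN-only packets hit many distinct destination ports.
    SYN-ACK replies carry ACK and are excluded, so a server answering a scanner
    is not itself flagged."""
    ports = defaultdict(set)
    for r in records:
        if r.get("proto") == 6 and r.get("tcp_flags", 0) & (SYN | ACK) == SYN:
            ports[r["src_ip"]].add(r["dst_port"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}

def detection_probability(probes, sampling_rate, min_samples=1):
    """P(at least min_samples of `probes` packets get sampled) at 1-in-N sampling.
    Binomial(probes, 1/N): a 1000-probe scan at 1:256 is almost always seen,
    a 10-probe one rarely. Use it to size min_ports against the scans you care about."""
    p = 1.0 / sampling_rate
    miss = sum(comb(probes, k) * p ** k * (1 - p) ** (probes - k) for k in range(min_samples))
    return 1.0 - miss

def _rec(src, dst, dport, flags, length=60, rate=256):
    return {"src_ip": src, "dst_ip": dst, "proto": 6, "dst_port": dport,
            "tcp_flags": flags, "frame_length": length, "sampling_rate": rate}

# Constructed sample records (hypothetical addresses), as a collector might hold them.
SAMPLE_RECORDS = (
    [_rec("10.0.0.99", "192.0.2.10", p, SYN)                        # scanner: SYN to 10 ports
     for p in (21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080)]
    + [_rec("10.0.0.5", "192.0.2.20", 443, ACK, length=1500)] * 40  # bulk HTTPS transfer
    + [_rec("192.0.2.10", "10.0.0.99", 44321, SYN | ACK)] * 3        # server's SYN-ACK replies
)

if __name__ == "__main__":
    print("top talkers (est. bytes):", estimate_top_talkers(SAMPLE_RECORDS))
    print("port scanners:", find_port_scanners(SAMPLE_RECORDS))
    print("P(>=1 sample of a 1000-probe scan at 1:256):", round(detection_probability(1000, 256), 3))
```

On the constructed records the bulk transfer from 10.0.0.5 dominates the top-talker estimate, 10.0.0.99 is reported as a scanner with 10 distinct ports, and the server that answered it is not. The `detection_probability` figures are the caveat in numbers: at 1:256 a 1000-port scan is sampled at least once about 98% of the time, while an 8-port scan is seen about 3% of the time, which is why small, slow scans need host logs or full capture rather than sFlow.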
excITingIP.com
Related reading: Advantages and Disadvantages of using sFlow for Network Monitoring.
Please consider Scrutinizer for sFlow Analysis and reporting:
http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php