A little-known standard for real-time network monitoring is proving to be a valuable tool for some users of high-speed networks.
Although the IETF published the sFlow specification years ago, few vendors have implemented it. But as network traffic speeds grow to gigabit and 10-gigabit rates in some corporations, sFlow will become a more important technology for tracking network performance and providing network security, experts and users say.
sFlow, which the IETF published in 2001 as RFC 3176 (an Informational RFC rather than a standards-track document), is a technology that uses random sampling of packets on LAN and WAN links across an entire network to give users a detailed, real-time view of network traffic performance, trends and problems, according to Foundry Networks and HP. Both offer sFlow-based switches.
Typically, network monitoring is accomplished by putting a network probe device - such as a PC running probe software or an appliance - onto a segment of a network to collect data. The probe is often plugged into a mirror port on a LAN switch - a port configured to receive a copy of the traffic on one or more other ports of that switch. The probe can collect traffic only from the ports being mirrored to it.
sFlow is deployed through sFlow agents - implemented in hardware or software on the switches and routers themselves, and configured through an SNMP management information base (MIB). This allows for a broader picture of network performance, sFlow backers say; monitoring happens on every port of every sFlow-enabled switch, rather than on just the port or segment a probe is attached to. Proponents of sFlow say the technology allows for more widespread network monitoring because mirroring every port would be burdensome for both network staff and LAN bandwidth: every mirrored port needs a destination port and a probe to receive its copied traffic, so covering a whole switch this way would consume a large share of its ports and backplane capacity.
Instead of capturing and logging every packet on a switch or router port, the sFlow agent takes random samples of the packets passing through each port - typically one in every N, with N configurable - and periodically reads the port's interface counters. Each packet sample carries the first bytes of the packet (its headers), the sampling rate in force and the switch interface it was seen on; samples are packed into sFlow datagrams and sent over UDP to an sFlow collector on the network. On that box, each sample is scaled up by its sampling rate to produce a statistical estimate of the traffic on every port, broken down by the addresses, protocols and ports found in the sampled headers.
The technology behind sFlow was developed jointly by engineers at InMon, a maker of switch-monitoring software, and developers at HP and Foundry Networks. Vendors that incorporate sFlow technology in their LAN switches include HP, Foundry and Extreme Networks. Software support for sFlow is included in products such as HP OpenView, NetScout's nGenius Performance Manager and InMon Traffic Server.
At the Moffitt Cancer Center in Tampa, Fla., Foundry switches with sFlow are used to measure network performance and as a security tool.
"SFlow gives us real-time [network] statistics," on every port in the network, says David Bratt, senior technical architect at the center.
"The level of detail on traffic patterns is excellent, right down to the protocol and port level," Bratt says. "If you have someone doing something wrong on the network, you can track them down right to where their PC is plugged in," he says.
Vince Rooney, IT manager of Kingdon Capital Management, a small New York-based hedge fund that runs a large network with 15 Foundry BigIron 15000 switches, also plans to use sFlow.
"We have a lot of real-time data going through our network," Rooney says. This traffic consists mostly of trade executions that average about $10 million per trade. He says that he expects sFlow to give him a better overview of network performance.
"Right now, I use a Web-based console on the switches," he says. "Being able to look at more packets and protocol-specific information will be more advantageous to me. It will let me get a little more detail than I would normally."
In addition to providing real-time snapshots of network performance, sFlow can be used as a network security tool, some experts say.
An example is the detection of unauthorized network devices acting as network address translation (NAT) boxes. This could include a commodity NAT-enabled wireless router, says Peter Phaal, an author of the sFlow specification and an engineer at InMon. A NAT device attached to the network looks like a single legitimate end node, but it can serve as a backdoor, giving unauthorized wired or wireless users a way onto the network.
Because sFlow samples traffic on every port and each sample carries the packet's headers, an analyzer can compare the addresses and header fields seen on each port across all switches and pick out a port where one apparent end node is actually forwarding traffic for other hosts. Because each sample also records the switch and interface it was taken on, the analyzer can point to the port the NAT box is plugged into.
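As an added example (not code from the article, InMon, HP or Foundry), the following Python models what the collector described above does with the samples it receives, and then applies one NAT-spotting heuristic to them. It builds a constructed sFlow v5 datagram containing five packet samples, decodes the Ethernet/IPv4 headers carried in each raw packet header record, scales each sample by its sampling rate to estimate bytes per protocol and destination port, and flags any source address whose samples carry decremented TTL values, together with the switch interface it was seen on. The TTL rule is an assumption for illustration, not the method the article attributes to InMon: a host plugged directly into an access port sends packets with its operating system's initial TTL (64, 128 and so on), so a "host" emitting TTL 63 or 127 is forwarding packets for machines behind it. The addresses, the sampling rate of 2048 and the ifIndex values are made up.

```python
"""Collector-side sFlow v5 processing: decode packet samples, scale them to a
traffic estimate, and flag hosts that look like NAT boxes.
Added example, not the sFlow reference code; the datagram is constructed inline."""
import struct
from collections import Counter, defaultdict

ETH_IPV4 = 0x0800
INITIAL_TTLS = {32, 64, 128, 255}   # common OS default TTLs (assumed heuristic)


def ipv4(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src, dst, ttl, proto, sport, dport):
    """Constructed Ethernet/IPv4/L4 header bytes, as a switch would sample them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, proto, 0, ipv4(src), ipv4(dst))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4


def build_datagram(samples, rate=2048):
    """Pack (frame, frame_len, ifindex) tuples into one sFlow v5 datagram:
    a flow sample (type 1) per packet, each holding a raw packet header record (type 1)."""
    body = b""
    for seq, (frame, frame_len, ifindex) in enumerate(samples, 1):
        padded = frame + b"\x00" * (-len(frame) % 4)          # records are 4-byte aligned
        rec = struct.pack("!IIII", 1, frame_len, 0, len(frame)) + padded   # header_protocol 1 = Ethernet
        rec = struct.pack("!II", 1, len(rec)) + rec
        # seq, source_id (ifIndex), rate, sample_pool, drops, input, output, record count
        flow = struct.pack("!8I", seq, ifindex, rate, seq * rate, 0, ifindex, 0, 1) + rec
        body += struct.pack("!II", 1, len(flow)) + flow
    # version 5, agent address type 1 (IPv4), agent 10.0.0.1, sub-agent 0, seq 1, uptime, n
    return struct.pack("!II4sIIII", 5, 1, ipv4("10.0.0.1"), 0, 1, 123456, len(samples)) + body


def decode_ethernet_ipv4(hdr):
    """Pull TTL, protocol, addresses and L4 ports out of a sampled Ethernet/IPv4 header."""
    if len(hdr) < 34 or struct.unpack_from("!H", hdr, 12)[0] != ETH_IPV4:
        return None
    ihl = (hdr[14] & 0x0F) * 4
    ttl, proto = hdr[22], hdr[23]
    l4 = 14 + ihl
    sport = dport = None
    if proto in (6, 17) and len(hdr) >= l4 + 4:             # TCP or UDP
        sport, dport = struct.unpack_from("!HH", hdr, l4)
    return dict(src=".".join(map(str, hdr[26:30])), dst=".".join(map(str, hdr[30:34])),
                ttl=ttl, proto=proto, sport=sport, dport=dport)


def parse_datagram(data):
    """Yield one dict per raw-packet record found in an sFlow v5 datagram."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5:
        raise ValueError("only sFlow v5 is handled")
    off = 8 + (4 if addr_type == 1 else 16)                  # skip agent address
    _sub, _seq, _uptime, nsamples = struct.unpack_from("!IIII", data, off)
    off += 16
    for _ in range(nsamples):
        stype, slen = struct.unpack_from("!II", data, off)
        off += 8
        sample_end = off + slen
        if stype == 1:                                        # standard flow sample
            _seq, _src, rate, _pool, _drops, inp, _out, nrec = struct.unpack_from("!8I", data, off)
            roff = off + 32
            for _ in range(nrec):
                rtype, rlen = struct.unpack_from("!II", data, roff)
                roff += 8
                if rtype == 1:                                # raw packet header record
                    proto, frame_len, _stripped, hlen = struct.unpack_from("!IIII", data, roff)
                    pkt = decode_ethernet_ipv4(data[roff + 16:roff + 16 + hlen]) if proto == 1 else None
                    if pkt:
                        pkt.update(rate=rate, frame_len=frame_len, ifindex=inp)
                        yield pkt
                roff += rlen
        off = sample_end                                      # unknown sample types are skipped


def estimate_traffic(packets):
    """A 1-in-N sample stands for about N packets, so bytes ~= frame_len * N."""
    est = Counter()
    for p in packets:
        est[(p["proto"], p["dport"])] += p["frame_len"] * p["rate"]
    return est


def suspected_nat(packets):
    """Assumed heuristic: a host on an access port sends its OS initial TTL; decremented
    TTLs (63, 127) mean a router behind the port is forwarding for other hosts.
    Returns source IP -> (sorted TTLs seen, switch ifIndex the samples came from)."""
    seen, ports = defaultdict(set), {}
    for p in packets:
        seen[p["src"]].add(p["ttl"])
        ports[p["src"]] = p["ifindex"]
    return {ip: (sorted(t), ports[ip]) for ip, t in seen.items() if not t <= INITIAL_TTLS}


def demo():
    samples = [  # constructed: (sampled frame, on-the-wire length, switch ifIndex)
        (build_frame("10.1.1.5", "192.0.2.10", 128, 6, 50000, 443), 1514, 3),
        (build_frame("10.1.1.5", "192.0.2.20", 128, 6, 50001, 80), 600, 3),
        (build_frame("10.1.1.7", "192.0.2.10", 64, 17, 40000, 53), 90, 4),
        (build_frame("10.1.1.9", "198.51.100.1", 127, 6, 1025, 443), 1514, 7),   # Windows behind NAT
        (build_frame("10.1.1.9", "198.51.100.2", 63, 6, 1026, 22), 200, 7),      # Linux behind same NAT
    ]
    packets = list(parse_datagram(build_datagram(samples)))
    return estimate_traffic(packets), suspected_nat(packets)


if __name__ == "__main__":
    est, nat = demo()
    for (proto, port), nbytes in est.most_common():
        print(f"proto {proto} dport {port}: ~{nbytes:,} bytes")
    print("suspected NAT devices (ip -> (ttls, ifindex)):", nat)
```

With the five constructed samples the estimate for TCP port 443 comes out at two 1514-byte samples scaled by 2048, and 10.1.1.9 on ifIndex 7 is the only address reported, because its samples show both TTL 127 and TTL 63 while the other sources show untouched initial values. A real collector would also track the sequence numbers and the drops counter in each flow sample to notice lost datagrams, and would apply the same scaling per input interface rather than per protocol alone.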