• United States
by Sonia Panchen and Adam Stein, special to Network World

Proposed standard helps ease traffic burden

Sep 22, 20034 mins

SFlow lets administrators reliably and statistically measure their networks’ performance and traffic impact of all connected applications, users, servers, switches, routers and storage switches.

IT managers need visibility into the traffic flowing through their networks. Without this insight, they rely heavily on guesswork for performance problem resolution and capacity planning. Legacy measurement tools are also usually prohibitively expensive, lack scalability to today’s gigabit speeds, drain network hardware productivity, and increase software and hardware ownership costs.

A new IETF draft standard, RFC 3176, addresses all these limitations to traditional traffic monitoring and forensic network analysis through network packet sampling. The informational RFC also is marketed under the name “sFlow” by the industry trade organization

RFC 3176 lets administrators reliably and statistically measure their networks’ performance and traffic impact of all connected applications, users, servers, switches, routers and storage switches. SFlow monitors and proactively helps administrators adjust network traffic patterns in complex enterprise, metropolitan service provider and high-performance computing environments with thousands of nodes and significant bandwidth requirements.

Instead of deploying cost-prohibitive probes throughout the network, the sFlow agent is embedded in the network switch or router ASIC and samples the network traffic. The sFlow management information base controls the sFlow agent, which captures, formats and forwards the packet samples to a central RFC 3176 data collector creating a datagram. By statistically sampling network traffic, network administrators gain a system-wide view of the traffic, network security and application traffic sources throughout the network.

With typical data gathering, RFC 3176 doesn’t add significant network load, which is in contrast to software-based proprietary vendor approaches to traffic monitoring. The only sFlow packet sampling work done in software on the device is a few simple lookups, marshalling data into a datagram and queuing the datagram for transmission.

Datagram delivery

When a packet is sampled, its header is extracted and placed into an sFlow datagram or detailed map of the packet’s network journey, which includes header, I/O source, destination and interface statistics. This datagram then is sent immediately to the sFlow Collection Server, a central data collector and analyzer.

One collection server can gather datagrams from more than 20,000 switch ports, decoding the packet headers and other information to present detailed Layer 2 to Layer 7 usage statistics.

Because the datagram immediately is sent to the collection server, memory requirements are extremely small and bounded, meaning that complex memory management software is unnecessary. This lets the sampling standard be implemented in simple Layer 2 switches to high-end core routers without requiring additional memory or CPU.

A new view of the net

SFlow fundamentally changes network traffic management. Configuration and control decisions are driven from statistical, quantitative and detailed information on which applications and users are using the network and for what purpose. RFC 3176 also can help eliminate rogue traffic from entering the growing number of wireless access points or combine with FreeBSD intrusion-detection systems such as Snort to offer yet another level of traffic monitoring for keeping a network secure from edge to edge and not just in select areas.

In addition to root cause analysis, RFC 3176 is also useful for application capacity planning, viewing network-wide traffic patterns and even network security to determine past and present rogue traffic patterns. Such data gathering also provides excellent detail, including MAC layer statistics, for billing applications.

For more information about data gathering algorithms, go to, where you’ll find white papers and demonstrations of RFC 3176 illustrating traffic-monitoring and application-accounting implementations.

RFC 3176 is available in several leading vendors’ switches and routers, and there is a growing number of software applications that take advantage of sFlow’s traffic monitoring and network security enhancing capabilities.

Panchen is director of marketing at InMon, and Stein is director of corporate marketing at Foundry Networks. They can be reached at and