Network Working Group                                           P. Phaal
Request for Comments: 3176                                    S. Panchen
Category: Informational                                         N. McKee
                                                             InMon Corp.
                                                          September 2001
     InMon Corporation's sFlow: A Method for Monitoring Traffic in
                      Switched and Routed Networks

Status of this Memo


This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.


Copyright Notice


Copyright (C) The Internet Society (2001). All Rights Reserved.




This memo defines InMon Coporation's sFlow system. sFlow is a technology for monitoring traffic in data networks containing switches and routers. In particular, it defines the sampling mechanisms implemented in an sFlow Agent for monitoring traffic, the sFlow MIB for controlling the sFlow Agent, and the format of sample data used by the sFlow Agent when forwarding data to a central data collector.

このメモは米国InMon COPORATIONのsFlowのシステムを定義します。 sFlowのは、スイッチやルータを含むデータネットワークのトラフィックを監視するための技術です。特に、トラフィックを監視するためのsFlowエージェントに実装されたサンプリング機構、sFlowエージェントを制御するためのsFlow MIB、および中央データ収集装置にデータを転送するときsFlowエージェントによって使用されるサンプル・データのフォーマットを定義します。

Table of Contents


   1.  Overview .....................................................  2
   2.  Sampling Mechanisms ..........................................  2
       2.1 Sampling of Switched Flows ...............................  3
           2.1.1 Distributed Switching ..............................  4
           2.1.2 Random Number Generation ...........................  4
       2.2 Sampling of Network Interface Statistics .................  4
   3.  sFlow MIB ....................................................  5
       3.1 The SNMP Management Framework ............................  5
       3.2 Definitions ..............................................  6
   4.  sFlow Datagram Format ........................................ 14
   5.  Security Considerations ...................................... 25
       5.1 Control .................................................. 26
       5.2 Transport ................................................ 26
       5.3 Confidentiality .......................................... 26
   6.  References ................................................... 27
   7.  Authors' Addresses ........................................... 29
   8.  Intellectual Property Statement .............................. 30
   9.  Full Copyright Statement ..................................... 31
1. Overview

sFlow is a technology for monitoring traffic in data networks containing switches and routers. In particular, it defines the sampling mechanisms implemented in an sFlow Agent for monitoring traffic, the sFlow MIB for controlling the sFlow Agent, and the format of sample data used by the sFlow Agent when forwarding data to a central data collector.

sFlowのは、スイッチやルータを含むデータネットワークのトラフィックを監視するための技術です。特に、トラフィックを監視するためのsFlowエージェントに実装されたサンプリング機構、sFlowエージェントを制御するためのsFlow MIB、および中央データ収集装置にデータを転送するときsFlowエージェントによって使用されるサンプル・データのフォーマットを定義します。

The architecture and sampling techniques used in the sFlow monitoring system are designed to provide continuous site-wide (and network-wide) traffic monitoring for high speed switched and routed networks.


The design specifically addresses issues associated with:


o Accurately monitoring network traffic at Gigabit speeds and higher.


o Scaling to manage tens of thousands of agents from a single point.


o Extremely low cost agent implementation.


The sFlow monitoring system consists of an sFlow Agent (embedded in a switch or router or in a stand alone probe) and a central data collector, or sFlow Analyzer.


The sFlow Agent uses sampling technology to capture traffic statistics from the device it is monitoring. sFlow Datagrams are used to immediately forward the sampled traffic statistics to an sFlow Analyzer for analysis.

sFlowエージェントは、それが監視しているデバイスからのトラフィックの統計情報をキャプチャするサンプリング技術を使用しています。 sFlowのデータグラムをすぐに分析するためのsFlowアナライザにサンプリングされたトラフィックの統計情報を転送するために使用されています。

This document describes the sampling mechanisms used by the sFlow Agent, the SFLOW MIB used by the sFlow Analyzer to control the sFlow Agent, and the sFlow Datagram Format used by the sFlow Agent to send traffic data to the sFlow Analyzer.

この文書では、sFlowのアナライザにトラフィックデータを送信するためにsFlowエージェント、sFlowエージェントを制御するためのsFlowアナライザが使用するSFLOW MIB、およびsFlowエージェントによって使用されるのsFlowデータグラムフォーマットで使用されるサンプリングメカニズムについて説明します。

2. Sampling Mechanisms

The sFlow Agent uses two forms of sampling: statistical packet-based sampling of switched flows, and time-based sampling of network interface statistics.


2.1 Sampling of Switched Flows

A flow is defined as all the packets that are received on one interface, enter the Switching/Routing Module and are sent to another interface. In the case of a one-armed router, the source and destination interface could be the same. In the case of a broadcast or multicast packet there may be multiple destination interfaces. The sampling mechanism must ensure that any packet involved in a flow has an equal chance of being sampled, irrespective of the flow to which it belongs.


Sampling flows is accomplished as follows: When a packet arrives on an interface, a filtering decision is made that determines whether the packet should be dropped. If the packet is not filtered a destination interface is assigned by the switching/routing function. At this point a decision is made on whether or not to sample the packet. The mechanism involves a counter that is decremented with each packet. When the counter reaches zero a sample is taken. Whether or not a sample is taken, the counter Total_Packets is incremented. Total_Packets is a count of all the packets that could have been sampled.

パケットがインターフェイスに到着すると、フィルタリングの決定は、パケットが廃棄されるべきか否かを判断することなされる:サンプリングは以下のように実現されて流れます。パケットがフィルタリングされていない場合、宛先インタフェースは、スイッチング/ルーティング機能によって割り当てられます。この時点で、決定は、パケットをサンプリングするかどうかで行われます。機構は、各パケットにデクリメントされるカウンタを含みます。カウンタがゼロに達したときにサンプルが取られます。サンプルが取られているかどうかにかかわらず、カウンターTotal_Packetsがインクリメントされます。 Total_Packetsは、サンプリングされている可能性がすべてのパケットの数です。

Taking a sample involves either copying the packet's header, or extracting features from the packet (see sFlow Datagram Format for a description of the different forms of sample). Every time a sample is taken, the counter Total_Samples, is incremented. Total_Samples is a count of the number of samples generated. Samples are sent by the sampling entity to the sFlow Agent for processing. The sample includes the packet information, and the values of the Total_Packets and Total_Samples counters.

サンプルを採取する(試料の異なる形態の説明のためのsFlowデータグラムのフォーマットを参照)パケットのヘッダをコピーし、またはパケットから特徴を抽出するのいずれかを含みます。サンプルが取られるたびに、カウンタTotal_Samplesは、インクリメントされます。 Total_Samplesは、生成されたサンプル数のカウントです。サンプルは、処理のためにsFlowエージェントにサンプリングエンティティによって送信されます。サンプルは、パケット情報、およびTotal_PacketsとTotal_Samplesカウンタの値を含みます。

When a sample is taken, the counter indicating how many packets to skip before taking the next sample should be reset. The value of the counter should be set to a random integer where the sequence of random integers used over time should be such that


(1) Total_Packets/Total_Samples = Rate

(1)Total_Packets / Total_Samples =レート

An alternative strategy for packet sampling is to generate a random number for each packet, compare the random number to a preset threshold and take a sample whenever the random number is smaller than the threshold value. Calculation of an appropriate threshold value depends on the characteristics of the random number generator, however, the resulting sample stream must still satisfy (1).


2.1.1 Distributed Switching

The SFLOW MIB permits separate sampling entities to be associated with different physical or logical elements of the switch (such as interfaces, backplanes or VLANs). Each sampling engine has its own independent state (i.e., Total_Packets, Total_Samples, Skip and Rate), and forwards its own sample messages to the sFlow Agent. The sFlow Agent is responsible for packaging the samples into datagrams for transmission to an sFlow Analyzer.

SFLOW MIBは、(インターフェース、バックプレーンまたはVLANなど)スイッチの異なる物理的または論理的要素に関連する別のサンプリング・エンティティを可能にします。各サンプリングエンジンは、独自の独立した状態(すなわち、Total_Packets、Total_Samples、スキップやレート)を有し、sFlowエージェントに独自のサンプルメッセージを転送します。 sFlowエージェントは、sFlowのアナライザに伝送するためのデータグラムにサンプルをパッケージングするための責任があります。

2.1.2 Random Number Generation

The essential property of the random number generator is that the mean value of the numbers it generates converges to the required sampling rate.


A uniform distribution random number generator is very effective. The range of skip counts (the variance) does not significantly affect results; variation of +-10% of the mean value is sufficient.


The random number generator must ensure that all numbers in the range between its maximum and minimum values of the distribution are possible; a random number generator only capable of generating even numbers, or numbers with any common divisor is unsuitable.


A new skip value is only required every time a sample is taken.


2.2 Sampling of Network Interface Statistics

The objective of the counter sampling is to efficiently, periodically poll each data source on the device and extract key statistics.


For efficiency and scalability reasons, the sFlow System implements counter polling in the sFlow Agent. A maximum polling interval is assigned to the agent, but the agent is free to schedule polling in order maximize internal efficiency.


Flow sampling and counter sampling are designed as part of an integrated system. Both types of samples are combined in sFlow Datagrams. Since flow sampling will cause a steady, but random, stream of datagrams to be sent to the sFlow Analyzer, counter samples may be taken opportunistically in order to fill these datagrams.


One strategy for counter sampling has the sFlow Agent keep a list of counter sources being sampled. When a flow sample is generated the sFlow Agent examines the list and adds counters to the sample datagram, least recently sampled first. Counters are only added to the datagram if the sources are within a short period, 5 seconds say, of failing to meet the required sampling interval (see sFlowCounterSamplingInterval in SFLOW MIB). Whenever a counter source's statistics are added to a sample datagram, the time the counter source was last sampled is updated and the counter source is placed at the end of the list. Periodically, say every second, the sFlow Agent examines the list of counter sources and sends any counters that need to be sent to meet the sampling interval requirement.

カウンターサンプリングのための1つの戦略は、sFlowエージェントがサンプリングされるカウンタソースのリストを維持しています。フローサンプルが生成されるとsFlowエージェントはリストを調べて、最近最も最初にサンプリングされ、サンプルデータグラムにカウンタを追加します。ソースは短い期間内であればカウンターだけのデータグラムに追加され、5秒が必要なサンプリング間隔を(SFLOW MIBでsFlowCounterSamplingIntervalを参照)を満たしていないの、と言います。カウンタソースの統計がサンプルデータグラムに追加されたときはいつでも、カウンタソースが最後にサンプリングされた時刻が更新され、カウンタのソースがリストの最後に置かれています。定期的に、毎秒言う、sFlowエージェントは、カウンタソースのリストを調べて、サンプリング間隔の要件を満たすために送信する必要が任意のカウンタを送信します。

Alternatively, if the agent regularly schedules counter sampling, then it should schedule each counter source at a different start time (preferably randomly) so that counter sampling is not synchronized within an agent or between agents.


3. sFlow MIB
3.のsFlow MIB

The sFlow MIB defines a control interface for an sFlow Agent. This interface provides a standard mechanism for remotely controlling and configuring an sFlow Agent.

sFlow MIBは、sFlowエージェントの制御インタフェースを定義します。このインタフェースは、リモートでsFlowエージェントを制御および設定するための標準的なメカニズムを提供します。

3.1 The SNMP Management Framework
3.1 SNMP管理フレームワーク

The SNMP Management Framework presently consists of five major components:

SNMP Management Frameworkは現在、5つの主要コンポーネントから構成されています。

o An overall architecture, described in RFC 2571 [2].

RFC 2571に記載され、全体的なアーキテクチャ、O [2]。

o Mechanisms for describing and naming objects and events for the purpose of management. The first version of this Structure of Management Information (SMI) is called SMIv1 and described in STD 16,

管理の目的のためにオブジェクトとイベントを記述し、命名するためのメカニズムO。管理情報(SMI)のこの構造体の最初のバージョンは、でSMIv1と呼ばれ、STD 16に記載されています

RFC 1155 [3], STD 16, RFC 1212 [4] and RFC 1215 [5]. The second version, called SMIv2, is described in STD 58, RFC 2578 [6], STD 58, RFC 2579 [7] and STD 58, RFC 2580 [8].

RFC 1155 [3]は、STD 16、RFC 1212 [4]及びRFC 1215 [5]。 SMIv2のと呼ばれる第二のバージョン、STD 58、RFC 2578に記載されている[6]、STD 58、RFC 2579 [7]とSTD 58、RFC 2580 [8]。

o Message protocols for transferring management information. The first version of the SNMP message protocol is called SNMPv1 and described in STD 15, RFC 1157 [9]. A second version of the SNMP message protocol, which is not an Internet standards track protocol, is called SNMPv2c and described in RFC 1901 [10] and RFC 1906 [11]. The third version of the message protocol is called SNMPv3 and described in RFC 1906 [11], RFC 2572 [12] and RFC 2574 [13].

管理情報を転送するためのOメッセージプロトコル。 SNMPメッセージプロトコルの最初のバージョンは、[9]のSNMPv1と呼ばれ、STD 15、RFC 1157に記載されています。インターネット標準トラックプロトコルでないSNMPメッセージプロトコルの第2のバージョンは、SNMPv2cのと呼ばれ、RFC 1901 [10]およびRFC 1906 [11]に記載されています。メッセージプロトコルの第三のバージョンのSNMPv3と呼ばれ、RFC 1906年に記載されている[11]、RFC 2572 [12]およびRFC 2574 [13]。

o Protocol operations for accessing management information. The first set of protocol operations and associated PDU formats is described in STD 15, RFC 1157 [9]. A second set of protocol operations and associated PDU formats is described in RFC 1905 [14].

管理情報にアクセスするためのOプロトコル操作。プロトコル操作と関連PDU形式の第一セットは、STD 15、RFC 1157に記載されている[9]。プロトコル操作と関連PDU形式の第2のセットは、RFC 1905 [14]に記載されています。

o A set of fundamental applications described in RFC 2573 [15] and the view-based access control mechanism described in RFC 2575 [16].

O RFC 2573 [15]とビューベースアクセス制御メカニズムに記載の基本的なアプリケーションのセットは、RFC 2575 [16]に記載します。

A more detailed introduction to the current SNMP Management Framework can be found in RFC 2570 [17].

現在のSNMP Management Frameworkへの、より詳細な紹介は、RFC 2570 [17]に記載されています。

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the mechanisms defined in the SMI.

管理対象オブジェクトが仮想情報店を介してアクセスされ、管理情報ベースまたはMIBと呼ばれます。 MIBのオブジェクトは、SMIで定義されたメカニズムを使用して定義されています。

This memo specifies a MIB module that is compliant to the SMIv2. A MIB conforming to the SMIv1 can be produced through the appropriate translations. The resulting translated MIB must be semantically equivalent, except where objects or events are omitted because no translation is possible (use of Counter64). Some machine readable information in SMIv2 will be converted into textual descriptions in SMIv1 during the translation process. However, this loss of machine readable information is not considered to change the semantics of the MIB.

このメモはSMIv2に対応であるMIBモジュールを指定します。 SMIv1に従うMIBは、適切な翻訳を介して製造することができます。得られた翻訳されたMIBには翻訳(Counter64のの使用)が可能ではないので、オブジェクトまたはイベントが省略されている場合を除いて、意味的に等価でなければなりません。 SMIv2のいくつかの機械読み取り可能な情報には、翻訳プロセスの間、SMIv1の原文の記述に変換されます。しかし、機械読み取り可能な情報のこの損失がMIBの意味論を変えると考えられません。

3.2 Definitions






sFlowMIBのMODULE-IDENTITY LAST-UPDATED "200105150000Z" - 2001年5月15日ORGANIZATION "米国InMon社"連絡先情報

         "Peter Phaal
          InMon Corp.


Tel: +1-415-661-6343 Email:" DESCRIPTION "The MIB module for managing the generation and transportation of sFlow data records."

電話:+ 1-415-661-6343 Eメール」DESCRIPTION 『のsFlowデータレコードの生成と輸送を管理するためのMIBモジュール』。

-- -- Revision History -- REVISION "200105150000Z" -- May 15, 2001 DESCRIPTION "Version 1.2

- - 改訂履歴 - REVISION "200105150000Z" - 2001年5月15日DESCRIPTION「バージョン1.2

Brings MIB into SMI v2 compliance."

SMI v2の遵守にMIBをもたらします。」

REVISION "200105010000Z" -- May 1, 2001 DESCRIPTION "Version 1.1

REVISION "200105010000Z" - 2001年5月1日DESCRIPTION「バージョン1.1

            Adds sFlowDatagramVersion."
  ::= { enterprises 4300 1 }
sFlowAgent OBJECT IDENTIFIER ::= { sFlowMIB 1 }

sFlowVersion OBJECT-TYPE SYNTAX SnmpAdminString MAX-ACCESS read-only STATUS current DESCRIPTION "Uniquely identifies the version and implementation of this MIB. The version string must have the following structure: <MIB Version>;<Organization>;<Software Revision> where: <MIB Version> must be '1.2', the version of this MIB. <Organization> the name of the organization responsible for the agent implementation. <Revision> the specific software build of this agent.

sFlowVersionのOBJECT-TYPE SYNTAXれるSnmpAdminString MAX-ACCESS read-onlyステータス現在の説明は「ユニークなこのMIBのバージョンと実装を特定バージョン文字列は、次のような構造を持っている必要があります。<MIBバージョン>。<組織>、<ソフトウェアリビジョン>ここで、 <MIBバージョン>「1.2」、このMIBのバージョンである必要があります。<組織>エージェント実装を担当する組織の名前。<リビジョン>このエージェントの特定のソフトウェアのビルド。

        As an example, the string '1.2;InMon Corp.;2.1.1' indicates
        that this agent implements version '1.2' of the SFLOW MIB, that
        it was developed by 'InMon Corp.' and that the software build
        is '2.1.1'.

The MIB Version will change with each revision of the SFLOW




Management entities must check the MIB Version and not attempt to manage agents with MIB Versions greater than that for which they were designed.


        Note: The sFlow Datagram Format has an independent version
              number which may change independently from <MIB Version>.
              <MIB Version> applies to the structure and semantics of
              the SFLOW MIB only."
     DEFVAL { "1.2;;" }
     ::= { sFlowAgent 1 }
sFlowAgentAddressType OBJECT-TYPE
     SYNTAX      InetAddressType
     MAX-ACCESS  read-only
     STATUS      current
       "The address type of the address associated with this agent.
        Only ipv4 and ipv6 types are supported."
     ::= { sFlowAgent 2 }
sFlowAgentAddress OBJECT-TYPE
     SYNTAX      InetAddress
     MAX-ACCESS  read-only
     STATUS      current
       "The IP address associated with this agent.  In the case of a
        multi-homed agent, this should be the loopback address of the
        agent.  The sFlowAgent address must provide SNMP connectivity
        to the agent.  The address should be an invariant that does not
        change as interfaces are reconfigured, enabled, disabled,
        added or removed.  A manager should be able to use the
        sFlowAgentAddress as a unique key that will identify this
        agent over extended periods of time so that a history can
        be maintained."
    ::= { sFlowAgent 3 }
     SYNTAX      SEQUENCE OF SFlowEntry
     MAX-ACCESS  not-accessible
     STATUS      current
       "A table of the sFlow samplers within a device."
     ::= { sFlowAgent 4 }



     MAX-ACCESS  not-accessible
     STATUS      current
       "Attributes of an sFlow sampler."
     INDEX { sFlowDataSource }
     ::= { sFlowTable 1 }
SFlowEntry ::= SEQUENCE {
     sFlowDataSource               OBJECT IDENTIFIER,
     sFlowOwner                    OwnerString,
     sFlowTimeout                  Integer32,
     sFlowPacketSamplingRate       Integer32,
     sFlowCounterSamplingInterval  Integer32,
     sFlowMaximumHeaderSize        Integer32,
     sFlowMaximumDatagramSize      Integer32,
     sFlowCollectorAddressType     InetAddressType,
     sFlowCollectorAddress         InetAddress,
     sFlowCollectorPort            Integer32,
     sFlowDatagramVersion          Integer32

sFlowDataSource OBJECT-TYPE SYNTAX OBJECT IDENTIFIER MAX-ACCESS read-only STATUS current DESCRIPTION "Identifies the source of the data for the sFlow sampler. The following data source types are currently defined:

sFlowDataSource OBJECT-TYPE構文オブジェクト識別子MAX-ACCESS read-onlyステータス現在の説明は「のsFlowサンプラー用のデータのソースを識別し、次のデータ・ソース・タイプは、現在定義されています:

       - ifIndex.<I>
       DataSources of this traditional form are called 'port-based'.
       Ideally the sampling entity will perform sampling on all flows
       originating from or destined to the specified interface.
       However, if the switch architecture only permits input or
       output sampling then the sampling agent is permitted to only
       sample input flows input or output flows.  Each packet must
       only be considered once for sampling, irrespective of the
       number of ports it will be forwarded to.

Note: Port 0 is used to indicate that all ports on the device are represented by a single data source. - sFlowPacketSamplingRate applies to all ports on the device capable of packet sampling. - sFlowCounterSamplingInterval applies to all ports.

注:ポート0は、デバイス上のすべてのポートは、単一のデータソースによって表されていることを示すために使用されます。 - sFlowPacketSamplingRateは、パケットサンプリングが可能なデバイス上のすべてのポートに適用されます。 - sFlowCounterSamplingIntervalは、すべてのポートに適用されます。

- smonVlanDataSource.<V> A dataSource of this form refers to a 'Packet-based VLAN' and is called a 'VLAN-based' dataSource. <V> is the VLAN

- smonVlanDataSource <V>この形式のデータソースは、「パケット・ベースのVLAN」を意味し、「VLANベースの」データソースと呼ばれます。 <V> VLANです

ID as defined by the IEEE 802.1Q standard. The value is between 1 and 4094 inclusive, and it represents an 802.1Q VLAN-ID with global scope within a given bridged domain. Sampling is performed on all packets received that are part of the specified VLAN (no matter which port they arrived on). Each packet will only be considered once for sampling, irrespective of the number of ports it will be forwarded to.

IEEE 802.1Q標準で定義されたID。値は1〜4094包括的であり、それは与えられたブリッジドメイン内のグローバルスコープの802.1Q VLAN-IDを表します。サンプリングは、指定されたVLAN(彼らはに到着したポートにかかわらず)の一部で受信したすべてのパケットに対して実行されます。各パケットは唯一かかわらず、それが転送されるポートの数を、サンプリングのために一度とみなされます。

- entPhysicalEntry.<N> A dataSource of this form refers to a physical entity within the agent (e.g., entPhysicalClass = backplane(4)) and is called an 'entity-based' dataSource. Sampling is performed on all packets entering the resource (e.g. If the backplane is being sampled, all packets transmitted onto the backplane will be considered as single candidates for sampling irrespective of the number of ports they ultimately reach).

- 。entPhysicalEntry <N>この形式のデータソースは、薬剤(例えば、entPhysicalClassが=バックプレーン(4))と呼ばれる「エンティティ・ベースの」データソース内の物理エンティティを指します。サンプリングは、(バックプレーンがサンプリングされている場合、例えば、バックプレーンに送信されるすべてのパケットに関係なく、それらが最終的に到達するポート数のサンプリングのための単一の候補として考慮される)リソースに入るすべてのパケットに対して行われます。

       Note: Since each DataSource operates independently, a packet
             that crosses multiple DataSources may generate multiple
             flow records."
     ::= { sFlowEntry 1 }

sFlowOwner OBJECT-TYPE SYNTAX OwnerString MAX-ACCESS read-write STATUS current DESCRIPTION "The entity making use of this sFlow sampler. The empty string indicates that the sFlow sampler is currently unclaimed. An entity wishing to claim an sFlow sampler must make sure that the sampler is unclaimed before trying to claim it. The sampler is claimed by setting the owner string to identify the entity claiming the sampler. The sampler must be claimed before any changes can be made to other sampler objects.

sFlowOwnerのOBJECT-TYPE SYNTAX OwnerString MAX-ACCESS読み取りと書き込みステータス現在の説明「エンティティが、このsFlowのサンプラーを使用すること。空の文字列は、sFlowのサンプラーが現在未請求であることを示している。sFlowのサンプラーを主張したいエンティティがことを確認する必要がありますすべての変更は、他のサンプラーオブジェクトに対して行うことができる前に、サンプラーがそれを主張しようとする前に、引き取り手のないです。サンプラーサンプラーを主張するエンティティを識別するために、所有者文字列を設定することで主張されている。サンプラーを主張しなければなりません。

        In order to avoid a race condition, the entity taking control
        of the sampler must set both the owner and a value for
        sFlowTimeout in the same SNMP set request.

When a management entity is finished using the sampler, it should set its value back to unclaimed. The agent must restore all other entities this row to their default values when the owner is set to unclaimed.


        This mechanism provides no enforcement and relies on the
        cooperation of management entities in order to ensure that competition for a sampler is fairly resolved."
     DEFVAL { "" }
     ::= { sFlowEntry 2 }

sFlowTimeout OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-write STATUS current DESCRIPTION "The time (in seconds) remaining before the sampler is released and stops sampling. When set, the owner establishes control for the specified period. When read, the remaining time in the interval is returned.

サンプラーを解放し、サンプリングを停止する前に、残りのsFlowTimeout OBJECT-TYPE構文Integer32 MAX-ACCESS読み取りと書き込みステータス現在の説明「時間(秒)。セット、所有者が指定した期間のための制御を確立します。読み取り、残り時間間隔で返されます。

        A management entity wanting to maintain control of the sampler
        is responsible for setting a new value before the old one
        When the interval expires, the agent is responsible for
        restoring all other entities in this row to their default
     DEFVAL { 0 }
     ::= { sFlowEntry 3 }

sFlowPacketSamplingRate OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-write STATUS current DESCRIPTION "The statistical sampling rate for packet sampling from this source.

sFlowPacketSamplingRateのOBJECT-TYPE構文Integer32 MAX-ACCESS読み取りと書き込みステータス現在の説明「このソースからのパケットサンプリングの統計的サンプリング・レート。

        Set to N to sample 1/Nth of the packets in the monitored flows.
        An agent should choose its own algorithm introduce variance
        into the sampling so that exactly every Nth packet is not
        counted.  A sampling rate of 1 counts all packets.  A sampling
        rate of 0 disables sampling.

The agent is permitted to have minimum and maximum allowable values for the sampling rate. A minimum rate lets the agent designer set an upper bound on the overhead associated with sampling, and a maximum rate may be the result of hardware restrictions (such as counter size). In addition not all values between the maximum and minimum may be realizable as the sampling rate (again because of implementation considerations).


When the sampling rate is set the agent is free to adjust the value so that it lies between the maximum and minimum values and has the closest achievable value.


        When read, the agent must return the actual sampling rate it
        will be using (after the adjustments previously described).  The
        sampling algorithm must converge so that over time the number
        of packets sampled approaches 1/Nth of the total number of
        packets in the monitored flows."
     DEFVAL { 0 }
     ::= { sFlowEntry 4 }
sFlowCounterSamplingInterval OBJECT-TYPE
  SYNTAX      Integer32
     MAX-ACCESS  read-write
     STATUS      current
       "The maximum number of seconds between successive samples of the
        counters associated with this data source.  A sampling interval
        of 0 disables counter sampling."
     DEFVAL { 0 }
     ::= { sFlowEntry 5 }
sFlowMaximumHeaderSize OBJECT-TYPE
     SYNTAX      Integer32
     MAX-ACCESS  read-write
     STATUS      current
       "The maximum number of bytes that should be copied from a
        sampled packet.  The agent may have an internal maximum and
        minimum permissible sizes.  If an attempt is made to set this
        value outside the permissible range then the agent should
        adjust the value to the closest permissible value."
     DEFVAL { 128 }
     ::= { sFlowEntry 6 }
sFlowMaximumDatagramSize OBJECT-TYPE
     SYNTAX      Integer32
     MAX-ACCESS  read-write
     STATUS      current
        "The maximum number of data bytes that can be sent in a single
         sample datagram.  The manager should set this value to avoid
         fragmentation of the sFlow datagrams."
     DEFVAL { 1400 }
     ::= { sFlowEntry 7 }

sFlowCollectorAddressType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-write

sFlowCollectorAddressTypeのOBJECT-TYPE構文InetAddressType MAX-ACCESSの読み取りと書き込み

     STATUS      current
       "The type of sFlowCollectorAddress."
     DEFVAL { ipv4 }
     ::= { sFlowEntry 8 }
sFlowCollectorAddress OBJECT-TYPE
     SYNTAX      InetAddress
     MAX-ACCESS  read-write
     STATUS      current
       "The IP address of the sFlow collector.
        If set to all sampling is disabled."
     DEFVAL { "" }
     ::= { sFlowEntry 9 }
sFlowCollectorPort OBJECT-TYPE
     SYNTAX      Integer32
     MAX-ACCESS  read-write
     STATUS      current
       "The destination port for sFlow datagrams."
     DEFVAL { 6343 }
     ::= { sFlowEntry 10 }

sFlowDatagramVersion OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-write STATUS current DESCRIPTION "The version of sFlow datagrams that should be sent.

sFlowDatagramVersionのOBJECT-TYPE構文Integer32 MAX-ACCESS読み取りと書き込みステータス現在の説明「送られるべきであるのsFlowデータグラムのバージョン。

        When set to a value not support by the agent, the agent should
        adjust the value to the highest supported value less than the
        requested value, or return an error if no such values exist."
     DEFVAL { 4 }
     ::= { sFlowEntry 11 }

-- -- Compliance Statements --

- - コンプライアンスステートメント -

sFlowMIBConformance OBJECT IDENTIFIER ::= { sFlowMIB 2 }
sFlowMIBGroups      OBJECT IDENTIFIER ::= { sFlowMIBConformance 1 }
sFlowMIBCompliances OBJECT IDENTIFIER ::= { sFlowMIBConformance 2 }

sFlowCompliance MODULE-COMPLIANCE STATUS current

sFlowCompliance MODULE-COMPLIANCEステータス電流

       "Compliance statements for the sFlow Agent."

MODULE -- this module MANDATORY-GROUPS { sFlowAgentGroup } OBJECT sFlowAgentAddressType SYNTAX InetAddressType { ipv4(1) } DESCRIPTION "Agents need only support ipv4."

MODULE - このモジュールMANDATORY-GROUPSは{sFlowAgentGroup} OBJECT sFlowAgentAddressType構文InetAddressType {IPv4の(1)} DESCRIPTION "エージェントはIPv4のみをサポートする必要がある" と述べました。

         OBJECT sFlowCollectorAddressType
         SYNTAX InetAddressType { ipv4(1) }
           "Agents need only support ipv4."
     ::= { sFlowMIBCompliances 1 }
sFlowAgentGroup OBJECT-GROUP
     OBJECTS { sFlowVersion, sFlowAgentAddressType, sFlowAgentAddress,
               sFlowDataSource, sFlowOwner, sFlowTimeout,
               sFlowPacketSamplingRate, sFlowCounterSamplingInterval,
               sFlowMaximumHeaderSize, sFlowMaximumDatagramSize,
               sFlowCollectorAddressType, sFlowCollectorAddress,
               sFlowCollectorPort, sFlowDatagramVersion }
      STATUS current
        "A collection of objects for managing the generation and
         transportation of sFlow data records."
       ::= { sFlowMIBGroups 1 }



The sFlow MIB references definitions from a number of existing RFCs [18], [19], [20] and [21].

sFlow MIBは、既存のRFCの番号[18]、[19]、[20]及び[21]の定義を参照します。

4. sFlow Datagram Format

The sFlow datagram format specifies a standard format for the sFlow Agent to send sampled data to a remote data collector.


The format of the sFlow datagram is specified using the XDR standard [1]. XDR is more compact than ASN.1 and simpler for the sFlow Agent to encode and the sFlow Analyzer to decode.

sFlowのデータグラムのフォーマットは、XDR標準を使用して指定されている[1]。 XDRは、sFlowエージェントは、符号化するとのsFlowアナライザは、デコードするためのASN.1と簡素よりもコンパクトです。

Samples are sent as UDP packets to the host and port specified in the SFLOW MIB. The lack of reliability in the UDP transport mechanism does not significantly affect the accuracy of the measurements obtained from an sFlow Agent.

サンプルはSFLOW MIBで指定したホストとポートにUDPパケットとして送信されます。 UDPトランスポート・メカニズムの信頼性の欠如は大幅にsFlowエージェントから得られた測定値の精度に影響を与えません。

o If counter samples are lost then new values will be sent during the next polling interval. The chance of an undetected counter wrap is negligible. The sFlow datagram specifies 64 bit octet counters, and with typical counter polling intervals between 20 to 120 seconds, the chance of a long enough sequence of sFlow datagrams being lost to hide a counter wrap is very small.

カウンタサンプルが失われた場合、O、新しい値は、次のポーリング間隔の間に送信されます。検出されないカウンタラップの可能性は無視できる程度です。 sFlowデータグラムは、64ビットのオクテットカウンタを指定し、20〜120秒の間の典型的なカウンタのポーリング間隔で、sFlowの十分な長いシーケンスのチャンスはカウンターラップを隠すために失われたデータグラムは非常に小さいです。

o The net effect of lost flow samples is a slight reduction in the effective sampling rate.


The use of UDP reduces the amount of memory required to buffer data. UDP also provides a robust means of delivering timely traffic information during periods of intense traffic (such as a denial of service attack). UDP is more robust than a reliable transport mechanism because under overload the only effect on overall system performance is a slight increase in transmission delay and a greater number of lost packets, neither of which has a significant effect on an sFlow-based monitoring system. If a reliable transport mechanism were used then an overload would introduce long transmission delays and require large amounts of buffer memory on the agent.

UDPの使用は、データをバッファリングするために必要なメモリの量を減らします。 UDPは、(そのようなサービス拒否攻撃など)強烈なトラフィックの期間中にタイムリーな交通情報を提供する強力な手段を提供します。下は、システム全体のパフォーマンスにのみ影響伝送遅延のわずかな増加とのsFlowベースの監視システムに大きな影響を与えるどちらも失われたパケットのより大きな数であるが過負荷ので、UDPは、信頼性の高い搬送機構よりも堅牢です。信頼性の高い転送メカニズムを使用した場合、過負荷が長い伝送遅延を導入し、エージェントにバッファメモリを大量に必要となります。

While the sFlow Datagram structure permits multiple samples to be included in each datagram, the sampling agent must not wait for a buffer to fill with samples before sending the sample datagram. sFlow sampling is intended to provide timely information on traffic. The agent may at most delay a sample by 1 second before it is required to send the datagram.

sFlowのデータグラムの構造は、各データグラムに含まれる複数のサンプルを許可している間、サンプリング・エージェントは、サンプルデータグラムを送信する前にサンプルを埋めるために、バッファを待たないでなければなりません。 sFlowのサンプリングは、トラフィックのタイムリーな情報を提供することを意図しています。データグラムを送信するために必要とされる前に、エージェントは、せいぜい1秒でサンプルを遅らせる可能性があります。

The agent should try to piggyback counter samples on the datagram stream resulting from flow sampling. Before sending out a datagram the remaining space in the buffer can be filled with counter samples. The agent has discretion in the timing of its counter polling, the specified counter sampling intervals sFlowCounterSamplingInterval is a maximum, so the agent is free to sample counters early if it has space in a datagram. If counters must be sent in order to satisfy the maximum sampling interval then a datagram must be sent containing the outstanding counters.


The following is the XDR description of an sFlow Datagram:


/* sFlow Datagram Version 4 */
/* Revision History
   - version 4 adds support BGP communities
   - version 3 adds support for extended_url information
/* sFlow Sample types */
/* Address Types */
typedef opaque ip_v4[4];
typedef opaque ip_v6[16];

enum address_type { IP_V4 = 1, IP_V6 = 2 }

列挙address_type {IP_V4 = 1、IP_V6 = 2}

union address (address_type type) {
   case IP_V4:
   case IP_V6:
/* Packet header data */
const MAX_HEADER_SIZE = 256;   /* The maximum sampled header size. */
/* The header protocol describes the format of the sampled header */
enum header_protocol {
   ETHERNET-ISO8023     = 1,
   ISO88024-TOKENBUS    = 2,
   ISO88025-TOKENRING   = 3,
   FDDI                 = 4,
   FRAME-RELAY          = 5,
   X25                  = 6,
   PPP                  = 7,
   SMDS                 = 8,
   AAL5                 = 9,
   AAL5-IP              = 10, /* e.g., Cisco AAL5 mux */
   IPv4                 = 11,
   IPv6                 = 12,
   MPLS                 = 13
struct sampled_header {
   header_protocol protocol;       /* Format of sampled header */
   unsigned int frame_length;      /* Original length of packet before
                                      sampling */
   opaque header<MAX_HEADER_SIZE>; /* Header bytes */
/* Packet IP version 4 data */

struct sampled_ipv4 {

構造体sampled_ipv4 {

   unsigned int length;     /* The length of the IP packet excluding
                               lower layer encapsulations */
   unsigned int protocol;   /* IP Protocol type
                               (for example, TCP = 6, UDP = 17) */
   ip_v4 src_ip;            /* Source IP Address */
   ip_v4 dst_ip;            /* Destination IP Address */
   unsigned int src_port;   /* TCP/UDP source port number or
                               equivalent */
   unsigned int dst_port;   /* TCP/UDP destination port number or
                               equivalent */
   unsigned int tcp_flags;  /* TCP flags */
   unsigned int tos;        /* IP type of service */
/* Packet IP version 6 data */
struct sampled_ipv6 {
   unsigned int length;     /* The length of the IP packet excluding
                               lower layer encapsulations */
   unsigned int protocol;   /* IP next header
                               (for example, TCP = 6, UDP = 17) */
   ip_v6 src_ip;            /* Source IP Address */
   ip_v6 dst_ip;            /* Destination IP Address */
   unsigned int src_port;   /* TCP/UDP source port number or
                               equivalent */
   unsigned int dst_port;   /* TCP/UDP destination port number or
                               equivalent */
   unsigned int tcp_flags;  /* TCP flags */
   unsigned int priority;   /* IP priority */
/* Packet data */
enum packet_information_type {
   HEADER  = 1,      /* Packet headers are sampled */
   IPV4    = 2,      /* IP version 4 data */
   IPV6    = 3       /* IP version 6 data */
union packet_data_type (packet_information_type type) {
   case HEADER:
      sampled_header header;
   case IPV4:
      sampled_ipv4 ipv4;
   case IPV6:
      sampled_ipv6 ipv6;
/* Extended data types */
/* Extended switch data */
struct extended_switch {
   unsigned int src_vlan;     /* The 802.1Q VLAN id of incoming frame */
   unsigned int src_priority; /* The 802.1p priority of incoming
                                 frame */
   unsigned int dst_vlan;     /* The 802.1Q VLAN id of outgoing frame */
   unsigned int dst_priority; /* The 802.1p priority of outgoing
                                 frame */
/* Extended router data */
struct extended_router {
   address nexthop;         /* IP address of next hop router */
   unsigned int src_mask;   /* Source address prefix mask bits */
   unsigned int dst_mask;   /* Destination address prefix mask bits */
/* Extended gateway data */
enum as_path_segment_type {
   AS_SET      = 1,            /* Unordered set of ASs */
   AS_SEQUENCE = 2             /* Ordered set of ASs */
union as_path_type (as_path_segment_type) {
   case AS_SET:
      unsigned int as_set<>;
   case AS_SEQUENCE:
      unsigned int as_sequence<>;
struct extended_gateway {
   unsigned int as;            /* Autonomous system number of router */
   unsigned int src_as;        /* Autonomous system number of source */
   unsigned int src_peer_as;   /* Autonomous system number of source
                                  peer */
   as_path_type dst_as_path<>; /* Autonomous system path to the
                                  destination */
   unsigned int communities<>; /* Communities associated with this
                                  route */
   unsigned int localpref;     /* LocalPref associated with this
                                  route */
/* Extended user data */
struct extended_user {
   string src_user<>;          /* User ID associated with packet
                                  source */
   string dst_user<>;          /* User ID associated with packet
                                  destination */


/* Extended URL data */
enum url_direction {
   src    = 1,                 /* URL is associated with source
                                  address */
   dst    = 2                  /* URL is associated with destination
                                  address */
struct extended_url {
   url_direction direction;    /* URL associated with packet source */
   string url<>;               /* URL associated with the packet flow */
/* Extended data */
enum extended_information_type {
   SWITCH    = 1,      /* Extended switch information */
   ROUTER    = 2,      /* Extended router information */
   GATEWAY   = 3,      /* Extended gateway router information */
   USER      = 4,      /* Extended TACACS/RADIUS user information */
   URL       = 5       /* Extended URL information */
union extended_data_type (extended_information_type type) {
   case SWITCH:
      extended_switch switch;
   case ROUTER:
      extended_router router;
   case GATEWAY:
      extended_gateway gateway;
   case USER:
      extended_user user;
   case URL:
      extended_url url;
/* Format of a single flow sample */ struct flow_sample {
unsigned int sequence_number;    /* Incremented with each flow sample
                                    generated by this source_id */
unsigned int source_id;          /* sFlowDataSource encoded as follows:
                                    The most significant byte of the
                                    source_id is used to indicate the
                                    type of sFlowDataSource
                                    (0 = ifIndex,
                                    1 = smonVlanDataSource,
                                    2 = entPhysicalEntry) and the
                                    lower three bytes contain the
                                    relevant index value.*/
unsigned int sampling_rate;      /* sFlowPacketSamplingRate */
unsigned int sample_pool;        /* Total number of packets that could
                                    have been sampled (i.e., packets
                                    skipped by sampling process + total
                                    number of samples) */
unsigned int drops;              /* Number times a packet was dropped
                                    due to lack of resources */
unsigned int input;               /* SNMP ifIndex of input interface.
                                     0 if interface is not known.  */
unsigned int output;              /* SNMP ifIndex of output interface,
                                     0 if interface is not known.
                                     Set most significant bit to
                                     indicate multiple destination
                                     interfaces (i.e., in case of
                                     broadcast or multicast)
                                     and set lower order bits to
                                     indicate number of destination
                                        0x00000002  indicates ifIndex =
                                        0x00000000  ifIndex unknown.
                                        0x80000007  indicates a packet
                                                    sent to 7
                                        0x80000000  indicates a packet
                                                    sent to an unknown
                                                    number of interfaces
                                                    greater than 1. */
   packet_data_type packet_data;       /* Information about sampled
                                          packet */
   extended_data_type extended_data<>; /* Extended flow information */
/* Counter types */
/* Generic interface counters - see RFC 2233 */
struct if_counters {
   unsigned int ifIndex;
   unsigned int ifType;
   unsigned hyper ifSpeed;
   unsigned int ifDirection;    /* derived from MAU MIB (RFC 2668)
                                   0 = unknown, 1=full-duplex,
                                   2=half-duplex, 3 = in, 4=out */
   unsigned int ifStatus;       /* bit field with the following bits
                                   bit 0 = ifAdminStatus
                                     (0 = down, 1 = up)
                                   bit 1 = ifOperStatus
                                     (0 = down, 1 = up) */
   unsigned hyper ifInOctets;
   unsigned int ifInUcastPkts;
   unsigned int ifInMulticastPkts;
   unsigned int ifInBroadcastPkts;
   unsigned int ifInDiscards;
   unsigned int ifInErrors;
   unsigned int ifInUnknownProtos;
   unsigned hyper ifOutOctets;
   unsigned int ifOutUcastPkts;
   unsigned int ifOutMulticastPkts;
   unsigned int ifOutBroadcastPkts;
   unsigned int ifOutDiscards;
   unsigned int ifOutErrors;
   unsigned int ifPromiscuousMode;
/* Ethernet interface counters - see RFC 2358 */
struct ethernet_counters {
   if_counters generic;
   unsigned int dot3StatsAlignmentErrors;
   unsigned int dot3StatsFCSErrors;
   unsigned int dot3StatsSingleCollisionFrames;
   unsigned int dot3StatsMultipleCollisionFrames;
   unsigned int dot3StatsSQETestErrors;
   unsigned int dot3StatsDeferredTransmissions;
   unsigned int dot3StatsLateCollisions;
   unsigned int dot3StatsExcessiveCollisions;
   unsigned int dot3StatsInternalMacTransmitErrors;
   unsigned int dot3StatsCarrierSenseErrors;
   unsigned int dot3StatsFrameTooLongs;
   unsigned int dot3StatsInternalMacReceiveErrors;
   unsigned int dot3StatsSymbolErrors;
/* FDDI interface counters - see RFC 1512 */
struct fddi_counters {
  if_counters generic;
/* Token ring counters - see RFC 1748 */
struct tokenring_counters {
  if_counters generic;
  unsigned int dot5StatsLineErrors;
  unsigned int dot5StatsBurstErrors;
  unsigned int dot5StatsACErrors;
  unsigned int dot5StatsAbortTransErrors;
  unsigned int dot5StatsInternalErrors;
  unsigned int dot5StatsLostFrameErrors;
  unsigned int dot5StatsReceiveCongestions;
  unsigned int dot5StatsFrameCopiedErrors;
  unsigned int dot5StatsTokenErrors;
  unsigned int dot5StatsSoftErrors;
  unsigned int dot5StatsHardErrors;
  unsigned int dot5StatsSignalLoss;
  unsigned int dot5StatsTransmitBeacons;
  unsigned int dot5StatsRecoverys;
  unsigned int dot5StatsLobeWires;
  unsigned int dot5StatsRemoves;
  unsigned int dot5StatsSingles;
  unsigned int dot5StatsFreqErrors;
/* 100 BaseVG interface counters - see RFC 2020 */
struct vg_counters {
  if_counters generic;
  unsigned int dot12InHighPriorityFrames;
  unsigned hyper dot12InHighPriorityOctets;
  unsigned int dot12InNormPriorityFrames;
  unsigned hyper dot12InNormPriorityOctets;
  unsigned int dot12InIPMErrors;
  unsigned int dot12InOversizeFrameErrors;
  unsigned int dot12InDataErrors;
  unsigned int dot12InNullAddressedFrames;
  unsigned int dot12OutHighPriorityFrames;
  unsigned hyper dot12OutHighPriorityOctets;
  unsigned int dot12TransitionIntoTrainings;
  unsigned hyper dot12HCInHighPriorityOctets;
  unsigned hyper dot12HCInNormPriorityOctets;
  unsigned hyper dot12HCOutHighPriorityOctets;
/* WAN counters */

struct wan_counters { if_counters generic; }

if_countersジェネリック構造体wan_counters {; }

/* VLAN counters */
struct vlan_counters {
  unsigned int vlan_id;
  unsigned hyper octets;
  unsigned int ucastPkts;
  unsigned int multicastPkts;
  unsigned int broadcastPkts;
  unsigned int discards;
/* Counter data */

enum counters_version { GENERIC = 1, ETHERNET = 2, TOKENRING = 3, FDDI = 4, VG = 5, WAN = 6, VLAN = 7 }

列挙counters_version {1 = GENERIC、ETHERNET = 2、TOKENRING = 3、FDDI = 4、VG = 5、WAN = 6、VLAN = 7}

union counters_type (counters_version version) {
   case GENERIC:
      if_counters generic;
   case ETHERNET:
      ethernet_counters ethernet;
   case TOKENRING:
      tokenring_counters tokenring;
   case FDDI:
      fddi_counters fddi;
   case VG:
      vg_counters vg;
   case WAN:
      wan_counters wan;
   case VLAN:

vlan_counters vlan; }

VLANをvlan_counters。 }

/* Format of a single counter sample */
struct counters_sample {
   unsigned int sequence_number;   /* Incremented with each counter
                                      sample generated by this
                                      source_id */
   unsigned int source_id;         /* sFlowDataSource encoded as
                                       The most significant byte of the
                                       source_id is used to indicate the
                                       type of sFlowDataSource
                                       (0 = ifIndex,
                                       1 = smonVlanDataSource,
                                       2 = entPhysicalEntry) and the
                                           lower three
                                       bytes contain the relevant
                                       index value.*/
   unsigned int sampling_interval; /* sFlowCounterSamplingInterval*/
   counters_type counters;
/* Format of a sample datagram */

enum sample_types { FLOWSAMPLE = 1, COUNTERSSAMPLE = 2 }

列挙sample_types {FLOWSAMPLE = 1、COUNTERSSAMPLE = 2}

union sample_type (sample_types sampletype) {
      flow_sample flowsample;
      counters_sample counterssample;
struct sample_datagram_v4 {
   address agent_address           /* IP address of sampling agent,
                                      sFlowAgentAddress. */
   unsigned int sequence_number;  /* Incremented with each sample
                                     datagram generated */
   unsigned int uptime;           /* Current time (in milliseconds since
                                     device last booted).  Should be set
                                     as close to datagram transmission
                                     time as possible.*/
   sample_type samples<>;         /* An array of flow, counter and delay
                                     samples */

enum datagram_version { VERSION4 = 4 }

列挙datagram_version {バージョン4 = 4}

union sample_datagram_type (datagram_version version) { case VERSION4: sample_datagram_v4 datagram; }

組合sample_datagram_type(datagram_version版){ケースバージョン4:sample_datagram_v4グラム。 }

struct sample_datagram { sample_datagram_type version; }

構造体sample_datagram {sample_datagram_typeバージョン。 }

The sFlow Datagram specification makes use of definitions from a number of existing RFCs [22], [23], [24], [25], [26], [27] and [28].


5. Security Considerations

Deploying a traffic monitoring system raises a number of security related issues. sFlow does not provide specific security mechanisms, relying instead on proper deployment and configuration to maintain an adequate level of security.

トラフィック監視システムを導入すると、セキュリティ関連の問題の数を発生させます。 sFlowのは、セキュリティの適切なレベルを維持するために、適切な展開と構成に頼っ、特定のセキュリティメカニズムを提供していません。

While the deployment of traffic monitoring systems does create some risk, it also provides a powerful means of detecting and tracing unauthorized network activity.


This section is intended to provide information that will help understand potential risks and configuration options for mitigating those risks.


5.1 Control

The sFlow MIB is used to configure the generation of sFlow samples. The security of SNMP, with access control lists, is usually considered adequate in an enterprise setting. However, there are situations when these security measures are insufficient (for example a WAN router) and SNMP configuration control will be disabled.

sFlow MIBは、sFlowのサンプルの生成を設定するために使用されます。アクセス制御リストとSNMPのセキュリティは、通常、企業の設定で十分な考えられています。これらのセキュリティ対策が不十分である(例えばWANルータ)とSNMPの構成制御は無効になりますしかし、状況があります。

When SNMP is disabled, a command line interface is typically provided. The following arguments are required to configure sFlow sampling on an interface.


-sFlowDataSource <source> -sFlowPacketSamplingRate <rate> -sFlowCounterSamplingInterval <interval> -sFlowMaximumHeaderSize <header size> -sFlowMaximumDatagramSize <datagram size> -sFlowCollectorAddress <address> -sFlowCollectorPort <port>

-sFlowDataSource <ソース> -sFlowPacketSamplingRate <速度> -sFlowCounterSamplingInterval <間隔> -sFlowMaximumHeaderSize <ヘッダサイズ> -sFlowMaximumDatagramSize <データグラムサイズ> -sFlowCollectorAddress <アドレス> -sFlowCollectorPort <ポート>

5.2 Transport

Traffic information is sent unencrypted across the network from the sFlow Agent to the sFlow Analyzer and is thus vulnerable to eavesdropping. This risk can be limited by creating a secure measurement network and routing the sFlow Datagrams over this network. The choice of technology for creating the secure measurement network is deployment specific, but could include the use of VLANs or VPN tunnels.


The sFlow Analyzer is vulnerable to attacks involving spoofed sFlow Datagrams. To limit this vulnerability the sFlow Analyzer should check sequence numbers and verify source addresses. If a secure measurement network has been constructed then only sFlow Datagrams received from that network should be processed.


5.3 Confidentiality

Traffic information can reveal confidential information about individual network users. The degree of visibility of application level data can be controlled by limiting the number of header bytes captured by the sFlow agent. In addition, packet sampling makes it virtually impossible to capture sequences of packets from an individual transaction.


The traffic patterns discernible by decoding the sFlow Datagrams in the sFlow Analyzer can reveal details of an individual's network related activities and due care should be taken to secure access to the sFlow Analyzer.


6. References

[1] Sun Microsystems, Inc., "XDR: External Data Representation Standard", RFC 1014, June 1987.

[1]サン・マイクロシステムズ社、 "XDR:外部データ表現標準"、RFC 1014、1987年6月。

[2] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2571, April 1999.

[2]ハリントン、D.、Presuhn、R.、およびB. Wijnenの、RFC 2571、1999年4月 "SNMP管理フレームワークを記述するためのアーキテクチャ"。

[3] Rose, M. and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", STD 16, RFC 1155, May 1990.

[3]ローズ、M.、およびK. McCloghrie、 "構造とTCP / IPベースのインターネットのための経営情報の識別"、STD 16、RFC 1155、1990年5月を。

[4] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC 1212, March 1991.

[4]ローズ、M.、およびK. McCloghrie、 "簡潔なMIB定義"、STD 16、RFC 1212、1991年3月。

[5] Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991.

[5]ローズ、M.、 "SNMPとの使用のためのDefining Trapsのための条約"、RFC 1215、1991年3月。

[6] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[6] McCloghrie、K.、パーキンス、D.、Schoenwaelder、J.、ケース、J.、ローズ、M.およびS. Waldbusser、 "経営情報バージョン2(SMIv2)の構造"、STD 58、RFC 2578、 1999年4月。

[7] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[7] McCloghrie、K.、パーキンス、D.、Schoenwaelder、J.、ケース、J.、ローズ、M.およびS. Waldbusser、 "SMIv2のためのテキストの表記法"、STD 58、RFC 2579、1999年4月。

[8] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[8] McCloghrie、K.、パーキンス、D.、Schoenwaelder、J.、ケース、J.、ローズ、M.およびS. Waldbusser、STD 58、RFC 2580、1999年4月 "SMIv2のための順応文"。

[9] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple Network Management Protocol", STD 15, RFC 1157, May 1990.

[9]ケース、J.、ヒョードル、M.、Schoffstall、M.、およびJ.デーヴィン、 "簡単なネットワーク管理プロトコル"、STD 15、RFC 1157、1990年5月。

[10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996.

[10]ケース、J.、McCloghrie、K.、ローズ、M.およびS. Waldbusser、 "コミュニティベースのSNMPv2の概要"、RFC 1901、1996年1月。

[11] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996.

[11]ケース、J.、McCloghrie、K.、ローズ、M.、およびS. Waldbusser、RFC 1906 "簡易ネットワーク管理プロトコル(SNMPv2)のバージョン2のための交通マッピング"、1996年1月。

[12] Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2572, April 1999.

[12]ケース、J.、ハリントンD.、Presuhn R.とB. Wijnenの、 "メッセージ処理と簡単なネットワーク管理プロトコル(SNMP)のための派遣"、RFC 2572、1999年4月。

[13] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2574, April 1999.

[13]ブルーメンソール、U.とB. Wijnenの、 "ユーザベースセキュリティモデル(USM)簡易ネットワーク管理プロトコル(SNMPv3の)のバージョン3のために"、RFC 2574、1999年4月。

[14] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996.

[14]ケース、J.、McCloghrie、K.、ローズ、M.、およびS. Waldbusser、 "簡易ネットワーク管理プロトコルのバージョン2のためのプロトコル操作(SNMPv2の)"、RFC 1905、1996年1月。

[15] Levi, D., Meyer, P. and B. Stewart, "SNMPv3 Applications", RFC 2573, April 1999.

[15]レビ、D.、マイヤー、P.およびB.スチュワート、 "SNMPv3のアプリケーション"、RFC 2573、1999年4月。

[16] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2575, April 1999.

[16] Wijnenの、B.、Presuhn、R.とK. McCloghrie、 "簡易ネットワーク管理プロトコルのためのビューベースアクセス制御モデル(VACM)(SNMP)"、RFC 2575、1999年4月。

[17] Case, J., Mundy, R., Partain, D. and B. Stewart, "Introduction to Version 3 of the Internet-standard Network Management Framework", RFC 2570, April 1999.

[17]ケース、J.、マンディ、R.、パーテイン、D.とB.スチュワート、 "インターネット標準ネットワーク管理フレームワークのバージョン3への序論"、RFC 2570、1999年4月。

[18] Waldbusser, S., "Remote Network Monitoring Management Information Base", RFC 2819, May 2000.

[18] Waldbusser、S.、 "管理情報ベースのリモートネットワーク監視"、RFC 2819、2000年5月。

[19] Waterman, R., Lahaye, B., Romascanu, D. and S. Waldbusser, "Remote Network Monitoring MIB Extensions for Switched Networks Version 1.0", RFC 2613, June 1999.

[19]ウォーターマン、R.、Lahaye、B.、Romascanu、D.とS. Waldbusser、 "リモートネットワーク監視スイッチングネットワークバージョン1.0のMIB拡張機能"、RFC 2613、1999年6月。

[20] Daniele, M., Haberman, B., Routhier, S. and J. Schoenwaelder, "Textual Conventions for Internet Network Addresses", RFC 2851, June 2000.

[20]ダニエル、M.、ハーバーマン、B.、Routhier、S.およびJ. Schoenwaelder、 "インターネットネットワークアドレスのためのテキストの表記法"、RFC 2851、2000年6月。

[21] Brownlee, N., "Traffic Flow Measurement: Meter MIB", RFC 2720, October 1999.

[21]ブラウンリー、N.、 "トラフィックフロー測定:メーターMIB"、RFC 2720、1999年10月。

[22] Smith, A., Flick, J., de Graaf, K., Romanscanu, D., McMaster, D., McCloghrie, K. and S. Roberts, "Definition of Managed Objects for IEEE 802.3 Medium Attachment Units (MAUs)", RFC 2668, August 1999.

[22]スミス、A.、フリック、J.、デ・グラーフ、K.、Romanscanu、D.、マクマスター、D.、McCloghrie、K.およびS.ロバーツ、「IEEE 802.3媒体接続ユニットのための管理オブジェクトの定義( MAU)」、RFC 2668、1999年8月。

[23] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB using SMIv2", RFC 2233, November 1997.

[23] McCloghrie、K.およびF. Kastenholzと、 "SMIv2のを使用してインターフェイスグループMIB"、RFC 2233、1997年11月。

[24] Flick, J. and J. Johnson, "Definition of Managed Objects for the Ethernet-like Interface Types", RFC 2358, June 1998.

[24]フリック、J.とJ.ジョンソン、「イーサネットのようなインターフェース型のための管理オブジェクトの定義」、RFC 2358、1998年6月。

[25] Case, J., "FDDI Management Information Base", RFC 1512, September 1993.

[25]ケース、J.、 "FDDI管理情報ベース"、RFC 1512、1993年9月。

[26] McCloghrie, K. and E. Decker, "IEEE 802.5 MIB using SMIv2", RFC 1748, December 1994.

[26] McCloghrie、K.およびE.デッカー、 "SMIv2のを使用してIEEE 802.5 MIB"、RFC 1748、1994年12月。

[27] Flick, J., "Definitions of Managed Objects for IEEE 802.12 Interfaces", RFC 2020, October 1996.

[27]フリック、J.、RFC 2020、1996年10月 "IEEE 802.12インタフェースのための管理オブジェクトの定義"。

[28] Willis, S., Burruss, J. and J. Chu, "Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol (BGP-4) using SMIv2", RFC 1657, July 1994.

[28]ウィリス、S.、Burruss、J.およびJ.チュー、RFC 1657、1994年7月 "SMIv2のを使用してボーダーゲートウェイプロトコル(BGP-4)第4版のための管理オブジェクトの定義"。

7. Authors' Addresses

Peter Phaal InMon Corporation 1404 Irving Street San Francisco, CA 94122

ピーター・秋1404アーヴィングストリート、サンフランシスコ、イマーム株式会社、K 94122

Phone: (415) 661-6343 EMail: peter_phaal@INMON.COM

電話:(415)661-6343 Eメール:peter_phaal@INMON.COM

Sonia Panchen InMon Corporation 1404 Irving Street San Francisco, CA 94122

ソニアパンチェン米国InMon Corp. 1404アーヴィングストリート、サンフランシスコ、CA 94122

Phone: (415) 661-6343 EMail: sonia_panchen@INMON.COM

電話:(415)661-6343 Eメール:sonia_panchen@INMON.COM

Neil McKee InMon Corporation 1404 Irving Street San Francisco, CA 94122

ニール・マッキー米国InMon Corp. 1404アーヴィングストリート、サンフランシスコ、CA 94122

Phone: (415) 661-6343 EMail: neil_mckee@INMON.COM

電話:(415)661-6343 Eメール:neil_mckee@INMON.COM

8. Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.


The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

IETFは、その注意にこの標準を実践するために必要な場合があり技術をカバーすることができる任意の著作権、特許または特許出願、またはその他の所有権を持ってすべての利害関係者を招待します。 IETF専務に情​​報を扱ってください。

9. Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.


This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.


The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.






Funding for the RFC Editor function is currently provided by the Internet Society.

RFC Editor機能のための基金は現在、インターネット協会によって提供されます。