sFlow at AMS-IX

To analyse and optimise high speed networks an efficient monitoring system is required, therefore AMS-IX uses sFlow for its traffic analysis.

General platform statistics based on sFlow are shown here

Introduction

sFlow is a standard to capture traffic data in switched or routed networks. It uses a sampling technology to collect statistics from the device and is for that reason applicable to gigabit speeds or higher. Due to it being an open standard, described in RFC 3176, it is implemented on a wide range of devices, like the AMS-IX Brocade switches.

The sFlow agent (Brocade switch) supports two forms of operation:

  • time-based sampling of counters
  • packet-based sampling of ethernet frames

The counter samples provide exactly the same information AMS-IX uses for its traffic statistics now, therefore the sFlow implementation at AMS-IX makes use of the packet-based samples (called flowsamples) to provide additional analysis of the exchanged traffic.

Packet Based Sampling

Based on a defined sampling rate, one out of N frames from the incoming traffic for each interface gets sampled and sent to a central server which is statistically analyzing the traffic. If we see one packet out of N, we assume that all the N-1 packets we haven't seen are the same type and size.

Note: This type of sampling does not provide 100% accurate results.

Without the sampling technology packet analysis on a network with a throughput like AMS-IX would not be possible. For more detailed information about the accuracy of packed based sampling see the documents on the official sFlow website.

Software

The sFlow samples on the server get analyzed by software developed at AMS-IX. The software package is written in PERL and based on the sFlow decoding module Net::sFlow.

Note: While the sFlow packet format supports sampling of IP and TCP/UDP flows, our software only looks at Layer-2 (Ethernet) fields. We neither process nor store flow information from higher layer protocols.