Abstract sFlow provides statistical, flow-sampled network monitoring. Unlike NetFlow/IPFIX, sFlow decouples packet sampling from counter export, enabling wire-speed monitoring on switches/routers. This paper presents the architecture of a production-ready open-source sFlow collector, focusing on scalability, data integrity, and integration with time-series databases. 1. Introduction: Why sFlow over NetFlow? | Feature | sFlow | NetFlow/IPFIX | |---------|-------|----------------| | Sampling | Packet sampling (dataplane) | Flow caching (control plane) | | Overhead | Fixed, low | Increases with flows | | Export | UDP datagrams (no ACK) | UDP/TCP with templates | | Visibility | Header + counters + drops | Aggregated flows |
sFlow can monitor every port at 1/N sampling without consuming router CPU for flow cache maintenance. 2. Core Architecture of an Open-Source sFlow Collector A solid collector follows this pipeline: open source sflow collector
func main() addr, _ := net.ResolveUDPAddr("udp", ":6343") conn, _ := net.ListenUDP("udp", addr) buf := make([]byte, 1500) for n, _, _ := conn.ReadFromUDP(buf) pkt, _ := sflow.DecodeDatagram(buf[:n]) for _, sample := range pkt.Samples switch sample.Type() case sflow.TypeFlowSample: fs := sample.(sflow.FlowSample) fmt.Printf("Flow: %v bytes (sampled)\n", fs.Length) // Normalize & export case sflow.TypeCounterSample: cs := sample.(sflow.CounterSample) fmt.Printf("Counter: iface %d -> %d bytes\n", cs.IfIndex, cs.IfInOctets) _ := net.ResolveUDPAddr("udp"
Tested on Xeon 4214 @ 2.2GHz, 32GB RAM, 10Gbps sFlow feed. // Simplified sFlow collector using sflowgo library package main import ( "github.com/msabramo/go-sflow" "net" ) _ := net.ListenUDP("udp"