sFlow Analyzer, May 2026

A modern analyzer (e.g., FastNetMon, Akvorado) uses sFlow to watch for SYN floods. When a DDoS starts, the analyzer detects the anomaly in <1 second, extracts the victim IP from the sFlow samples, and automatically injects a BGP FlowSpec rule to block the attack at the router—all without human intervention.

InMon made sFlow an open standard (RFC 3176, later 7452), free for any vendor to implement. Unlike Cisco's proprietary NetFlow (which required complex stateful tracking on the router), sFlow was stateless and ran entirely in hardware on the ASIC. This was much cheaper and safer for routers.

Chapter 2: The Problem the Analyzer Solves

sFlow solved export, but not analysis.

In a cloud-native environment, sFlow agents run on virtual switches (Open vSwitch). The analyzer cross-references sFlow samples with orchestrator APIs. It can show: "Pod frontend-7d8f9 is talking to database postgres-0 using 200 Mbps of TLS traffic—this is anomalous."

When a router samples a packet, it creates a tiny record (usually 64–128 bytes of the packet header: source IP, destination IP, port, protocol). It wraps this in an sFlow datagram (UDP) and fires it out to a collector.

The analyzer took the impossible problem—watching billions of packets per second—and reduced it to a manageable stream of samples, then turned those samples into answers. It is the ultimate example of "a little data, well analyzed, is better than all the data, unanalyzed."

The analyzer keeps an in-memory hash table keyed by (src_ip, dst_ip, src_port, dst_port, protocol). It adds the extrapolated bytes and packets (each sample scaled up by its sampling rate) to that key.
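The three pieces described above (header samples with a sampling rate, a 5-tuple hash table of extrapolated counters, and a SYN-flood check that names the victim IP) fit in a few dozen lines. The following is an added example written for this page; it is not code from the page or from FastNetMon or Akvorado. It works on simplified, already-decoded sample records constructed inline, not on the binary sFlow v5 datagram, and the field names, the thresholds, and the FlowSpec-style dictionary it emits are this example's own assumptions.

```python
"""Toy sFlow sample aggregator and SYN-flood detector (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

TCP_SYN = 0x02
TCP_ACK = 0x10


class Sample(NamedTuple):
    """Assumed, pre-decoded view of one sFlow flow sample (not the wire format)."""
    sampling_rate: int   # 1-in-N: this sample stands for N packets
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int           # 6 = TCP, 17 = UDP
    frame_len: int       # length of the original frame in bytes
    tcp_flags: int       # 0 for non-TCP samples


FlowKey = Tuple[str, str, int, int, int]


class FlowStats:
    """Extrapolated counters for one (src_ip, dst_ip, src_port, dst_port, proto) key."""
    __slots__ = ("bytes", "packets", "syn_only")

    def __init__(self) -> None:
        self.bytes = 0
        self.packets = 0
        self.syn_only = 0   # packets with SYN set and ACK clear


def aggregate(samples: List[Sample]) -> Dict[FlowKey, FlowStats]:
    """Scale each sample by its sampling rate and add it to the 5-tuple table."""
    table: Dict[FlowKey, FlowStats] = defaultdict(FlowStats)
    for s in samples:
        key = (s.src_ip, s.dst_ip, s.src_port, s.dst_port, s.proto)
        st = table[key]
        st.packets += s.sampling_rate
        st.bytes += s.frame_len * s.sampling_rate
        if s.proto == 6 and (s.tcp_flags & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            st.syn_only += s.sampling_rate
    return table


def detect_syn_flood(table: Dict[FlowKey, FlowStats], window_s: float,
                     pps_threshold: float, syn_share: float) -> List[Tuple[str, float]]:
    """Return (victim_ip, syn_pps) for destinations whose extrapolated SYN-only
    rate exceeds pps_threshold and whose SYN share of TCP packets exceeds syn_share.
    Both thresholds are assumptions for this example."""
    per_dst: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # dst -> [syn_only, packets]
    for (_, dst, _, _, proto), st in table.items():
        if proto != 6:
            continue
        per_dst[dst][0] += st.syn_only
        per_dst[dst][1] += st.packets
    victims = []
    for dst, (syn, pkts) in per_dst.items():
        if pkts == 0:
            continue
        syn_pps = syn / window_s
        if syn_pps >= pps_threshold and syn / pkts >= syn_share:
            victims.append((dst, syn_pps))
    return sorted(victims, key=lambda v: -v[1])


def flowspec_rule(victim_ip: str) -> Dict[str, object]:
    """Illustrative description of the mitigation the analyzer would hand to the
    router; a dictionary, not a BGP FlowSpec NLRI encoding."""
    return {"dst_prefix": f"{victim_ip}/32", "proto": 6,
            "tcp_flags": "syn !ack", "action": "traffic-rate 0"}


def constructed_samples() -> List[Sample]:
    """Constructed one-second window: a SYN flood plus normal traffic (documentation IPs)."""
    samples = []
    for i in range(50):   # flood: many sources, SYN only, tiny frames, 1-in-1000 sampling
        samples.append(Sample(1000, f"192.0.2.{i + 1}", "203.0.113.10", 1024 + i, 443, 6, 60, TCP_SYN))
    for i in range(10):   # established HTTPS sessions to another host
        samples.append(Sample(1000, f"198.51.100.{i % 5 + 1}", "203.0.113.20", 40000 + i % 5, 443, 6, 1500, TCP_ACK))
    for p in (50000, 50001):   # two ordinary connection openings
        samples.append(Sample(1000, "198.51.100.9", "203.0.113.20", p, 443, 6, 60, TCP_SYN))
    samples.append(Sample(1000, "198.51.100.7", "203.0.113.20", 53000, 53, 17, 90, 0))  # DNS, ignored by the TCP check
    return samples


if __name__ == "__main__":
    table = aggregate(constructed_samples())
    for victim, pps in detect_syn_flood(table, window_s=1.0, pps_threshold=10_000, syn_share=0.5):
        print(f"SYN flood towards {victim}: ~{pps:.0f} SYN/s -> {flowspec_rule(victim)}")
```

The detector keys its decision on the destination, not on individual flows, because a flood spreads across thousands of source addresses and each 5-tuple key sees only a sample or two; the per-key table is still what answers the "who is talking to whom, and how much" questions from the earlier paragraphs. The second threshold (SYN share) is what keeps a busy but healthy server from being flagged on raw SYN rate alone.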