Sflow: Analyzer [2021]
This is written as a technical narrative.

Prologue: The Blindness Problem

In the late 1990s and early 2000s, enterprise networks were growing exponentially. Network engineers faced a critical paradox: traffic was increasing, but visibility was decreasing.
The analyzer took the impossible problem, watching billions of packets per second, and reduced it to a manageable stream of samples, then turned those samples into answers. It is the ultimate example of "a little data, well analyzed, is better than all the data, unanalyzed."
What the industry needed was a way to look at a statistically significant fraction of traffic and infer the whole picture.

Chapter 1: The Birth of sFlow (2001)

In 2001, InMon Corporation (founded by Peter Phaal, who had previously worked on packet sampling at Sprint) published a revolutionary idea: sFlow (Sampled Flow).
The analyzer keeps an in-memory hash table keyed by the five-tuple (src_ip, dst_ip, src_port, dst_port, protocol). For every sample it receives, it adds the extrapolated byte and packet counts to the entry for that key.
The analyzer sees: "1 packet for 192.168.1.100 -> 203.0.113.50, sample rate 1/1000". It immediately scales up: this one sample represents 1,000 real packets. It then multiplies by the packet size (from the sampled header, say 500 bytes) to get 1,000 x 500 = 500,000 bytes (4 Mbits) of traffic contributed by that flow.
A modern analyzer (e.g., FastNetMon, Akvorado) uses sFlow to watch for SYN floods. When a DDoS starts, the analyzer detects the anomaly in under a second, extracts the victim IP from the sFlow samples, and automatically injects a BGP FlowSpec rule to block the attack at the router, all without human intervention.
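The per-flow extrapolation from the previous two paragraphs and the SYN-rate check from this one, as an added example that is not code from the page or from any analyzer it names. It assumes samples have already been decoded into records (a real analyzer parses the sampled packet header out of the sFlow datagram first); all addresses, ports and counts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Sample:
    """One decoded sFlow flow sample (constructed; a real analyzer fills these
    fields by parsing the sampled packet header out of the sFlow datagram)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int       # IP protocol number: 6 = TCP, 17 = UDP
    sampling_rate: int  # 1-in-N, reported by the exporting switch
    frame_length: int   # bytes on the wire of the sampled packet
    tcp_flags: int = 0

def aggregate(samples):
    """Scale each sample by its sampling rate and accumulate per five-tuple.
    Returns {(src_ip, dst_ip, src_port, dst_port, protocol): {"packets", "bytes"}}."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for s in samples:
        key = (s.src_ip, s.dst_ip, s.src_port, s.dst_port, s.protocol)
        table[key]["packets"] += s.sampling_rate                 # one sample ~ N packets
        table[key]["bytes"] += s.sampling_rate * s.frame_length  # N packets x frame size
    return dict(table)

def syn_flood_victims(samples, window_s, syn_pps_threshold):
    """Estimate SYN/s per destination (SYN set, ACK clear, scaled by the sampling
    rate) over a window; return the destinations above the threshold."""
    syn_count = defaultdict(int)
    for s in samples:
        if s.protocol == 6 and s.tcp_flags & SYN and not s.tcp_flags & ACK:
            syn_count[s.dst_ip] += s.sampling_rate
    return {ip: n / window_s for ip, n in syn_count.items() if n / window_s > syn_pps_threshold}

# Constructed samples. PAGE_SAMPLE reproduces the page's arithmetic (ports are made up).
PAGE_SAMPLE = Sample("192.168.1.100", "203.0.113.50", 51234, 443, 6, 1000, 500, SYN | ACK)
NORMAL = [Sample("192.0.2.10", "203.0.113.7", 52000, 443, 6, 1000, 500, ACK)]
# 120 sampled SYNs to one host within a one-second window: ~120,000 SYN/s after scaling.
FLOOD = [Sample(f"198.51.100.{i % 250 + 1}", "203.0.113.50", 40000 + i, 80, 6, 1000, 60, SYN)
         for i in range(120)]

if __name__ == "__main__":
    flow, stats = next(iter(aggregate([PAGE_SAMPLE]).items()))
    print(flow, stats, f"{stats['bytes'] * 8 / 1_000_000} Mbit")
    print("SYN-flood victims:", syn_flood_victims(NORMAL + FLOOD, 1.0, 50_000))
```

The threshold and window are tuning knobs: with a 1-in-1000 sampling rate a single sampled SYN already contributes 1,000 packets to the estimate, so the window must be long enough to collect several samples before the estimate is trusted.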