The sFlow toolkit provides command line utilities and scripts for analyzing sFlow data (Note: If you are interested in a free, graphical, sFlow analyzer, you might want to look at sFlowTrend).
The core component of the sFlow toolkit is the sflowtool command line utility. sflowtool interfaces to utilities such as tcpdump, ntop and Snort for detailed packet tracing and analysis, NetFlow compatible collectors for IP flow accounting, and provides text based output that can be used in scripts to provide customized analysis and reporting and for integrating with other tools such as MRTG or rrdtool.
For example, the command:
sflowtool -t | tcpdump -r -
will provide a decoded packet trace. Advanced packet filtering is easily performed using tcpdump. In addition, many other packet analyzers are capable of processing packets in tcpdump format.
sflowtool -t | ntop -f -
will provide a real-time top-talkers view of the network traffic through a web-based interface. (Note: The numbers will all appear low since ntop isn't aware that the data is sampled. Simply multiply by the sampling rate to get the correct values.)
The following command be used to send data to the Snort intrusion detection system:
sflowtool -t | snort -Afull -r - -c snort.conf
The following example shows sflowtool converting sFlow packets into NetFlow and sending the NetFlow packets to a NetFlow collector specified by a host and port.
sflowtool -c netflow.inmon.com -d 9991 > /dev/null
The final example shows how text based scripts can be used in conjunction with sflowtool. In this example an IP traffic matrix is constructed every hour.
sflowtool | ipTrafficMatrix
For additional examples, see the sFlow Blog.
PLEASE READ THIS LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE REPRODUCING OR IN ANY WAY UTILIZING THE sFlow® SOFTWARE ("SOFTWARE") AND/OR ANY ACCOMPANYING DOCUMENTATION ("DOCUMENTATION") AND/OR THE RELATED SPECIFICATIONS ("SPECIFICATIONS"). YOUR REPRODUCTION OR USE OF THE SOFTWARE AND/OR THE DOCUMENTATION AND/OR THE SPECIFICATIONS CONSTITUTES YOUR ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT, YOU MAY NOT REPRODUCE OR IN ANY WAY UTILIZE THE SOFTWARE OR THE DOCUMENTATION OR THE SPECIFICATIONS.
Scripts using sflowtool to analyze traffic. These scripts are easily modified to perform customized traffic studies. Included are:
- ipTrafficMatrix Hourly source/destination IP traffic matrices.
- ipTopTalkers Minute by minute top talking IP sources.
- sflowRRDLoad/sflowRRDChart.cgi Use rrdtool to log and chart sFlow counters.