sFlow is an open source sampling tool that provides constant traffic flow information on all enabled interfaces simultaneously. sFlow data is sent from the switch by a process called an agent in sFlow parlance. The sFlow data is sent to a collector that usually formats the data into cool-looking charts and graphs while recording and reporting trends for use in diagnostics, troubleshooting, and analysis. sFlow is defined in RFC 3176, and because it’s an open source tool, there are many agents and collectors out there, some of which are free, and some of which cost tens of thousands of dollars. If you’re thinking that this all sounds like Cisco’s NetFlow, you’re right, but sFlow is open source, while NetFlow is Cisco proprietary.

The agent within the switch samples packets from the data flows, and then forwards the headers of those sampled packets to the collector at regular intervals. The sampling is just that, a sample packet from the data flows and not a copy of every packet. The number of packets sampled from the total packets seen is called the sample rate, which can be configured with the default being about 1 in every 65,000 packets. These packets are stored and then sent to the collector at a configurable interval called the polling interval. The default polling interval is two seconds.

Not all packets or flow types are sampled. Packets that are sampled include frames sent to the interfaces or CPU of the switch, routed packets (with certain exceptions), flooded ...