sFlow Data (20800, 20900)
Description
sFlow Data Converter translates sFlow records into syslog messages 1-to-1. Each sFlow record is converted into a syslog message in the “key=value” format. sFlow Counter syslogs are identified by nfc_id=20800. sFlow Data records have nfc_id=20900. The following configuration is available in NetFlow Optimizer:
- Include sFlow Counter records (default is not to include)
- Included headerLen and headerBytes fields in the syslog output (default is not to include)
Additional information on sFlow specifications could be found here:
http://www.sflow.org/developers/specifications.php
See Appendix 2 for details on what sFlow structures are supported in the current release.
The table below shows a partial list of key values.
Input
sFlow
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20800” or “nfc_id=20900” |
| ent | Enterprise ID | <number> |
| fmt | Format | <number> |
| exp_ip | sFlow exporter IP address | <IPv4_address> |
| samplingRate | Sampling rate | <number> |
| inputPort | SNMP index of input interface | <number> |
| outputPort | SNMP index of output interface | <number> |
| [headerLen](1) | Length of Header included in the sample | <number> |
| [headerBytes](1) | Header bytes included in the sample | <string> |
| srcIP | Source IP address | <IPv4_address> |
| dstIP | Destination IP address | <IPv4_address> |
| IPProtocol | Transport Protocol ( TCP = 6, UDP = 17) | <number> |
| IPTOS | IP type of service | <number> |
| TCPSrcPort | Source port number | <number> |
| TCPDstPort | Destination port number | <number> |
| … | [Varies depending on the record type] | … |
(1) This field is optional, and should be enabled in NetFlow Optimizer to be included in the syslog.