Net::sFlow - decode sFlow datagrams

use Net::sFlow;
use IO::Socket::INET;

my $sock = IO::Socket::INET->new( LocalPort => '6343',
                                  Proto     => 'udp')
                             or die "Can't bind : $@\n";

while ($sock->recv($packet,1548)) {
  &processPacket($packet);
}
die "Socket recv: $!";


sub processPacket {

  my $sFlowPacket = shift;

  # now we actually call the Net::sFlow::decode() function
  my ($sFlowDatagramRef, $sFlowSamplesRef, $errorsRef) = Net::sFlow::decode($sFlowPacket);

  # print errors
    foreach my $error (@{$errorsRef}) {
    warn "$error";
  }

  # print sflow data
  print "===Datagram===\n";
  print "sFlow version: $sFlowDatagramRef->{sFlowVersion}\n";
  print "datagram sequence number: $sFlowDatagramRef->{datagramSequenceNumber}\n";

  foreach my $sFlowSample (@{$sFlowSamplesRef}) {
    print "\n";
    print "---Sample---\n";
    print "sample sequence number: $sFlowSample->{sampleSequenceNumber}\n";
  }

}

The sFlow module provides a mechanism to parse and decode sFlow datagrams. It supports sFlow version 2/4 (RFC 3176 - http://www.ietf.org/rfc/rfc3176.txt) and sFlow version 5 (Memo - http://sflow.org/sflow\_version\_5.txt).

The module's functionality is provided by a single (exportable) function, decode().

For more examples have a look into the 'examples' directory.

($datagram, $samples, $error) = Net::sFlow::decode($udp_data);

Returns a HASH reference containing the datagram data, an ARRAY reference with the sample data (each array element contains a HASH reference for one sample) and in case of an error a reference to an ARRAY containing the error messages.

• $datagram

  A HASH reference containing information about the sFlow datagram, with the following keys:

    sFlowVersion
    AgentIpVersion
    AgentIp
    datagramSequenceNumber
    agentUptime
    samplesInPacket
  

  In the case of sFlow v5, there is an additional key:

    subAgentId
  

• $samples

  Reference to a list of HASH references, each one representing one sample. Depending on the sFlow version and type of hardware where the data comes from (router, switch, etc.), the hash contains the following additional keys:

  In case of sFlow <= 4:

    sampleType
    sampleSequenceNumber
    sourceIdType
    sourceIdIndex
  

  If it's a sFlow <= 4 flowsample you will get the following additional keys:

    samplingRate
    samplePool
    drops
    inputInterface
    outputInterface
    packetDataType
    extendedDataInSample
  

  If it's a sFlow <= 4 countersample you will get these additional keys:

    counterSamplingInterval
    countersVersion
  

  In case of sFlow >= 5 you will first get enterprise, format and length information:

    sampleTypeEnterprise
    sampleTypeFormat
    sampleLength
  

  If the sample is a Foundry ACL based sample (enterprise == 1991 and format == 1) you will receive the following information:

    FoundryFlags
    FoundryGroupID
  

  In case of a flowsample (enterprise == 0 and format == 1):

    sampleSequenceNumber
    sourceIdType
    sourceIdIndex
    samplingRate
    samplePool
    drops
    inputInterface
    outputInterface
    flowRecordsCount
  

  If it's an expanded flowsample (enterprise == 0 and format == 3) you will get these additional keys instead of inputInterface and outputInterface:

    inputInterfaceFormat
    inputInterfaceValue
    outputInterfaceFormat
    outputInterfaceValue
  

  In case of a countersample (enterprise == 0 and format == 2) or an expanded countersample (enterprise == 0 and format == 4):

    sampleSequenceNumber
    sourceIdType
    sourceIdIndex
    counterRecordsCount
    counterDataLength
  

  Depending on the hardware you can get the following additional keys:

  Header data (sFlow format):

    HEADERDATA
    HeaderProtocol
    HeaderFrameLength
    HeaderStrippedLength
    HeaderSizeByte
    HeaderSizeBit
    HeaderBin
  

  Additional Header data decoded from the raw packet header:

    HeaderEtherSrcMac
    HeaderEtherDestMac
    HeaderType (ether type)
    HeaderDatalen (of the whole packet including ethernet header)
  

  Ethernet frame data:

    ETHERNETFRAMEDATA
    EtherMacPacketlength
    EtherSrcMac
    EtherDestMac
    EtherPackettype
  

  IPv4 data:

    IPv4DATA
    IPv4Packetlength
    IPv4NextHeaderProtocol
    IPv4srcIp
    IPv4destIp
    IPv4srcPort
    IPv4destPort
    IPv4tcpFlags
    IPv4tos
  

  IPv6 data:

    IPv6DATA
    IPv6Packetlength
    IPv6NextHeaderProto
    IPv6srcIp
    IPv6destIp
    IPv6srcPort
    IPv6destPort
    IPv6tcpFlags
    IPv6Priority
  

  Switch data:

    SWITCHDATA
    SwitchSrcVlan
    SwitchSrcPriority
    SwitchDestVlan
    SwitchDestPriority
  

  Router data:

    ROUTERDATA
    RouterIpVersionNextHopRouter
    RouterIpAddressNextHopRouter
    RouterSrcMask
    RouterDestMask
  

  Gateway data:

    GATEWAYDATA
    GatewayIpVersionNextHopRouter (only in case of sFlow v5)
    GatewayIpAddressNextHopRouter (only in case of sFlow v5)
    GatewayAsRouter
    GatewayAsSource
    GatewayAsSourcePeer
    GatewayDestAsPathsCount
  
    GatewayDestAsPaths (arrayreference)
      each enty contains a hashreference:
        asPathSegmentType
        lengthAsList
        AsPath (arrayreference, asNumbers as entries)
  
    GatewayLengthCommunitiesList (added in sFlow v4)
    GatewayCommunities (arrayreference, added in sFlow v4)
      each enty contains a community (added in sFlow v4)
  
    localPref
  

  User data:

    USERDATA
    UserSrcCharset (only in case of sFlow v5)
    UserLengthSrcString
    UserSrcString
    UserDestCharset (only in case of sFlow v5)
    UserLengthDestString
    UserDestString
  

  Url data (added in sFlow v3):

    URLDATA
    UrlDirection
    UrlLength
    Url
    UrlHostLength (only in case of sFlow v5)
    UrlHost (only in case of sFlow v5)
  

  The following keys can be only available in sFlow v5:

  Mpls data:

    MPLSDATA
    MplsIpVersionNextHopRouter
    MplsIpAddressNextHopRouter
    MplsInLabelStackCount
    MplsInLabelStack (arrayreference containing MplsInLabels)
    MplsOutLabelStackCount
    MplsOutLabelStack (arrayreference containing MplsOutLabels)
  

  Nat data:

    NATDATA
    NatIpVersionSrcAddress
    NatSrcAddress
    NatIpVersionDestAddress
    NatDestAddress
  

  Mpls tunnel:

    MPLSTUNNEL
    MplsTunnelNameLength
    MplsTunnelName
    MplsTunnelId
    MplsTunnelCosValue
  

  Mpls vc:

    MPLSVC
    MplsVcInstanceNameLength
    MplsVcInstanceName
    MplsVcId
    MplsVcLabelCosValue
  

  Mpls fec:

    MPLSFEC
    MplsFtnDescrLength
    MplsFtnDescr
    MplsFtnMask
  

  Mpls lpv fec:

    MPLSLPVFEC
    MplsFecAddrPrefixLength
  

  Vlan tunnel:

    VLANTUNNEL
    VlanTunnelLayerStackCount
    VlanTunnelLayerStack (arrayreference containing VlanTunnelLayer entries)
  

  The following keys are also available in sFlow < 5:

  Counter generic:

    COUNTERGENERIC
    ifIndex
    ifType
    ifSpeed
    ifDirection
    ifAdminStatus
    ifOperStatus
    ifInOctets
    ifInUcastPkts
    ifInMulticastPkts
    ifInBroadcastPkts
    ifInDiscards
    ifInErrors
    ifInUnknownProtos
    ifOutOctets
    ifOutUcastPkts
    ifOutMulticastPkts
    ifOutBroadcastPkts
    ifOutDiscards
    ifOutErrors
    ifPromiscuousMode
  

  Counter ethernet:

    COUNTERETHERNET
    dot3StatsAlignmentErrors
    dot3StatsFCSErrors
    dot3StatsSingleCollisionFrames
    dot3StatsMultipleCollisionFrames
    dot3StatsSQETestErrors
    dot3StatsDeferredTransmissions
    dot3StatsLateCollisions
    dot3StatsExcessiveCollisions
    dot3StatsInternalMacTransmitErrors
    dot3StatsCarrierSenseErrors
    dot3StatsFrameTooLongs
    dot3StatsInternalMacReceiveErrors
    dot3StatsSymbolErrors
  

  Counter tokenring:

    COUNTERTOKENRING
    dot5StatsLineErrors
    dot5StatsBurstErrors
    dot5StatsACErrors
    dot5StatsAbortTransErrors
    dot5StatsInternalErrors
    dot5StatsLostFrameErrors
    dot5StatsReceiveCongestions
    dot5StatsFrameCopiedErrors
    dot5StatsTokenErrors
    dot5StatsSoftErrors
    dot5StatsHardErrors
    dot5StatsSignalLoss
    dot5StatsTransmitBeacons
    dot5StatsRecoverys
    dot5StatsLobeWires
    dot5StatsRemoves
    dot5StatsSingles
    dot5StatsFreqErrors
  

  Counter vg:

    COUNTERVG
    dot12InHighPriorityFrames
    dot12InHighPriorityOctets
    dot12InNormPriorityFrames
    dot12InNormPriorityOctets
    dot12InIPMErrors
    dot12InOversizeFrameErrors
    dot12InDataErrors
    dot12InNullAddressedFrames
    dot12OutHighPriorityFrames
    dot12OutHighPriorityOctets
    dot12TransitionIntoTrainings
    dot12HCInHighPriorityOctets
    dot12HCInNormPriorityOctets
    dot12HCOutHighPriorityOctets
  

  Counter vlan:

    COUNTERVLAN
    vlan_id
    octets
    ucastPkts
    multicastPkts
    broadcastPkts
    discards
  

  Counter lag:

    COUNTERLAG
    dot3adAggPortActorSystemID
    dot3adAggPortPartnerOperSystemID
    dot3adAggPortAttachedAggID
    dot3adAggPortActorAdminState
    dot3adAggPortActorOperState
    dot3adAggPortPartnerAdminState
    dot3adAggPortPartnerOperState
    dot3adAggPortStatsLACPDUsRx
    dot3adAggPortStatsMarkerPDUsRx
    dot3adAggPortStatsMarkerResponsePDUsRx
    dot3adAggPortStatsUnknownRx
    dot3adAggPortStatsIllegalRx
    dot3adAggPortStatsLACPDUsTx
    dot3adAggPortStatsMarkerPDUsTx
    dot3adAggPortStatsMarkerResponsePDUsTx
  

  Counter processor (only in sFlow v5):

    COUNTERPROCESSOR
    cpu5s
    cpu1m
    cpu5m
    memoryTotal
    memoryFree
  

  Counter HTTP:

    COUNTERHTTP
    methodOptionCount
    methodGetCount
    methodHeadCount
    methodPostCount
    methodPutCount
    methodDeleteCount
    methodTraceCount
    methodConnectCount
    methodOtherCount
    status1xxCount
    status2xxCount
    status3xxCount
    status4xxCount
    status5xxCount
    statusOtherCount
  

• $error

  Reference to a list of error messages.

The decode() function will blindly attempt to decode the data you provide. There are some tests for the appropriate values at various places (where it is feasible to test - like enterprises, formats, versionnumbers, etc.), but in general the GIGO principle still stands: Garbage In / Garbage Out.

sFlow v4 http://www.ietf.org/rfc/rfc3176.txt

sFlow v5 http://sflow.org/sflow\_version\_5.txt

Math::BigInt

Elisa Jasinska elisa@bigwaveit.org

Please send comments or bug reports to elisa@bigwaveit.org and/or sflow@ams-ix.net

Copyright (c) 2006 - 2015 AMS-IX B.V.

This package is free software and is provided "as is" without express or implied warranty. It may be used, redistributed and/or modified under the terms of the Perl Artistic License (see http://www.perl.com/perl/misc/Artistic.html)