# sflowtool **Repository Path**: tjq01/sflowtool ## Basic Information - **Project Name**: sflowtool - **Description**: https://github.com/sflow/sflowtool - **Primary Language**: Unknown - **License**: Not specified - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2021-03-24 - **Last Updated**: 2021-03-24 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # sflowtool Print binary sFlow feed to ASCII, or forward it to other collectors. This tool receives sFlow data, and generates either a simple-to-parse tagged-ASCII output, or binary output in tcpdump(1) format. It can also generate Cisco NetFlow version 5 datagrams and send them to a destination UDP host:port, or forward the original sFlow feed to a number of additional collectors. Please read the licence terms in ./COPYING. For more details on the sFlow data format, see http://www.sflow.org. # Build from sources ./boot.sh ./configure make sudo make install (Start from ./configure if you downloaded a released version.) # Usage examples If sFlow is arriving on port 6343, you can pretty-print the data like this: % ./sflowtool -p 6343 or get a line-by-line output like this: % ./sflowtool -p 6343 -l or a custom line-by-line output by listing fields like this: % ./sflowtool -p 6343 -L localtime,srcIP,dstIP or a JSON representation like this: % ./sflowtool -p 6343 -J In a typical application, this output would be parsed by an awk or perl script, perhaps to extract MAC->IP address-mappings or to extract a particular counter for trending. The usage might then look more like this: % ./sflowtool -p 6343 | my_perl_script.pl > output Alternatively, you can show packet decodes like this: % ./sflowtool -p 6343 -t | tcpdump -r - To forward Cisco NetFlow v5 records to UDP port 9991 on host collector.mysite.com, the options would be: % ./sflowtool -p 6343 -c collector.mysite.com -d 9991 If you compiled with -DSPOOFSOURCE, then you have the option of "spoofing" the IP source address of the netflow packets to match the IP address(es) of the original sflow agent(s)... % ./sflowtool -p 6343 -c collector.mysite.com -d 9991 -S To replicate the input sflow stream to several collectors, use the "-f host/port" option like this: % ./sflowtool -p 6343 -f localhost/7777 -f localhost/7778 -f collector.mysite.com/6343 # Example Output An example of the pretty-printed output is shown below. Note that every field can be parsed as two space-separated tokens (tag and value). Newlines separate one field from the next. The first field in a datagram is always the "unixSecondsUTC" field, and the first field in a flow or counters sample is always the "sampleSequenceNo" field. In this example, the datagram held two flow-samples and two counters-samples. Comments have been added in <<>> brackets. These are not found in the output. unixSecondsUTC 991362247 <> datagramVersion 2 agent 10.0.0.254 <> sysUpTime 10391000 packetSequenceNo 5219 <> samplesInPacket 4 sampleSequenceNo 9466 <> sourceId 0:0 sampleType FLOWSAMPLE meanSkipCount 10 samplePool 94660 dropEvents 0 inputPort 14 outputPort 16 packetDataTag INMPACKETTYPE_HEADER headerProtocol 1 sampledPacketSize 1014 headerLen 128 headerBytes 00-50-04-29-1B-D9-00-D0-B7-23-B7-D8-08-00-45-00-03-E8-37-44-40-00-40-06-EB-C6-0A-00-00-01-0A-00-00-05-0D-F1-17-70-A2-4C-D2-AF-B1-F0-BF-01-80-18-7C-70-82-E0-00-00-01-01-08-0A-23-BC-42-93-01-A9- dstMAC 005004291bd9 <> srcMAC 00d0b723b7d8 srcIP 10.0.0.1 dstIP 10.0.0.5 IPProtocol 6 TCPSrcPort 3569 TCPDstPort 6000 TCPFlags 24 extendedType ROUTER <> nextHop 129.250.28.33 srcSubnetMask 24 dstSubnetMask 24 sampleSequenceNo 346 <> sourceId 0:92 sampleType COUNTERSSAMPLE statsSamplingInterval 20 counterBlockVersion 1 ifIndex 92 networkType 53 ifSpeed 0 ifDirection 0 ifStatus 0 ifInOctets 18176791 ifInUcastPkts 92270 ifInMulticastPkts 0 ifInBroadcastPkts 100 ifInDiscards 0 ifInErrors 0 ifInUnknownProtos 0 ifOutOctets 40077590 ifOutUcastPkts 191170 ifOutMulticastPkts 1684 ifOutBroadcastPkts 674 ifOutDiscards 0 ifOutErrors 0 ifPromiscuousMode 0 sampleSequenceNo 9467 <> sourceId 0:0 sampleType FLOWSAMPLE meanSkipCount 10 samplePool 94670 dropEvents 0 inputPort 16 outputPort 14 packetDataTag INMPACKETTYPE_HEADER headerProtocol 1 sampledPacketSize 66 headerLen 66 headerBytes 00-D0-B7-23-B7-D8-00-50-04-29-1B-D9-08-00-45-00-00-34-1E-D7-40-00-40-06-07-E8-0A-00-00-05-0A-00-00-01-17-70-0D-F1-B1-F0-BF-01-A2-4C-E3-A3-80-10-7C-70-E2-62-00-00-01-01-08-0A-01-A9-7F-A0-23-BC- dstMAC 00d0b723b7d8 srcMAC 005004291bd9 srcIP 10.0.0.5 dstIP 10.0.0.1 IPProtocol 6 TCPSrcPort 6000 TCPDstPort 3569 TCPFlags 16 extendedType ROUTER nextHop 129.250.28.33 srcSubnetMask 24 dstSubnetMask 24 sampleSequenceNo 346 <> sourceId 0:93 sampleType COUNTERSSAMPLE statsSamplingInterval 30 counterBlockVersion 1 ifIndex 93 networkType 53 ifSpeed 0 ifDirection 0 ifStatus 0 ifInOctets 103959 ifInUcastPkts 448 ifInMulticastPkts 81 ifInBroadcastPkts 93 ifInDiscards 0 ifInErrors 0 ifInUnknownProtos 0 ifOutOctets 196980 ifOutUcastPkts 460 ifOutMulticastPkts 599 ifOutBroadcastPkts 153 ifOutDiscards 0 ifOutErrors 0 ifPromiscuousMode 0 # Other ExtendedTypes If your sFlow agent is running BGP, you may also see GATEWAY extendedType sections like this: extendedType GATEWAY my_as 65001 src_as 0 src_peer_as 0 dst_as_path_len 3 dst_as_path 65000-2828-4908 The SWITCH, USER and URL extendedTypes may also appear. The SWITCH extendedType provides information on input and output VLANs and priorities. The USER extendedType provides information on the user-id that was allocated this IP address via a remote access session (e.g. RADIUS or TACAS). The URL field indicates for an HTTP flow what the original requested URL was for the flow. For more information, see the published sFlow documentation at http://www.sflow.org. # line-by-line csv output If you run sflowtool using the "-l" option then only one row of output will be generated for each flow or counter sample. It will look something like this: [root@server src]# ./sflowtool -l CNTR,10.0.0.254,17,6,100000000,0,2147483648,175283006,136405187,2578019,297011,0,3,0,0,0,0,0,0,0,1 FLOW,10.0.0.254,0,0,00902773db08,001083265e00,0x0800,0,0,10.0.0.1,10.0.0.254,17,0x00,64,35690,161,0x00,143,125,80 The counter samples are indicated with the "CNTR" entry in the first column. The second column is the agent address. The remaining columns are the fields from the generic counters structure (see SFLIf_counters in sflow.h). The flow samples are indicated with the "FLOW" entry in the first column. The second column is the agent address. The remaining columns are: inputPort outputPort src_MAC dst_MAC ethernet_type in_vlan out_vlan src_IP dst_IP IP_protocol ip_tos ip_ttl udp_src_port OR tcp_src_port OR icmp_type udp_dst_port OR tcp_dst_port OR icmp_code tcp_flags packet_size IP_size sampling_rate To request a custom line output, use the -L option, like this: % sflowtool -L localtime,srcIP,dstIP # grep-friendly output The "-g" option causes sflowtool to include contextual information on every line of output. The fields are: agentIP agentSubId datasource_sequenceNo datasource_class datasource_index sampletype_tag elementtype_tag For example, this makes it much easier to extract a particular counter for each agent, accumulate the deltas, and stream it to a time-series database. # JSON output The -J option prints human-readable JSON with a blank line between datagrams. To print more compact JSON with each datagram on one line, use -j instead. --- ---------------------------------------- Neil McKee (neil.mckee@inmon.com) InMon Corp. http://www.inmon.com