The traffic data obtained is inaccurate.(I apologize for my limited English. I used AI for translation, so I appreciate your help.)
67 views
Skip to first unread message
王泽
Jun 13, 2025, 9:47:37 AMJun 13
to sFlow-RT
I tried using the API of sflowrt to fetch data. I attempted two methods: "ipsource,ipdestination" and "ipsource" to retrieve the data, but I noticed that for the same IP, the merged data from the "ipsource,ipdestination" method is smaller than that from the "ipsource" method. May I ask if there is an issue with the parameter settings?
==============
{"value":"bytes","keys":"ipsource,ipdestination","filter":"'agent'='XX.XX.XX.XX'","fs":"_SEP_","n":"100000","t":"2","activeTimeout":"300"}
{"value":"bytes","keys":"ip6source,ip6destination","filter":"'agent'='XX.XX.XX.XX'","fs":"_SEP_","n":"100000","t":"2","activeTimeout":"300"}
{"value":"bytes","keys":"ipsource","filter":"'agent'='XX.XX.XX.XX'","fs":"_SEP_","n":"100000","t":"2","activeTimeout":"300"}
{"value":"bytes","keys":"ip6source","filter":"'agent'='XX.XX.XX.XX'","fs":"_SEP_","n":"100000","t":"2","activeTimeout":"300"}
{"value":"bytes","keys":"ip6source,ip6destination","filter":"'agent'='XX.XX.XX.XX'","fs":"_SEP_","n":"100000","t":"2","activeTimeout":"300"}
{"value":"bytes","keys":"ipsource","filter":"'agent'='XX.XX.XX.XX'","fs":"_SEP_","n":"100000","t":"2","activeTimeout":"300"}
{"value":"bytes","keys":"ip6source","filter":"'agent'='XX.XX.XX.XX'","fs":"_SEP_","n":"100000","t":"2","activeTimeout":"300"}
==============
agent IP ipsource,ipdestination ipsource
tt80G XXX. 1.05 3.75
tt80G XXX.XXX.XX.XX 0.50 2.11
tt80G XXX.XXX.XX.XX 0.84 4.43
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.46 3.85
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.04 0.79
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.57 7.04
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.30 5.28
tt80G XXX.XXX.XX.XX 0.44 1.31
tt80G XXX.XXX.XX.XX 0.61 3.67
tt80G XXX.XXX.XX.XX 1.00 4.65
tt80G XXX.XXX.XX.XX 0.16 2.07
tt80G XXX.XXX.XX.XX 0.21 2.68
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.72 4.37
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.20 5.23
tt80G XXX.XXX.XX.XX 0.52 3.42
tt80G XXX.XXX.XX.XX 0.46 2.96
tt80G XXX.XXX.XX.XX 0.02 0.62
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.16 3.00
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.07 2.59
tt80G XXX.XXX.XX.XX 0.02 0.23
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.51 4.91
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.27 5.29
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.14 4.27
v4singe:187 v6singe:90 v4all:12 v4all:12
tianjing80G v4:31.89 v6:46.61 asum:78.50 sum:9.25
tt80G XXX. 1.05 3.75
tt80G XXX.XXX.XX.XX 0.50 2.11
tt80G XXX.XXX.XX.XX 0.84 4.43
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.46 3.85
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.04 0.79
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.57 7.04
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.30 5.28
tt80G XXX.XXX.XX.XX 0.44 1.31
tt80G XXX.XXX.XX.XX 0.61 3.67
tt80G XXX.XXX.XX.XX 1.00 4.65
tt80G XXX.XXX.XX.XX 0.16 2.07
tt80G XXX.XXX.XX.XX 0.21 2.68
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.72 4.37
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.20 5.23
tt80G XXX.XXX.XX.XX 0.52 3.42
tt80G XXX.XXX.XX.XX 0.46 2.96
tt80G XXX.XXX.XX.XX 0.02 0.62
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.16 3.00
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.07 2.59
tt80G XXX.XXX.XX.XX 0.02 0.23
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.51 4.91
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.27 5.29
tt80G XXXX:XXXX:XXXX:XX:XXX.XXX.XX.XX 0.14 4.27
v4singe:187 v6singe:90 v4all:12 v4all:12
tianjing80G v4:31.89 v6:46.61 asum:78.50 sum:9.25
Peter Phaal
Jun 13, 2025, 10:13:17 AMJun 13
to sFlow-RT
sFlow-RT keeps a small sorted flow cache for each switch port to identify the topN flows. In your flow definitions you set n to 100000, but that will be reduced to the maximum value of 20, see Defininig Flows. When you query activeflows, you can specify a larger n and flow data from all the interfaces will be combined into a sorted list. Given the small number of entries maintained, it is expected that the more keys you add to the flow definition, the smaller the fraction of total traffic will be represented in the top 20. Conversely, if you reduce the number of keys to zero, i.e. {keys: "", value:"bytes", t:2} you will get an accurate total so you can compute the fraction of traffic represented by more detailed flow records and the fraction in the tail of the list that was truncated and not reported.
If you want to log all flows, you can set log:true and sum the resulting flow records. You can access the stream of flow records in an application script using sFlow-RT APIs, or you can export them via IPFIX.
王泽
Jun 16, 2025, 9:38:22 AMJun 16
to sFlow-RT
Dear Author,
Hello. I defined the flow using the log method and obtained flow information via the API. However, when performing merged calculations, I still cannot obtain bandwidth data close to the actual values. My usage is as follows:
(Note: The translation maintains the technical context while adapting it to natural English phrasing. If there are specific terms like "log" or "bandwidth" that should be translated differently in your field, please provide additional context.)
Finally, the accumulated value I obtained is 84,099,072, while the total capacity of my current node is 62 Gbps. I'm not sure if my usage method is correct.
Additionally, if I want to retrieve counter values consistent with the switch's, should I set the value parameter to frames? Is this value continuously accumulated, or only incremented during the timeout period and reset to zero after timeout?
(Note: Clarify whether the counter is persistent (like typical switch counters) or resets after each timeout interval.)
====================
PUT /flow/log/json
{
"log": true,
"keys": "ipsource,ipdestination",
"activeTimeout": 60,
"value": "bytes",
"fs": "_to_",
"filter": "agent=XXX.XXX.XXX.XXX"
}
===================
GET /flow/json
{
"all": {
"t": 2,
"log": true,
"keys": "ipsource,ipdestination",
"activeTimeout": 60,
"value": "bytes",
"fs": "_to_",
"n": 5
},
"log": {
"filter": "agent=XXX.XXX.XXX.XXX",
"t": 2,
"log": true,
"keys": "ipsource,ipdestination",
"activeTimeout": 60,
"value": "bytes",
"fs": "_to_",
"n": 5
}
}
=====================================
get /flows/json?name=log&maxFlows=1000000
[
{
"flowKeys": "xxx.xxx.xxx.xxx_to_123.117.132.94",
"agent": "xxx.xxx.xxx.xxx",
"name": "log",
"start": 1750080535935,
"end": 1750080535975,
"dataSource": "61",
"value": 6217728,
"flowID": -2037912100
},
{
"flowKeys": "xxx.xxx.xxx.xxx_to_111.32.40.141", "agent": "xxx.xxx.xxx.xxx", "name": "log",
"start": 1750080535954,
"end": 1750080535975,
"dataSource": "61",
"value": 6135808,
"flowID": -2037912101
},
....
]
{
"flowKeys": "xxx.xxx.xxx.xxx_to_123.117.132.94",
"agent": "xxx.xxx.xxx.xxx",
"name": "log",
"start": 1750080535935,
"end": 1750080535975,
"dataSource": "61",
"value": 6217728,
"flowID": -2037912100
},
{
"flowKeys": "xxx.xxx.xxx.xxx_to_111.32.40.141", "agent": "xxx.xxx.xxx.xxx", "name": "log",
"start": 1750080535954,
"end": 1750080535975,
"dataSource": "61",
"value": 6135808,
"flowID": -2037912101
},
....
]
Peter Phaal
Jun 16, 2025, 10:07:18 AMJun 16
to sFlow-RT
The sFlow agent reports standard interface counters as well as packet samples. You can use the sflow-test app to compare counters and flows to verify that the switch is correctly reporting traffic.
The values in the logged flow records are the total for the flow between the start and end times. If you want to log both bytes and frames, you can set value:'bytes', values:'frames' in your flow definitions.
王泽
Jun 16, 2025, 10:42:13 AMJun 16
to sFlow-RT
Currently, I have configured sFlow sampling on the uplink port's egress (outbound) direction of the switch. I want to measure the bandwidth of egress traffic from devices connected downstream of the switch. However, the results I obtained using the method above deviate significantly from expectations.
Please forgive my obtuseness—I've been struggling with this requirement for two weeks now and still haven't been able to achieve accurate results.
Reply all
Reply to author
Forward
0 new messages