How to identify direction of sampled packet in sFlow?


Kapil Gupta

Jan 10, 2018, 11:35:39 AM
to sFlow
Hello,

In case I have tcpdump of sFlow. Is there any way to detect whether sampled packet was from ingress traffic or egress traffic for that interface?
I know one can see the configuration of sFlow for that interface whether ingress/egress sampling is configured. But is there any way to detect by looking at sFlow datagram itself?

Thanks,
Kapil

Peter Phaal

Jan 10, 2018, 11:39:49 AM
to sFlow
On Tue, Jan 9, 2018 at 11:06 PM, Kapil Gupta <kapilgu...@gmail.com> wrote:
In case I have tcpdump of sFlow. Is there any way to detect whether sampled packet was from ingress traffic or egress traffic for that interface?
I know one can see the configuration of sFlow for that interface whether ingress/egress sampling is configured. But is there any way to detect by looking at sFlow datagram itself?

You can determine packet sampling direction by comparing the data source that reported the sample with the ingress/egress port information in the sample. For example, if data source 1 reported a packet sample with ingress port 1 and egress port 3, then it is an ingress packet sample since the data source and the ingress port are the same. 

Francois Labonte

Aug 1, 2019, 5:46:20 PM
to sFlow
> You can determine packet sampling direction by comparing the data source that reported the sample with the ingress/egress port information in the sample. For example, if data source 1 reported a packet sample with ingress port 1 and egress port 3, then it is an ingress packet sample since the data source and the ingress port are the same.

Hi Peter,

I believe that there can still be ambiguity in the direction of an sFlow sample in case the packet has the same ingress and egress port. For example, routing on a hairpin, where a packet comes in the port and gets routed back out the same port with a new ARP and a decremented TTL. The ambiguity in the sFlow sample is that you cannot tell if the packet sample is ingress or egress. I believe it would be good to be able to distinguish these in future sFlow specifications.

Thanks,

Francois

Peter Phaal

Aug 1, 2019, 7:47:31 PM
to sFlow
On Thursday, August 1, 2019 at 2:46:20 PM UTC-7, Francois Labonte wrote:

On Wednesday, January 10, 2018 at 8:35:39 AM UTC-8, Kapil Gupta wrote:

In case I have tcpdump of sFlow. Is there any way to detect whether sampled packet was from ingress traffic or egress traffic for that interface?
I know one can see the configuration of sFlow for that interface whether ingress/egress sampling is configured. But is there any way to detect by looking at sFlow datagram itself?

> You can determine packet sampling direction by comparing the data source that reported the sample with the ingress/egress port information in the sample. For example, if data source 1 reported a packet sample with ingress port 1 and egress port 3, then it is an ingress packet sample since the data source and the ingress port are the same.

I believe that there can still be ambiguity in the direction of an sFlow sample in case the packet has the same ingress and egress port. For example, routing on a hairpin, where a packet comes in the port and gets routed back out the same port with a new ARP and a decremented TTL. The ambiguity in the sFlow sample is that you cannot tell if the packet sample is ingress or egress. I believe it would be good to be able to distinguish these in future sFlow specifications.

Determining the direction of a packet sample if you have bi-directional sampling enabled on a one-armed router port is challenging, but it isn't a situation that commonly comes up. sFlow is typically enabled ingress-only on all switches and all switch ports - a configuration strategy that reduces operational complexity, increases scalability, and ensures that all packet paths are observed.

However, if bidirectional sampling is enabled, an sFlow analyzer can determine direction, first by detecting that the packet has been looped (ingress_port == egress_port), and then by examining the MAC addresses from the sampled packet. If the destination MAC belongs to the device then the sample was taken on ingress, if the source MAC address belongs to the device then the sample was taken on egress. 

The list of router MAC addresses is static information that can be gathered via SNMP or an API call to the device. It may also be possible to determine device MACs by examining TTL, MAC, and IP address information from routed packets, or by looking for traffic that terminates at the router (BGP, LLDP, STP, etc).
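The classification rule described in the two replies above (data source vs. ingress/egress port, with the MAC-ownership fallback for the hairpin case), written out as an added example that is not code from the thread or from any sFlow implementation. It assumes the flow-sample fields have already been extracted from the datagram (compact sFlow v5 encoding of the data source and interface fields) and that the device's own MAC list is already known, e.g. from SNMP.

```python
"""Classify sFlow v5 packet-sample direction (added example, not from the thread)."""

# Constructed: MACs owned by the sampling device, e.g. gathered via SNMP.
DEVICE_MACS = {"00:11:22:33:44:55"}


def decode_data_source(ds: int):
    """Compact sFlowDataSource: upper 8 bits = type (0 = ifIndex), lower 24 = index."""
    return ds >> 24, ds & 0x00FFFFFF


def decode_interface(value: int):
    """Flow-sample input/output field: upper 2 bits = format, lower 30 = value.
    Format 0 = single ifIndex, 1 = packet discarded, 2 = multiple destinations."""
    return value >> 30, value & 0x3FFFFFFF


def ethernet_macs(header: bytes):
    """Return (dst_mac, src_mac) from a sampled raw Ethernet header."""
    if len(header) < 12:
        raise ValueError("sampled header shorter than an Ethernet header")
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(header[0:6]), fmt(header[6:12])


def sample_direction(data_source, input_if, output_if, header, device_macs=DEVICE_MACS):
    """Return 'ingress', 'egress' or 'unknown' for one flow sample."""
    ds_type, ds_index = decode_data_source(data_source)
    in_fmt, in_idx = decode_interface(input_if)
    out_fmt, out_idx = decode_interface(output_if)
    if ds_type != 0 or in_fmt != 0:
        return "unknown"            # only ifIndex data sources are handled here
    if out_fmt != 0:
        # Discarded / multi-destination: no single egress ifIndex to compare with.
        return "ingress" if ds_index == in_idx else "unknown"
    if in_idx != out_idx:
        if ds_index == in_idx:
            return "ingress"
        return "egress" if ds_index == out_idx else "unknown"
    # Hairpin (ingress_port == egress_port): fall back to MAC ownership.
    dst, src = ethernet_macs(header)
    owned = {m.lower() for m in device_macs}
    if dst in owned and src not in owned:
        return "ingress"            # addressed to the router: seen on the way in
    if src in owned and dst not in owned:
        return "egress"             # sent by the router: seen on the way out
    return "unknown"


# Constructed sampled headers: Ethernet dst(6) + src(6) + EtherType, padded.
HOST_MAC, ROUTER_MAC = "aabbccddeeff", "001122334455"
HAIRPIN_IN = bytes.fromhex(ROUTER_MAC + HOST_MAC + "0800") + bytes(20)
HAIRPIN_OUT = bytes.fromhex(HOST_MAC + ROUTER_MAC + "0800") + bytes(20)
```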