Collecting Switch Flow Statistics

[phamori...@gmail.com]

Hello.

I'm new to sFlow and I downloaded a version and followed this tutorial to install and used it: [http://blog.sflow.com/2013/05/controlling-large-flows-with-openflow.html]

To collect the flow statistics from the switches, I'm using Flow Statistics messages sent by the controller. I would like to know if sFlow can get each flow statistics from each switch and show me these statistics.

Thank you.    

[Peter Phaal]

You can use sFlow to replace/complement the OpenFlow flow statistics polling you are currently performing. Enable sFlow on each switch and port and then direct your queries to the sFlow-RT analyzer. 

Since you are new to sFlow you might want to take a look at the following presentation, it provides an overview of sFlow and discusses how to incorporate measurement in SDN applications (like DDoS mitigation, load balancing etc):

http://blog.sflow.com/2013/06/bay-area-network-virtualization-talk.html

Peter 

[phamori...@gmail.com]

Ok.

I configured everything and seems to be working.

But I have some problems, I'm not able to see the flows on each switch, only a general information about the flow. I'm using Iperf to send generate traffic between two hosts, these are separated by two switches. I'm generating traffic twice, one in the host UDP port X and the other in the host UDP port Y, since the match are defined by the IP SRC, IP DST, UDP SRC, UDP DST, the sFLOW-RT should show 4 flows (2 for each switch) and not 1.

Basically what I'm trying to do is the same as Flow Statistics Message, but I want to have the information on each switch and each flow.

I'm using mininet and all that I configure was this:

sh sudo ovs-vsctl -- --id=@sflow create sflow agent=eth1  target=\"192.168.56.1:6343\" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow

sh sudo ovs-vsctl -- --id=@sflow create sflow agent=eth1  target=\"192.168.56.1:6343\" sampling=10 polling=20 -- -- set bridge s2 sflow=@sflow

Thank you.

[Peter Phaal]

Mininet uses a single instance of Open vSwitch. Each Mininet switch is
a different OpenFlow datapath. You need to set sFlow on all the
Mininet switches in a single command, your second command turned off
sFlow on s1.

ovs-vsctl -- --id=@sflow create sflow agent=eth1 target=\"192.168.56.1:6343\" \
sampling=10 polling=20 -- \

-- set bridge s1 sflow=@sflow \

-- set bridge s2 sflow=@sflow

> --
> You received this message because you are subscribed to the Google Groups
> "sFlow" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sflow+un...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

[Pedro Henrique]

Hi.

I did what you said above and it worked. I installed the SFlowTrend, then I could notice more information in the network. I didn't understand why I have interfaces 23,25,27,30 if I have only two switches with 2 ports only. Maybe I'm doing something wrong, but I think SFlowTrend offers more information than SFlow-RT.

Then, I created another topology with 4 switches and 2 hosts.

Like this: H1 ------- SW1 ------ SW2 --- SW3--- SW4 --- H2  

When I send TCP traffic between H1 and H2 using Iperf, it's possible to see 8 ports(10G) sending traffic in SFlowTrend and two flows, the other 3 ports(100M) are not receiving or sending (0% utlization) traffic. The ports are also numbered from 31 to 44 ... I really didn't understand, since my switches don't have these interfaces.

When I use SFlow-RT with the same topology I can see the two flows, but not the number of traffic passing in each flow of the switch. 

I would like to know the amount of traffic passing in each flow of the switch per second...

Like this:

Second 5, Flow: X                Second 6, Flow: X

SW1 -> 100 Mbs / s              SW1 -> 102 Mbs / s

SW2 -> 102 Mbs / s              SW2 -> 105 Mbs / s

SW3 -> 108 Mbs / s              SW3 -> 101 Mbs / s

SW4 -> 110 Mbs / s              SW2 -> 105 Mbs / s

Command used in mininet:

sh ovs-vsctl -- --id=@sflow create sflow agent=eth1 target=\"192.168.56.1:6343\" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow -- set bridge s2 sflow=@sflow -- set bridge s3 sflow=@sflow -- set bridge s4 sflow=@sflow

Is something related to this: http://127.0.0.1:8008/flows/json?

Thanks.

[Peter Phaal]

OpenFlow and sFlow have different ways to identifying switches and
ports. While your topology in Mininet has 4 switches, there is only 1
instance of Open vSwitch and 1 switch as far as sFlow is concerned.
The extras/indexToPort.py script that ships with sFlow-RT provides a
way to map the ifIndex numbers that sFlow reports to OpenFlow datapath
and port IDs.

If you want to see flow data in sFlow-RT, you need to first configure
the flow caches:

http://blog.sflow.com/2013/08/restflow.html

[Pedro Henrique]

Got it. I followed the page you mentioned and it works.

I created this flow cache:

curl -H "Content-Type:application/json" -X PUT --data "{keys:'ipsource,ipdestination,tcpsourceport,tcpdestinationport', value:'bytes', log:true}" http://127.0.0.1:8008/flow/tcp/json

And now I can access the flows, using this command.

http://127.0.0.1:8008/flows/json?maxFlows=4&name=tcp

Ok... I'm using a topology with 2 switches, 2 hosts and I think it's working. Take a look:

[
 {
  "agent": "192.168.56.120",
  "dataSource": "19",
  "end": 1391779971349,
  "flowID": 769,
  "flowKeys": "10.0.0.2,10.0.0.1,5001,39640",
  "name": "tcp",
  "start": 1391779911282,
  "value": 4622798.9265738055
 },
 {
  "agent": "192.168.56.120",
  "dataSource": "22",
  "end": 1391779971349,
  "flowID": 768,
  "flowKeys": "10.0.0.2,10.0.0.1,5001,39640",
  "name": "tcp",
  "start": 1391779911303,
  "value": 4611028.287888947
 },
 {
  "agent": "192.168.56.120",
  "dataSource": "21",
  "end": 1391779971271,
  "flowID": 767,
  "flowKeys": "10.0.0.1,10.0.0.2,39640,5001",
  "name": "tcp",
  "start": 1391779911248,
  "value": 8.339224087560749E9
 },
 {
  "agent": "192.168.56.120",
  "dataSource": "17",
  "end": 1391779967745,
  "flowID": 766,
  "flowKeys": "10.0.0.1,10.0.0.2,39640,5001",
  "name": "tcp",
  "start": 1391779907738,
  "value": 8.319268933611224E9
 }
]

Some doubts...
Probably the value is the amount of traffic passing in the flow right now, during the minute or another thing?
When I try to refresh the page, the traffic is not being refreshed, why? 

[Peter Phaal]

The flows aren't changing because you are polling for completed flow
records. To get the active flows, you should use the metric, dump, or
activeflows queries.

[Pedro Henrique]

It worked. Thank you so much!

I was doing some searching on the web and found this thread about mapping the openvswitch switch ports to ifindex. (https://groups.google.com/forum/#!msg/sflow/UXK6REbrkYI/WoZnQm2vzdUJ)

Since this thread is from last year, I would like to know if there is a new way to map the ports...  

[Pedro Henrique]

I executed this file indexToPort.py, but I'm receiving this result "{ }".

I'm running my Mininet in VirtualBox and acessing it remotely via the terminal. I cleaned my mininet topology using "sudo mn -c", then created a new topology and executed all the commands needed to send the data from the switches to SFlow-RT . After this I executed the file indexToPort.py, but the answer was "{ }". 

Do I need to install SFlow-RT in mininet? Because when I execute the command I'm probably not acessing the Mininet Virtual Machine, only my physical host... 

Thanks.

[Peter Phaal]

You need to run the indexToPort.py script on the Mininet virtual
machine. I find it easiest to install sFlow-RT on the Mininet virtual
machine (along with the OpenFlow controller). It simplifies the
configurations and avoid issues with firewalls etc.

On Sat, Feb 8, 2014 at 5:11 PM, Pedro Henrique

[Pedro Henrique]

It worked, thanks.

Please correct me if I'm wrong, the switches are sending the data (probably once a second) to the agent that sends to the collector. The counters are incremented when there is a match in the flow table or when the traffic enter the interface?

[Peter Phaal]

The sFlow agent sends two types of data:
1. periodic interface counter updates (by default, every 30 seconds
updates are sent to the collector)
2. randomly sampled packet headers (combined with information on how
the switch forwarded the packets) are sent immediately to the
collector.

The collector maintains the flow cache, calculates traffic rates, and
generates threshold events.

On Mon, Feb 10, 2014 at 6:29 AM, Pedro Henrique

[Pedro Henrique]

Using this command I can access the information of the flows I've created. http://127.0.0.1:8008/dump/ALL/udp/json

Like this:

[
 {
  "agent": "192.168.56.120",
  "dataSource": "3",
  "lastUpdate": 0,
  "metricName": "udp",
  "metricValue": 1.3000075155298363E7,
  "topKeys": [{
   "key": "10.0.0.1,10.0.0.2,37925,5001",
   "lastUpdate": 0,
   "value": 1.3000075155298363E7
  }]
 },
 {
  "agent": "192.168.56.120",
  "dataSource": "7",
  "lastUpdate": 8,
  "metricName": "udp",
  "metricValue": 1.3165422906452058E7,
  "topKeys": [{
   "key": "10.0.0.1,10.0.0.2,37925,5001",
   "lastUpdate": 8,
   "value": 1.3165422906452058E7
  }]
 } 

]

I think I'm not understanding this so much... The dataSource is the ingress port of the switch for that flow, but the "value field" is the amount of traffic passing through the switch or entering in the switch's ingress port?

Thanks again. 

[Peter Phaal]

Most sFlow implementations perform ingress sampling, but egress, or
bi-directional sampling are also possible. In the case of a
bi-directional sampling data source, you can use the filter
"direction=ingress" when you define the flow to select ingress traffic
only.

It looks like your "udp" flow is tracking
ipsource,ipdestination,udpsourceport,udpdestinationport. In this case
the amount of traffic being reported as entering the switch's ingress
port is the same as the amount of traffic associated with the flow
that passes through the switch (unless the flow is dropped by the
switch - you could include the following filter
"outputifindex!=discard" to prevent discarded traffic from being
considered). Normally you would enable sFlow on all switches and
ports, so you will also see the egress traffic as ingress traffic on
the upstream switch.

On Sun, Feb 16, 2014 at 5:46 AM, Pedro Henrique

[Pedro Henrique]

Ok. It seems that I configured only the ingress port sampling. Doing some search here and I didn't find how to enable egress port (or both) sampling on Mininet. How can I do this? 

I'm using this command to configure Sflow on the switches:

sh sudo ovs-vsctl -- --id=@sflow create sflow agent=eth1 target=\"192.168.56.1:6343\" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow -- set bridge s2 sflow=@sflow

[Peter Phaal]

Open vSwitch performs ingress sampling - you can track the ingress /
egress packet paths with sFlow-RT by including
inputifindex,outputifindex in your flow definition, e.g.
keys:'inputifindex,outputifindex,ipsource,ipdestination,tcpsourceport,tcpdestinationport'

Since packets pass through a switch, you will see all packet paths if
you enable sFlow on all ports irrespective of the sampling direction
(ingress, egress, bi-directional).

On Mon, Feb 17, 2014 at 8:25 AM, Pedro Henrique

[Pedro Henrique]

Got it. The reason that I can't see the traffic passing through the egress port is because OpenvSwitch performs ingress sampling.

For example:

H1 ----(Port 1) SW (Port2) ---- H2

When I send an UDP traffic (H1 to H2) with Iperf I can see the traffic passing through "Port 1" , but I can't see the traffic passing through "Port 2", the reason for this is because Openvswitch perfoms ingress sampling.

In the example above, if I type: http://127.0.0.1:8008/dump/ALL/udp/json, I'll see the Port 1 (dataSource) there, but not Port 2.

Am I right? 

The reason that I asked you about egress interface is because the ingress traffic will not always be like the egress traffic, because the switch can drop some packets or the packets can enter in a queue, for example.

[Pedro Henrique]

Hi again.

I installed Sflow-RT on Mininet, generated a topology with it and I'm trying to run Sflow on a Virtual Host. Until now, nothing seems to work.

Something like this: (All generated by Mininet)

             H3 (Collector)

              |

H1 --- OVS1 --- OVS2 --- H2

I'm trying to run Sflow-RT on H3 and it is definitely running, but I can see no data arriving to H3. 

This is my script: sh sudo ovs-vsctl -- --id=@sflow create sflow agent=s1-eth3 target=\"10.0.20.20:6343\" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow -- set bridge s2 sflow=@sflow

Is this supposed to work?

>> >> >> >>> &g

...

[Peter Phaal]

Mininet creates an isolated network containing the simulated switches
and hosts. I don't believe there is any way for sFlow datagrams from
Open vSwitch to reach a Mininet host. You should run sFlow-RT outside
of Mininet (this is the same setup you would have if you were using an
external OpenFlow controller). The following article gives an example:

http://blog.sflow.com/2013/05/controlling-large-flows-with-openflow.html

On Tue, Apr 8, 2014 at 4:37 PM, Pedro Henrique

> --
> You received this message because you are subscribed to the Google Groups
> "sFlow" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sflow+un...@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.

[Pedro Henrique]

Thanks.

I'm having a problem and I really don't know how to solve this.

I installed Mininet on my Physical Host (No Virtual Machine).

I also generated a topology like this using Mininet:

H1 --- OVS1 --- OVS2 --- H2

I'm sending a traffic from H1 to H2, using Iperf.

My physical Host is sending Sflow Traffic to the collector, but the collector (using Rest API) is showing me a different Data Source compared to the "indextoPort.py".

Rest API:

[
 {
  "agent": "10.0.0.100",
  "dataSource": "2.1000",
  "lastUpdate": 2,
  "metricName": "udp",
  "metricValue": 1.3196068224561417E7,
  "topKeys": [
   {
    "key": "10.0.20.10,10.0.20.20,43130,5001",
    "lastUpdate": 2,
    "value": 1.3196068224561417E7
   },
   {
    "key": "0.0.0.0,255.255.255.255,68,67",
    "lastUpdate": 16427,
    "value": 1.4938231142276044
   }
  ]
 }

 {
  "agent": "10.0.0.100",
  "dataSource": "2.1001",
  "lastUpdate": 3,
  "metricName": "udp",
  "metricValue": 1.3867384534219673E7,
  "topKeys": [
   {
    "key": "10.0.20.10,10.0.20.20,43130,5001",
    "lastUpdate": 3,
    "value": 1.3867384534219673E7
   },
   {
    "key": "0.0.0.0,255.255.255.255,68,67",
    "lastUpdate": 12216,
    "value": 8.240292363362695
   }
  ]
 }

indextoPort.py

{"13": {"switch": "ovs", "port": "ovs-system"}, "38": {"switch": "s1", "port": "s1-eth1"}, "43": {"switch": "s2", "port": "s2-eth3"}, "40": {"switch": "s2", "port": "s2-eth2"}, "36": {"switch": "s2", "port": "s2-eth1"}, "41": {"switch": "s1", "port": "s1-eth2"}}

Why is happening this?

[Peter Phaal]

Are you running Mininet 2.1? I believe it uses a newer version of Open
vSwitch. The sFlow data sources changed from port based to datapath
based and that looks like what you are seeing "2.1001". You can
explicitly add the ifindex number to flow definition by including
inputifindex,outputifindex in your flow keys. You can then use the
ifindex numbers to lookup the Mininet switches and ports for the flow.

On Wed, Apr 9, 2014 at 10:54 AM, Pedro Henrique

[Pedro Henrique]

It seems to be working, thank you so much!

Is there a way to show only "values" bigger than 1? For example, I don't want that values similiar to

"value": 3.9976194902333083E-22 appears on my Rest Api. In the case below, the flow 
"key": "1,5,10.0.0.101,200.131.206.30,26340,53" will not appear on my Rest API.
  "topKeys": [
   {
    "key": "1,5,10.0.0.100,10.0.0.7,35993,6343",
    "lastUpdate": 241,
    "value": 310303.26716923673
   },
   {
    "key": "1,5,10.0.0.101,10.0.0.7,43841,6343",
    "lastUpdate": 972,
    "value": 195968.38534171964
   },
   {
    "key": "1,5,10.0.0.100,10.0.0.7,52084,6343",
    "lastUpdate": 2051,
    "value": 145133.82554375567
   },
   {
    "key": "1,5,10.0.0.101,10.0.0.7,38826,6343",
    "lastUpdate": 972,
    "value": 128377.11586738651
   },
   {
    "key": "1,5,10.0.0.101,200.131.206.30,26340,53",
    "lastUpdate": 119313,
    "value": 3.9976194902333083E-22
   }

[Peter Phaal]

You can use the activeflows query to show only flows larger than a threshold.

If you have any further questions about sFlow-RT, please raise them on
the sFlow-RT group, the sFlow group is intended for general discussion
about the sFlow protocol:

https://groups.google.com/d/forum/sflow-rt

On Wed, Apr 9, 2014 at 2:11 PM, Pedro Henrique

[Peter Phaal]

We just released a new version of sFlow-RT that improves the functionality with Mininet 2.1 (it creates interface data sources). You might also be interested in the Mininet integrated hybrid OpenFlow ECMP leaf and spine emulation that is included with the release:

http://blog.sflow.com/2014/04/mininet-integrated-hybrid-openflow.html

>> >> >> >> >&

...

[Pedro Henrique]

Thanks, I'll take a look on this later.

I'm trying to post on the Sflow-RT forum, but the forum doesn't accept my questions.

I'm just wondering if it is possible to measure the dropped traffic through Sflow if the OpenVSwitches are configured using traffic shaping. I'm testing this with Sflow, but the dropped bytes are not being showed. Similar to this:

inputifindex   outputifindex                   ipsource         ipdestination           udpsourceport                  udpdestinationport                       bytes

7                          discard                    192.168.1.101         192.168.1.106                                   40481                                                 5001                                              0.0000

Thanks!

>> >> >> >&

...

[Peter Phaal]

If an OpenFlow rule drops the packets then you can use a filter in
your flow definition to identify discarded packets, i.e.
filter:outputifindex=discard

However, I believe rate limiting occurs after the packet has passed
through the Open vSwitch and so it can't be reported directly. If you
enable sFlow on the downstream switch then you can see how much has
been discarded (the difference between the traffic seen by the
upstream and downstream switch ports).

On Thu, Jul 3, 2014 at 11:51 PM, Pedro Henrique

[Pedro Henrique]

Hi again.

I'm developing an opensource application to monitor and manage an openflow network and I'm using Sflow to estimate the traffic passing through each switch. I already tested on Openvswitches and on a HP switch. The app is still in the beginning and there are some bugs to solve, however maybe you could give me some suggestions to improve the application or to correct something.

This is the video: http://youtu.be/Vm5WVoNU7Zg

To get the port traffic aggregate I'm doing a sum between all traffic passing through the port, I know that it's possible to get the total traffic on physical switches, but is there a way to get the aggregate on Openvswitches? 

Thank you for the attention.