Traffic sampling does not examine every packet received by a router. The user can configure command parameters to change the rate at which traffic is sampled and sent for flow analysis. The default sampling rate is one out of every 1000 packets.
Excessive sampling, such as one out of every 100 packets, over an extended period of time can burden router processing resources.
The following data is maintained for each individual flow in the raw flow cache:
source IP address
destination IP address
source port
destination port
forwarding status
input interface
output interface
IP protocol
TCP flags
first timestamp (of the first packet in the flow)
last timestamp (timestamp of last packet in the flow before expiry of the flow)
source AS number for peer and origin (taken from BGP)
destination AS number for peer and origin (taken from BGP)
IP next hop
BGP next hop
ICMP type and code
IP version
source prefix (from routing)
destination prefix (from routing)
MPLS label stack from label 1 to 6
Within the raw flow cache, the following characteristics are used to identify an individual flow:
ingress interface
source IP address
destination IP address
source transport port number
destination transport port number
IP protocol type
IP TOS byte
virtual router ID
ICMP type and code
direction
MPLS labels
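The following sketch is an added example, not code from the original page or from any router implementation: it models a raw flow cache keyed on the characteristics listed above and fed by 1-in-N sampling, to show which flows end up with a record. The class and function names, the deterministic every-Nth-packet sampler, the OR-ing of TCP flags, the sampled_packets counter and the traffic itself are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional, Tuple

class FlowKey(NamedTuple):
    # The characteristics the page lists as identifying one flow.
    ingress_if: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    tos: int
    vrid: int
    icmp: Optional[Tuple[int, int]]   # (type, code); None for non-ICMP
    direction: str
    mpls: Tuple[int, ...]

@dataclass
class FlowRecord:
    first_ts: int              # first sampled packet of the flow (ms)
    last_ts: int               # most recent sampled packet of the flow (ms)
    tcp_flags: int = 0         # assumption: flags are OR-ed across packets
    sampled_packets: int = 0   # example-only counter, not in the page's list

class RawFlowCache:
    def __init__(self, rate=1000):
        self.rate, self.seen, self.flows = rate, 0, {}
    def packet(self, key, ts, tcp_flags=0):   # True if the packet was sampled
        self.seen += 1
        if self.seen % self.rate:      # assumption: deterministic 1-in-N
            return False
        rec = self.flows.setdefault(key, FlowRecord(ts, ts))
        rec.last_ts = ts
        rec.tcp_flags |= tcp_flags
        rec.sampled_packets += 1
        return True

# Constructed traffic: a 2997-packet bulk transfer with a 3-packet
# connection (SYN, ACK, FIN) interleaved at packet positions 10-12.
BULK = FlowKey("1/1/1", "192.0.2.10", "198.51.100.5", 40000, 443, 6, 0, 1, None, "ingress", ())
SHORT = BULK._replace(src_ip="192.0.2.99", src_port=51515, dst_port=22)
SHORT_FLAGS = {10: 0x02, 11: 0x10, 12: 0x01}

def run(rate):
    cache = RawFlowCache(rate)
    for i in range(1, 3001):           # i doubles as the timestamp in ms
        key, flags = (SHORT, SHORT_FLAGS[i]) if i in SHORT_FLAGS else (BULK, 0x10)
        cache.packet(key, i, flags)
    return cache.flows
```

With run(1000) only the bulk transfer has a record, built from three sampled packets, while run(1) records both flows. Short-lived connections can therefore be absent from sampled flow data, which matters when that data is used for detection or incident reconstruction.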
The user enables cflowd at the interface level. Once cflowd is enabled on an interface, all IP packets forwarded by that interface are subject to cflowd analysis.