Traffic sampling

Traffic sampling does not examine all packets received by a router. Command parameters allow the rate at which traffic is sampled and sent for flow analysis to be modified. The default sampling rate is every 1000th packet. Excessive sampling over an extended period of time, for example, more than every 1000th packet, can burden router processing resources.

The following data is maintained for each individual flow in the raw flow cache:

• Source IP address

• Destinations IP address

• Source port

• Destination port

• Forwarding status

• Input interface

• Output interface

• IP protocol

• TCP flags

• First timestamp (of the first packet in the flow)

• Last timestamp (timestamp of last packet in the flow before the expiry of the flow)

• Source AS number for peer and origin (taken from BGP)

• Destination AS number for peer and origin (taken from BGP)

• IP next hop

• BGP next hop

• ICMP type and code

• IP version

• Source prefix (from routing)

• Destination prefix (from routing)

• MPLS label stack from label 1 to 6

Within the raw flow cache, the following characteristics are used to identify an individual flow:

• Ingress interface

• Source IP address

• Destination IP address

• Source transport port number

• Destination transport port number

• IP protocol type

• IP ToS byte

• Virtual router ID

• ICMP type and code

• Direction

• MPLS labels

SR OS implementation allows cflowd to be enabled at the interface level or as an action to a filter. By enabling cflowd at the interface level, all IP packets forwarded by the interface are subject to cflowd analysis. By setting cflowd as an action in a filter, only packets matching the specified filter are subject to cflowd analysis. This provides the network operator greater flexibility in the types of flows that are captured.