sFlow
Plugin: netflow-plugin Module: sflow
Overview
Collect sampled network flow records from sFlow v5 agents. sFlow provides statistically sampled packet headers, interface counters, or extended gateway data. Each flow record exposes source and destination IP, ports, protocol, bytes, packets, and sampling rate information.
For full documentation including how sFlow differs fundamentally from NetFlow (packet sampling vs aggregated flows), vendor configuration examples (Arista, Juniper, Aruba CX, Ruckus, hsflowd), and the limits of sampled data, see the Network Flows Overview.
The plugin uses the same configurable UDP listener set as NetFlow/IPFIX. sFlow datagrams are identified by their distinct header format and decoded per the sFlow v5 specification. Decoded records are enriched and appended to disk-backed journal tiers.
This integration is supported on all platforms.
This integration runs as a single instance per Netdata Agent.
Default Behavior
Auto-Detection
The stock configuration enables the plugin and listens on the configured UDP ports.
Limits
Operational limits are driven by sustained samples/s, sampling rate, cardinality, retention, storage speed, and enrichment. Plan capacity from the received sample rate and the expanded byte/packet estimates.
Performance Impact
Disabled until sFlow agents send traffic. Once active, CPU and disk I/O scale with received samples/s and cardinality; size retention and storage from observed flow records/s.
Setup
Prerequisites
sFlow-capable agent
A switch, router, or host-based sFlow agent (such as Host sFlow) configured to send sFlow v5 datagrams to the Netdata agent's UDP listener.
Configuration
Options
sFlow shares the same netflow.yaml configuration file as NetFlow and IPFIX.
Enable sFlow via the protocols.sflow option.
Config options
| Option | Description | Default | Required |
|---|---|---|---|
| listener.listen | UDP listener endpoints for NetFlow/IPFIX and sFlow datagrams. YAML accepts either a scalar endpoint or a list of endpoints; CLI accepts repeated --netflow-listen flags or comma-delimited values. | 0.0.0.0:2055, 0.0.0.0:6343 | no |
| protocols.sflow | Enable sFlow decoding. | yes | no |
| journal.journal_dir | Directory for journal files (relative to NETDATA_CACHE_DIR). | flows | no |
| journal.tiers.<tier>.size_of_journal_files | Per-tier hard size cap. Replace <tier> with raw, minute_1, minute_5, or hour_1. Set to null for time-only retention. | 10GB | no |
| journal.tiers.<tier>.duration_of_journal_files | Per-tier maximum age. Replace <tier> with raw, minute_1, minute_5, or hour_1. The default null disables time-based eviction; set a duration to add an age cap. | null | no |
via File
The configuration file name for this integration is netflow.yaml.
You can edit the configuration file using the edit-config script from the
Netdata config directory.
```bash
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config netflow.yaml
```
Examples
sFlow collection
Listen for sFlow v5 datagrams on the standard sFlow port.
```yaml
enabled: true
listener:
  listen: "0.0.0.0:6343"
protocols:
  v5: false
  v7: false
  v9: false
  ipfix: false
  sflow: true
```
Verifying sFlow is arriving and diagnosing failures
See Troubleshooting for
the full diagnostic recipe. sFlow-specific gotchas: Netdata creates Network Flow rows
from sFlow flow samples (flow_sample / expanded_flow_sample) only. Counter-only
streams (counters_sample / expanded_counters_sample) are valid sFlow and increment
sFlow packet counters, but they do not contain endpoint-level source/destination flow
records for the Flow Explorer, Sankey, time-series, or maps. Bytes/packets are
statistical estimates that won't match SNMP byte-for-byte, and VLAN information comes
from ExtendedSwitch records only -- not from 802.1Q tags inside the sampled header.
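The flow-sample versus counter-sample distinction above can be checked directly on a captured UDP payload. The following is an added example, not Netdata's decoder: a minimal Python classifier that walks an sFlow v5 datagram and reports which sample types it carries and the sampling rate of each flow sample. The function names and the test datagram are constructed for illustration; the field layout follows the sFlow v5 specification.

```python
import struct

# sFlow v5 sample formats (enterprise 0); names match the text above.
SAMPLE_TYPES = {1: "flow_sample", 2: "counters_sample",
                3: "expanded_flow_sample", 4: "expanded_counters_sample"}
RATE_OFFSET = {1: 8, 3: 12}  # byte offset of sampling_rate in each flow sample body

def classify_datagram(data: bytes) -> dict:
    """Count sample types in one sFlow v5 datagram and collect sampling rates."""
    if len(data) < 8:
        raise ValueError("datagram too short")
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5:
        raise ValueError(f"not sFlow v5 (version field = {version})")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # IPv4 or IPv6 agent address
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    off = 8 + addr_len
    if len(data) < off + 16:
        raise ValueError("truncated header")
    # sub_agent_id, sequence_number, uptime, then the sample count
    num_samples = struct.unpack_from("!I", data, off + 12)[0]
    off += 16
    counts, rates = {}, []
    for _ in range(num_samples):
        if off + 8 > len(data):
            raise ValueError("truncated sample header")
        tag, length = struct.unpack_from("!II", data, off)
        off += 8
        if off + length > len(data):
            raise ValueError("truncated sample body")
        enterprise, fmt = tag >> 12, tag & 0xFFF
        name = SAMPLE_TYPES.get(fmt, "other") if enterprise == 0 else "other"
        counts[name] = counts.get(name, 0) + 1
        if name in ("flow_sample", "expanded_flow_sample") and length >= RATE_OFFSET[fmt] + 4:
            rates.append(struct.unpack_from("!I", data, off + RATE_OFFSET[fmt])[0])
        off += length
    has_flow = any(n.endswith("flow_sample") for n in counts)
    return {"counts": counts, "sampling_rates": rates, "has_flow_samples": has_flow}

def build_constructed_datagram(samples) -> bytes:
    """Constructed test input: header from agent 192.0.2.1 plus (format, body) samples."""
    hdr = struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 1]), 0, 1, 1000, len(samples))
    return hdr + b"".join(struct.pack("!II", f, len(b)) + b for f, b in samples)

# Constructed bodies: a flow_sample with sampling_rate 1024 and no records, and a minimal counters_sample.
FLOW_BODY = struct.pack("!8I", 1, 3, 1024, 2048, 0, 3, 4, 0)
COUNTER_BODY = struct.pack("!3I", 1, 3, 0)
```

A result with `has_flow_samples` set to `False` means the agent is sending a counter-only stream, which matches the case where sFlow packet counters increase but no Network Flow rows appear.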
See also
Validation and Data Quality
and the sFlow section of Anti-patterns.