On Tue, Oct 16, 2007 at 12:44:39PM -0700, Andrew Feren wrote:
>
> A couple of clarifications
>
> First a bit about sFlow. sFlow is a flow monitoring protocol sort of like
> NetFlow. The difference (for this discussion) is that NetFlow pulls info
> from packet headers and puts it into NetFlow defined fields. sFlow in sample
> mode selects a sample of headers from various conversations and bundles them
> into a single packet like this
>
> [IP [UDP|TCP [ sflow headers [header samp1][header samp2]...[header sampN]]]]

Ah, that does indeed put another light on dissecting, filtering and
coloring sFlow. I expected it to have only one header in its payload :-)

Are you able to share a small capture file with some sFlow packets
with multiple headers as payload? I'm interested to have a look at
it to see what I would find useful...

Cheers,
Sake