sFlow
Plugin: netflow-plugin Module: sflow
Overview
Collect sampled network flow records from sFlow v5 agents. sFlow provides statistically sampled packet headers, interface counters, or extended gateway data. Each flow record exposes source and destination IP, ports, protocol, bytes, packets, and sampling rate information.
For full documentation including how sFlow differs fundamentally from NetFlow (packet sampling vs aggregated flows), vendor configuration examples (Arista, Juniper, Aruba CX, Ruckus, hsflowd), and the limits of sampled data, see the Network Flows Overview.
The plugin listens on the same UDP socket as NetFlow. sFlow datagrams are identified by their distinct header format and decoded per the sFlow v5 specification. Decoded records are enriched and appended to disk-backed journal tiers.
This integration is only supported on the following platforms:
- Linux
This integration runs as a single instance per Netdata Agent.
Default Behavior
Auto-Detection
The plugin starts when enabled in netflow.yaml and listens on the configured UDP port.
Limits
Operational limits are driven by sustained samples/s, sampling rate, cardinality, retention, storage speed, and enrichment. Plan capacity from the received sample rate and the expanded byte/packet estimates.
Performance Impact
Disabled until sFlow agents send traffic. Once active, CPU and disk I/O scale with received samples/s and cardinality; size retention and storage from observed flow records/s.
Setup
Prerequisites
sFlow-capable agent
A switch, router, or host-based sFlow agent (such as Host sFlow) configured to send sFlow v5 datagrams to the Netdata agent's UDP listener.
Configuration
Options
sFlow shares the same netflow.yaml configuration file as NetFlow and IPFIX.
Enable sFlow via the protocols.sflow option.
Config options
| Option | Description | Default | Required |
|---|---|---|---|
| listener.listen | UDP endpoint for sFlow datagrams. | 0.0.0.0:2055 | no |
| protocols.sflow | Enable sFlow decoding. | yes | no |
| journal.journal_dir | Directory for journal files (relative to NETDATA_CACHE_DIR). | flows | no |
| journal.tiers.<tier>.size_of_journal_files | Per-tier hard size cap. Replace <tier> with raw, minute_1, minute_5, or hour_1. Set to null for time-only retention. | 10GB | no |
| journal.tiers.<tier>.duration_of_journal_files | Per-tier maximum age. Replace <tier> with raw, minute_1, minute_5, or hour_1. Set to null for size-only retention. | 7d | no |
via File
The configuration file name for this integration is netflow.yaml.
You can edit the configuration file using the edit-config script from the
Netdata config directory.
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config netflow.yaml
Examples
sFlow collection
Listen for sFlow v5 datagrams on Netdata's default flow listener port.
enabled: true
listener:
listen: "0.0.0.0:2055"
protocols:
v5: false
v7: false
v9: false
ipfix: false
sflow: true
Verifying sFlow is arriving and diagnosing failures
See Troubleshooting for
the full diagnostic recipe. sFlow-specific gotchas: counter samples are not surfaced
(only flow samples), bytes/packets are statistical estimates that won't match SNMP
byte-for-byte, and VLAN information comes from ExtendedSwitch records only -- not
from 802.1Q tags inside the sampled header. See also
Validation and Data Quality
and the sFlow section of Anti-patterns.
Do you have any feedback for this page? If so, you can open a new issue on our netdata/learn repository.