In a cloud-native environment, sFlow agents run on virtual switches (Open vSwitch). The analyzer cross-references sFlow samples with orchestrator APIs. It can show: "Pod frontend-7d8f9 is talking to database postgres-0 using 200 Mbps of TLS traffic—this is anomalous."
The analyzer sees: "1 packet for 192.168.1.100 -> 203.0.113.50, sample rate 1/1000". It immediately multiplies: This represents 1,000 real packets . It then multiplies by average packet size (from the header, say 500 bytes) to get 500,000 bytes (4 Mbits) of traffic contributed by that flow. sflow analyzer
The analyzer keeps an in-memory hash table keyed by (src_ip, dst_ip, src_port, dst_port, protocol) . It adds the extrapolated bytes and packets to that key. In a cloud-native environment, sFlow agents run on
What the industry needed was —a way to look at a statistically significant fraction of traffic and infer the whole picture. Chapter 1: The Birth of sFlow (2001) In 2001, InMon Corporation (founded by Peter Phaal, who had previously worked on packet sampling at Sprint) published a revolutionary idea: sFlow (Sampled Flow). It adds the extrapolated bytes and packets to that key
A modern analyzer (e.g., FastNetMon, Akvorado) uses sFlow to watch for SYN floods. When a DDoS starts, the analyzer detects the anomaly in <1 second, extracts the victim IP from the sFlow samples, and automatically injects a BGP FlowSpec rule to block the attack at the router—all without human intervention.
When a router samples a packet, it creates a tiny record (usually 64–128 bytes of the packet header—source IP, destination IP, port, protocol). It wraps this in an sFlow datagram (UDP) and fires it out to a collector.