Plugin: netflow-plugin Module: sflow
Collect sampled network flow records from sFlow v5 agents. sFlow provides statistically sampled packet headers, interface counters, or extended gateway data. Each flow record exposes source and destination IP, ports, protocol, bytes, packets, and sampling rate information.
For full documentation including how sFlow differs fundamentally from NetFlow (packet sampling vs aggregated flows), vendor configuration examples (Arista, Juniper, Aruba CX, Ruckus, hsflowd), and the limits of sampled data, see the Network Flows Overview.
The plugin uses the same configurable UDP listener set as NetFlow/IPFIX. sFlow datagrams are identified by their distinct header format and decoded per the sFlow v5 specification. Decoded records are enriched and appended to disk-backed journal tiers.
This integration is supported on all platforms.
This integration runs as a single instance per Netdata Agent.
The stock configuration enables the plugin and listens on the configured UDP ports.
Operational limits are driven by sustained samples/s, sampling rate, cardinality, retention, storage speed, and enrichment. Plan capacity from the received sample rate and the expanded byte/packet estimates.
Disabled until sFlow agents send traffic. Once active, CPU and disk I/O scale with received samples/s and cardinality; size retention and storage from observed flow records/s.
A switch, router, or host-based sFlow agent (such as Host sFlow) configured to send sFlow v5 datagrams to the Netdata agent’s UDP listener.
sFlow shares the same netflow.yaml configuration file as NetFlow and IPFIX.
Enable sFlow via the protocols.sflow option.
| Option | Description | Default | Required |
|---|---|---|---|
| listener.listen | UDP listener endpoints for NetFlow/IPFIX and sFlow datagrams. YAML accepts either a scalar endpoint or a list of endpoints; CLI accepts repeated --netflow-listen flags or comma-delimited values. | 0.0.0.0:2055, 0.0.0.0:6343 | no |
| protocols.sflow | Enable sFlow decoding. | yes | no |
| journal.journal_dir | Directory for journal files (relative to NETDATA_CACHE_DIR). | flows | no |
| journal.tiers.<tier>.size_of_journal_files | Per-tier hard size cap. Replace <tier> with raw, minute_1, minute_5, or hour_1. Set to null for time-only retention. | 10GB | no |
| journal.tiers.<tier>.duration_of_journal_files | Per-tier maximum age. Replace <tier> with raw, minute_1, minute_5, or hour_1. The default null disables time-based eviction; set a duration to add an age cap. | null | no |
The configuration file name for this integration is netflow.yaml.
You can edit the configuration file using the edit-config script from the Netdata config directory.

```bash
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config netflow.yaml
```
Listen for sFlow v5 datagrams on the standard sFlow port.

```yaml
enabled: true
listener:
  listen: "0.0.0.0:6343"
protocols:
  v5: false
  v7: false
  v9: false
  ipfix: false
  sflow: true
```
Network flow data is stored as journal records, not as traditional metrics. Use the Network Flows view in the Netdata dashboard to query and visualize flow data. For the full list of fields and the per-protocol availability matrix, see the Field Reference. sFlow byte counts are statistical estimates (sampled packets multiplied by sampling rate); they will not reconcile byte-for-byte with SNMP interface counters.
There are no alerts configured by default for this integration.
See Troubleshooting for
the full diagnostic recipe. sFlow-specific gotchas: Netdata creates Network Flow rows
from sFlow flow samples (flow_sample / expanded_flow_sample) only. Counter-only
streams (counters_sample / expanded_counters_sample) are valid sFlow and increment
sFlow packet counters, but they do not contain endpoint-level source/destination flow
records for the Flow Explorer, Sankey, time-series, or maps. Bytes/packets are
statistical estimates that won’t match SNMP byte-for-byte, and VLAN information comes
from ExtendedSwitch records only – not from 802.1Q tags inside the sampled header.
See also
Validation and Data Quality
and the sFlow section of Anti-patterns.
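
A capture-side check for the counter-only gotcha described above, as an added example that is not Netdata's code: it walks the sample records of one sFlow v5 datagram and reports whether any flow samples are present. The function names, the `produces_flow_rows` key and the constructed datagram are assumptions for illustration; the sample format codes and field offsets follow the sFlow v5 specification.

```python
import struct
from collections import Counter

# Sample format codes (enterprise 0) defined by the sFlow v5 specification.
SAMPLE_TYPES = {1: "flow_sample", 2: "counters_sample",
                3: "expanded_flow_sample", 4: "expanded_counters_sample"}
RATE_OFFSET = {1: 8, 3: 12}  # byte offset of sampling_rate inside a flow sample body


def summarize_sflow(datagram: bytes) -> dict:
    """Count sample types in one sFlow v5 datagram and collect flow sampling rates."""
    if len(datagram) < 8:
        raise ValueError("truncated header")
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError(f"not an sFlow v5 datagram (version field = {version})")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # IPv4 or IPv6 agent address
    if addr_len is None or len(datagram) < 8 + addr_len + 16:
        raise ValueError("unknown agent address type or truncated header")
    off = 8 + addr_len + 16  # samples start after sub-agent id, sequence, uptime, count
    num_samples = struct.unpack_from("!I", datagram, off - 4)[0]
    counts, rates = Counter(), []
    for _ in range(num_samples):
        if len(datagram) < off + 8:
            raise ValueError("truncated sample header")
        tag, length = struct.unpack_from("!II", datagram, off)
        off += 8
        if length > len(datagram) - off:
            raise ValueError("sample length exceeds datagram")
        enterprise, fmt = tag >> 12, tag & 0xFFF
        known = enterprise == 0 and fmt in SAMPLE_TYPES
        counts[SAMPLE_TYPES[fmt] if known else f"other_{enterprise}_{fmt}"] += 1
        if known and fmt in RATE_OFFSET and length >= RATE_OFFSET[fmt] + 4:
            rates.append(struct.unpack_from("!I", datagram, off + RATE_OFFSET[fmt])[0])
        off += length
    flows = counts["flow_sample"] + counts["expanded_flow_sample"]
    return {"samples": dict(counts), "sampling_rates": rates, "produces_flow_rows": flows > 0}


def build_datagram(samples):
    """Constructed input: IPv4 agent 192.0.2.1 carrying the given (format, body) samples."""
    header = struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 1]), 0, 1, 1000, len(samples))
    return header + b"".join(struct.pack("!II", f, len(b)) + b for f, b in samples)


FLOW_BODY = struct.pack("!8I", 1, 3, 1024, 2048, 0, 1, 2, 0)  # sampling_rate=1024, no records
COUNTERS_BODY = struct.pack("!3I", 1, 3, 0)  # sequence, source_id, no records
if __name__ == "__main__":
    print(summarize_sflow(build_datagram([(2, COUNTERS_BODY), (2, COUNTERS_BODY)])))
```

A datagram for which `produces_flow_rows` is false still counts as received sFlow traffic, but it carries nothing the Flow Explorer can display.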