__FLOW INFORMATION__

  * SFlow UDP-6343
  * Netflow (v5, v9) UDP-2055 or UDP-9996
  * IPFIX

Netflow vanilla configuration CSR1000v

  flow exporter Flow-exporter
   destination 10.10.11.143
   source GigabitEthernet1
   transport udp 9995
   ! every 3 minutes the router sends the 'options template', which includes the sampler rate.
   ! This allows 'embedded sampling' to be requested by the collector
   template timeout 180
   ! 'data' and 'options'. The lack of templates just means it takes X minutes until the
   ! collector can decode netflow after the collecting process first starts
   template data timeout 180
   template options timeout 180
   option sampler-table timeout 60
  !
  flow monitor Flow-monitor
   exporter Flow-exporter
   cache timeout active 60
   cache timeout active 5
   record netflow-original
   ! record netflow ipv4 original-input
  !
  sampler Flow-sampler
   mode random 1 out-of 50
  !
  interface GigabitEthernet3
   ip flow monitor Flow-monitor sampler Flow-sampler input

Netflow in ubuntu or FRR (agent): \\

  FRR01:~# systemctl status pmacctd.service
  ● pmacctd.service - promiscuous mode accounting daemon
     Loaded: loaded (/lib/systemd/system/pmacctd.service; enabled; vendor preset: enabled)
    Process: 530 ExecStart=/usr/sbin/pmacctd -f ${PMACCTD_CONF} $DAEMON_OPTS (code=exited, status=0/SUCCESS)
   Main PID: 546 (pmacctd)
     CGroup: /system.slice/pmacctd.service
             ├─546 pmacctd: Core Process [default]
             └─548 pmacctd: Netflow Probe Plugin [ens20]

  root@Router-FRR01:~# cat /lib/systemd/system/pmacctd.service
  [Unit]
  Description=promiscuous mode accounting daemon
  After=network.target
  
  [Service]
  Type=forking
  EnvironmentFile=-/etc/default/pmacctd
  ExecStart=/usr/sbin/pmacctd -f ${PMACCTD_CONF} $DAEMON_OPTS

  cat /etc/pmacct/pmacctd.conf
  daemonize: true
  interface: ens20
  aggregate: src_host, dst_host, src_port, dst_port, proto, tos
  plugins: nfprobe[ens20]
  nfprobe_receiver: 10.100.10.142:9995
  nfprobe_version: 9
  nfprobe_direction[ens20]: tag
  nfprobe_ifindex[ens20]: tag2
  pre_tag_map: /etc/pmacct/pretag.map
  timestamps_secs: true

SFLOW collector:

  * The default open source collector is: [[http://www.pmacct.net/]]

----

**__SFLOW__**

  * sampled frames + interface counter + flow-tuple data. All in the same packet
  * sflow is configurable via SNMP MIBs
  * Flow sample (conceptually one in each sflow packet, but in reality we pack more than 1). It lists things like: ingress, egress, ifindex and sampling rate
  * Flow record (the frame header with a little bit of metadata, like the header protocol (eg: Ethernet))

\\
SFLOW IN LINUX / FRR: \\
USE 'HOST SFLOW' PROJECT: [[https://sflow.net/documentation.php]]

  # Example of working config in /etc/hsflowd.conf : polling every 20 sec, sampling 1:100, collecting data from interface ens4
  sflow {
    polling = 20
    sampling = 100
    collector { ip=10.100.11.143 udpport=6343 }
    pcap { dev = ens4 }
    nflog { group = 5 probability = 0.01 }
  }

  # Then we need to issue these commands:
  echo 1 > /proc/sys/net/ipv4/ip_forward   # Enable IP forwarding in the linux box
  # This is for a sampling ratio of 100, needs to match what we configure in /etc/hsflowd.conf
  MOD_STATISTIC="-m statistic --mode random --probability 0.01"
  NFLOG_CONFIG="--nflog-group 5 --nflog-prefix SFLOW"
  sudo iptables -I INPUT -j NFLOG $MOD_STATISTIC $NFLOG_CONFIG
  sudo iptables -I OUTPUT -j NFLOG $MOD_STATISTIC $NFLOG_CONFIG
  # And restart:
  sudo systemctl enable hsflowd
  service hsflowd start
  # If issues
  service hsflowd start
  hsflowd -dd

Also see:

  * [[https://groups.google.com/g/sflow/c/990vzm2g16c]]
  * [[https://github.com/sflow/host-sflow/issues/38]]
  * [[https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-42/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/|Cumulus_tshoot]]
  * [[https://sharkfestus.wireshark.org/assets/presentations18/21.pdf|Tutu1]]

\\
\\
In Arista:

  * Arista Networks DCS-7060CX-32S: Hardware Sample Rate for SW sFlow: 4096 / Polling Interval (sec): 2.0 (default).

  sflow run
  sflow interface disable default
  int e2
   ip address 10.100.11.129/24
   description to-collector
  int e1
   ip add 192.168.0.1/24
   description measurement
   sflow enable
  !
  sflow destination 10.100.11.143 6343
  sflow source 10.100.11.129
  sflow source-interface e3
  ! interval for sending counter data to the sFlow collector. The default interval is two seconds.
  sflow polling-interval 30
  ! packet sampling rate. Packets are sampled at random intervals to avoid inaccurate sampling of periodic events.
  sflow sample 15
  ! Optional. The routing agent will export the BGP routing table and autonomous system path information to the sFlow agent
  sflow extension bgp
  !
  show sflow detail

In Junos

  # interval for sending data to the collector
  set protocols sflow polling-interval 2
  # packet sampling rate. Packets are sampled at random intervals
  set protocols sflow sample-rate ingress 4096
  set protocols sflow source-ip 1.1.1.1
  set protocols sflow collector 2.2.2.2 udp-port 6343
  set protocols sflow interfaces xe-0/0/0:0.0

ibr-0-0-1 protocols sflow

  set protocols sflow agent-id 1.1.1.1
  set protocols sflow polling-interval 1
  set protocols sflow sample-rate ingress 1024
  set protocols sflow source-ip 1.1.1.1
  set protocols sflow collector 2.2.2.2 udp-port 6343
  set protocols sflow interfaces xe-0/0/0:0.0

In Cisco (IOS-XR): [[https://blog.sflow.com/2022/02/cisco-ncs-5500-series-routers.html]]
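
The flow sample and flow record fields listed in the SFLOW section (ingress and egress ifindex, sampling rate, frame header with its header protocol) can be read directly from a datagram arriving on UDP 6343. The decoder below is an added example, not code from the original page or from any sFlow project: it parses sFlow v5 flow samples from a constructed datagram, treats the payload as untrusted (every length is checked, malformed input raises ValueError), and its function names and sample values are assumptions made for illustration.

```python
import socket
import struct

def build_sample_datagram():
    """Constructed sFlow v5 datagram: one flow sample, one raw-header record."""
    frame = bytes.fromhex("00112233445566778899aabb0800") + bytes(18)
    record = struct.pack("!4I", 1, 1514, 4, len(frame)) + frame  # protocol 1 = Ethernet
    record = struct.pack("!2I", 1, len(record)) + record  # record format 1 = raw header
    sample = struct.pack("!8I", 7, 3, 100, 700, 0, 3, 4, 1) + record
    sample = struct.pack("!2I", 1, len(sample)) + sample  # sample format 1 = flow sample
    return struct.pack("!2I4s4I", 5, 1, socket.inet_aton("10.100.11.129"), 0, 42, 60000, 1) + sample

def parse_flow_sample(body):
    _seq, _src, rate, _pool, _drops, in_if, out_if, nrec = struct.unpack_from("!8I", body, 0)
    off, records = 32, []
    for _ in range(nrec):
        fmt, length = struct.unpack_from("!2I", body, off)
        off += 8
        if off + length > len(body):
            raise ValueError("flow record runs past the end of the sample")
        if fmt == 1:  # raw packet header: protocol, frame length, stripped, header length
            proto, frame_len, _stripped, hdr_len = struct.unpack_from("!4I", body, off)
            records.append({"header_protocol": proto, "frame_length": frame_len,
                            "header": body[off + 16:off + length][:hdr_len]})
        off += length
    return {"sampling_rate": rate, "input_ifindex": in_if & 0x3FFFFFFF,
            "output_ifindex": out_if & 0x3FFFFFFF, "records": records,
            "estimated_bytes": rate * sum(r["frame_length"] for r in records)}

def parse_datagram(data):
    """Decode an untrusted UDP payload; malformed input raises ValueError."""
    try:
        version, addr_type = struct.unpack_from("!2I", data, 0)
        if version != 5 or addr_type != 1:
            raise ValueError("only sFlow v5 with an IPv4 agent address is handled")
        _sub, seq, _uptime, nsamples = struct.unpack_from("!4I", data, 12)
        agent = socket.inet_ntoa(data[8:12])
        off, samples = 28, []
        for _ in range(nsamples):
            tag, length = struct.unpack_from("!2I", data, off)
            off += 8
            if off + length > len(data):
                raise ValueError("sample runs past the end of the datagram")
            if tag == 1:  # enterprise 0, format 1 = flow sample
                samples.append(parse_flow_sample(data[off:off + length]))
            off += length
    except struct.error as exc:
        raise ValueError(f"truncated sFlow datagram: {exc}") from exc
    return {"agent": agent, "sequence": seq, "samples": samples}
```

`estimated_bytes` is the sampled frame length multiplied by the sampling rate carried in the same sample, which is how a collector scales sampled traffic back to a volume estimate.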
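
The Host sFlow notes say the iptables statistic probability needs to match the nflog probability in /etc/hsflowd.conf; when the two drift apart, collector-side volume estimates are off by the ratio between them. The check below is an added example, not part of the original page or of the Host sFlow project: it compares the two values, and the config text, the `iptables -S` style rules and the function names are constructed for illustration.

```python
import re

# Constructed inputs: an hsflowd.conf and `iptables -S` style output (iptables prints
# the probability as a rounded 32-bit fraction, e.g. 0.01 shows as 0.00999999978).
HSFLOWD_CONF = """
sflow {
  sampling = 100
  collector { ip=10.100.11.143 udpport=6343 }
  nflog { group = 5 probability = 0.01 }
}
"""
IPTABLES_S = """
-P INPUT ACCEPT
-A INPUT -m statistic --mode random --probability 0.00249999994 -j NFLOG --nflog-prefix SFLOW --nflog-group 5
-A OUTPUT -m statistic --mode random --probability 0.00999999978 -j NFLOG --nflog-prefix SFLOW --nflog-group 5
"""

def nflog_settings(conf_text):
    """Return (group, probability) from the nflog { } block of hsflowd.conf."""
    block = re.search(r"nflog\s*\{([^}]*)\}", conf_text)
    if block is None:
        raise ValueError("hsflowd.conf has no nflog block")
    group = re.search(r"group\s*=\s*(\d+)", block.group(1))
    prob = re.search(r"probability\s*=\s*([0-9.]+)", block.group(1))
    if group is None or prob is None:
        raise ValueError("nflog block needs both group and probability")
    return int(group.group(1)), float(prob.group(1))

def sampling_mismatches(conf_text, rules_text, tolerance=0.01):
    """List (chain, actual 1-in-N, reported 1-in-N) for NFLOG rules that disagree."""
    group, reported = nflog_settings(conf_text)
    findings = []
    for rule in rules_text.splitlines():
        m = re.search(r"--nflog-group (\d+)", rule)
        if "-j NFLOG" not in rule or m is None or int(m.group(1)) != group:
            continue
        chain = rule.split()[1]
        p = re.search(r"--probability ([0-9.]+)", rule)
        actual = float(p.group(1)) if p else 1.0  # no statistic match = every packet
        if abs(actual - reported) > tolerance * reported:
            findings.append((chain, round(1 / actual), round(1 / reported)))
    return findings
```

With the constructed inputs, `sampling_mismatches(HSFLOWD_CONF, IPTABLES_S)` flags the INPUT chain as sampling 1-in-400 while the config states 1-in-100; the relative tolerance absorbs the rounding iptables applies when it prints the probability.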