A dependency-free Rust library for parsing InMon sFlow version 5 datagrams.
Main sFlow v5 specification and common extensions are implemented. Each implemented flow and counter record is covered by a unit test and programmatically validated against the official sFlow specification documents.
The flows and counters types tables below list all sFlow structure numbers as defined in the official sFlow structure registry.
Status Legend:
- ✅ Implemented
- ⬜ Not implemented
- 🪦 Deprecated
The main specification is sFlow Version 5 from 2004, but many extensions have been published since to support additional monitoring use cases.
| Year | Specification | Description | Status |
|---|---|---|---|
| 2004 | sFlow Version 5 | Core protocol, base flow and counter records | ✅ |
| 2007 | sFlow 802.11 Structures | Wireless/802.11 monitoring extensions | ✅ |
| 2010 | sFlow Host Structures | Host and virtual machine performance metrics | ✅ |
| 2011 | sFlow HTTP Structures | HTTP performance metrics | ✅ |
| 2011 | sFlow Java Virtual Machine Structures | JVM performance metrics | ⬜ |
| 2011 | sFlow Memcache Structures | Memcache performance metrics | ⬜ |
| 2012 | sFlow NVML GPU Structures | NVIDIA GPU performance, status, and health | ⬜ |
| 2012 | sFlow Application Structures | Application resource monitoring | ✅ |
| 2012 | sFlow LAG Counters Structure | IEEE 802.1AX Link Aggregation (LACP) | ⬜ |
| 2012 | sFlow Tunnel Structures | Encapsulation/decapsulation (VXLAN, GRE, etc.) | ✅ |
| 2012 | sFlow Port NAT Structures | Port-based NAT mapping | ⬜ |
| 2013 | sFlow InfiniBand Structures | InfiniBand network monitoring | ⬜ |
| 2014 | sFlow OpenFlow Structures | OpenFlow port monitoring | ✅ |
| 2015 | sFlow Host TCP/IP Counters | Host IP, ICMP, TCP, and UDP counters | ⬜ |
| 2015 | sFlow Broadcom ASIC Table Utilization | Hardware table utilization for Broadcom ASICs | ⬜ |
| 2015 | sFlow Broadcom Buffer Utilization | Buffer utilization for Broadcom switches | ⬜ |
| 2016 | sFlow Optical Interface Structures | Pluggable optical modules (SFP, QSFP, etc.) | ⬜ |
| 2020 | sFlow Dropped Packet Notification | Reports on dropped packets with reason codes | ✅ |
| 2021 | sFlow Transit Delay Structures | Delay and queue depth for sampled packets | ✅ |
Note: See sFlow Errata for corrections to published specifications.
sFlow datagrams contain sample records. Each sample record has a format type that determines its structure:
| Enterprise | Format | Name | Specification | Status |
|---|---|---|---|---|
| 0 | 1 | Flow Sample | sFlow v5 | ✅ |
| 0 | 2 | Counters Sample | sFlow v5 | ✅ |
| 0 | 3 | Flow Sample Expanded | sFlow v5 | ✅ |
| 0 | 4 | Counters Sample Expanded | sFlow v5 | ✅ |
| 0 | 5 | Discarded Packet | sFlow Drops | ✅ |
Each sample contains one or more flow records (for flow samples) or counter records (for counter samples).
| Enterprise | Format | Name | Specification | Status |
|---|---|---|---|---|
| 0 | 1 | Sampled Header | sFlow v5 | ✅ |
| 0 | 2 | Sampled Ethernet | sFlow v5 | ✅ |
| 0 | 3 | Sampled IPv4 | sFlow v5 | ✅ |
| 0 | 4 | Sampled IPv6 | sFlow v5 | ✅ |
| 0 | 1001 | Extended Switch | sFlow v5 | ✅ |
| 0 | 1002 | Extended Router | sFlow v5 | ✅ |
| 0 | 1003 | Extended Gateway (BGP) | sFlow v5 | ✅ |
| 0 | 1004 | Extended User | sFlow v5 | ✅ |
| 0 | 1005 | Extended URL (deprecated) | sFlow v5 | ✅ 🪦 |
| 0 | 1006 | Extended MPLS | sFlow v5 | ✅ |
| 0 | 1007 | Extended NAT | sFlow v5 | ✅ |
| 0 | 1008 | Extended MPLS Tunnel | sFlow v5 | ✅ |
| 0 | 1009 | Extended MPLS VC | sFlow v5 | ✅ |
| 0 | 1010 | Extended MPLS FEC | sFlow v5 | ✅ |
| 0 | 1011 | Extended MPLS LVP FEC | sFlow v5 | ✅ |
| 0 | 1012 | Extended VLAN Tunnel | sFlow v5 | ✅ |
| 0 | 1013 | Extended 802.11 Payload | sFlow 802.11 | ✅ |
| 0 | 1014 | Extended 802.11 RX | sFlow 802.11 | ✅ |
| 0 | 1015 | Extended 802.11 TX | sFlow 802.11 | ✅ |
| 0 | 1016 | Extended 802.11 Aggregation | sFlow 802.11 | ✅ |
| 0 | 1017 | Extended OpenFlow v1 (deprecated) | sFlow OpenFlow Draft | ✅ 🪦 |
| 0 | 1018 | Extended Fibre Channel | sFlow Discussion | ⬜ |
| 0 | 1019 | Extended Queue Length | sFlow Discussion | ⬜ |
| 0 | 1020 | Extended NAT Port | sFlow Port NAT | ⬜ |
| 0 | 1021 | Extended L2 Tunnel Egress | sFlow Tunnel | ✅ |
| 0 | 1022 | Extended L2 Tunnel Ingress | sFlow Tunnel | ✅ |
| 0 | 1023 | Extended IPv4 Tunnel Egress | sFlow Tunnel | ✅ |
| 0 | 1024 | Extended IPv4 Tunnel Ingress | sFlow Tunnel | ✅ |
| 0 | 1025 | Extended IPv6 Tunnel Egress | sFlow Tunnel | ✅ |
| 0 | 1026 | Extended IPv6 Tunnel Ingress | sFlow Tunnel | ✅ |
| 0 | 1027 | Extended Decapsulate Egress | sFlow Tunnel | ✅ |
| 0 | 1028 | Extended Decapsulate Ingress | sFlow Tunnel | ✅ |
| 0 | 1029 | Extended VNI Egress | sFlow Tunnel | ✅ |
| 0 | 1030 | Extended VNI Ingress | sFlow Tunnel | ✅ |
| 0 | 1031 | Extended InfiniBand LRH | sFlow InfiniBand | ⬜ |
| 0 | 1032 | Extended InfiniBand GRH | sFlow InfiniBand | ⬜ |
| 0 | 1033 | Extended InfiniBand BRH | sFlow InfiniBand | ⬜ |
| 0 | 1034 | Extended VLAN In | sFlow Discussion | ⬜ |
| 0 | 1035 | Extended VLAN Out | sFlow Discussion | ⬜ |
| 0 | 1036 | Extended Egress Queue | sFlow Drops | ✅ |
| 0 | 1037 | Extended ACL | sFlow Drops | ✅ |
| 0 | 1038 | Extended Function | sFlow Drops | ✅ |
| 0 | 1039 | Extended Transit Delay | sFlow Transit | ✅ |
| 0 | 1040 | Extended Queue Depth | sFlow Transit | ✅ |
| 0 | 1041 | Extended HW Trap | host-sflow Implementation | ⬜ |
| 0 | 1042 | Extended Linux Drop Reason | host-sflow Implementation | ⬜ |
| 0 | 2000 | Transaction | sFlow Discussion | ⬜ |
| 0 | 2001 | Extended NFS Storage Transaction | sFlow Discussion | ⬜ |
| 0 | 2002 | Extended SCSI Storage Transaction | sFlow Discussion | ⬜ |
| 0 | 2003 | Extended HTTP Transaction | sFlow Discussion | ⬜ |
| 0 | 2100 | Extended Socket IPv4 | sFlow Host | ✅ |
| 0 | 2101 | Extended Socket IPv6 | sFlow Host | ✅ |
| 0 | 2102 | Extended Proxy Socket IPv4 | sFlow HTTP | ✅ |
| 0 | 2103 | Extended Proxy Socket IPv6 | sFlow HTTP | ✅ |
| 0 | 2200 | Memcache Operation | sFlow Memcache | ⬜ |
| 0 | 2201 | HTTP Request (deprecated) | sFlow Discussion | ⬜ 🪦 |
| 0 | 2202 | App Operation | sFlow Application | ✅ |
| 0 | 2203 | App Parent Context | sFlow Application | ✅ |
| 0 | 2204 | App Initiator | sFlow Application | ✅ |
| 0 | 2205 | App Target | sFlow Application | ✅ |
| 0 | 2206 | HTTP Request | sFlow HTTP | ✅ |
| 0 | 2207 | Extended Proxy Request | sFlow HTTP | ✅ |
| 0 | 2208 | Extended Nav Timing | sFlow Discussion | ⬜ |
| 0 | 2209 | Extended TCP Info | sFlow Discussion | ⬜ |
| 0 | 2210 | Extended Entities | sFlow Discussion | ⬜ |
| 4413 | 1 | BST Egress Queue | sFlow Broadcom | ⬜ |
| Enterprise | Format | Name | Specification | Status |
|---|---|---|---|---|
| 0 | 1 | Generic Interface | sFlow v5 | ✅ |
| 0 | 2 | Ethernet Interface | sFlow v5 | ✅ |
| 0 | 3 | Token Ring | sFlow v5 | ✅ |
| 0 | 4 | 100BaseVG Interface | sFlow v5 | ✅ |
| 0 | 5 | VLAN | sFlow v5 | ✅ |
| 0 | 6 | IEEE 802.11 Counters | sFlow 802.11 | ✅ |
| 0 | 7 | LAG Port Stats | sFlow LAG | ⬜ |
| 0 | 8 | Slow Path Counts | sFlow Discussion | ⬜ |
| 0 | 9 | InfiniBand Counters | sFlow InfiniBand | ⬜ |
| 0 | 10 | Optical SFP/QSFP | sFlow Optics | ⬜ |
| 0 | 1001 | Processor | sFlow v5 | ✅ |
| 0 | 1002 | Radio Utilization | sFlow 802.11 | ✅ |
| 0 | 1003 | Queue Length | sFlow Discussion | ⬜ |
| 0 | 1004 | OpenFlow Port | sFlow OpenFlow | ✅ |
| 0 | 1005 | OpenFlow Port Name | sFlow OpenFlow | ✅ |
| 0 | 2000 | Host Description | sFlow Host | ✅ |
| 0 | 2001 | Host Adapters | sFlow Host | ✅ |
| 0 | 2002 | Host Parent | sFlow Host | ✅ |
| 0 | 2003 | Host CPU | sFlow Host | ✅ |
| 0 | 2004 | Host Memory | sFlow Host | ✅ |
| 0 | 2005 | Host Disk I/O | sFlow Host | ✅ |
| 0 | 2006 | Host Network I/O | sFlow Host | ✅ |
| 0 | 2007 | MIB2 IP Group | sFlow Host TCP/IP | ⬜ |
| 0 | 2008 | MIB2 ICMP Group | sFlow Host TCP/IP | ⬜ |
| 0 | 2009 | MIB2 TCP Group | sFlow Host TCP/IP | ⬜ |
| 0 | 2010 | MIB2 UDP Group | sFlow Host TCP/IP | ⬜ |
| 0 | 2100 | Virtual Node | sFlow Host | ✅ |
| 0 | 2101 | Virtual CPU | sFlow Host | ✅ |
| 0 | 2102 | Virtual Memory | sFlow Host | ✅ |
| 0 | 2103 | Virtual Disk I/O | sFlow Host | ✅ |
| 0 | 2104 | Virtual Network I/O | sFlow Host | ✅ |
| 0 | 2105 | JVM Runtime | sFlow JVM | ⬜ |
| 0 | 2106 | JVM Statistics | sFlow JVM | ⬜ |
| 0 | 2200 | Memcache Counters (deprecated) | sFlow Discussion | ⬜ 🪦 |
| 0 | 2201 | HTTP Counters | sFlow HTTP | ✅ |
| 0 | 2202 | App Operations | sFlow Application | ✅ |
| 0 | 2203 | App Resources | sFlow Application | ✅ |
| 0 | 2204 | Memcache Counters | sFlow Memcache | ⬜ |
| 0 | 2206 | App Workers | sFlow Application | ✅ |
| 0 | 2207 | OVS DP Stats | sFlow Discussion | ⬜ |
| 0 | 3000 | Energy | sFlow Discussion | ⬜ |
| 0 | 3001 | Temperature | sFlow Discussion | ⬜ |
| 0 | 3002 | Humidity | sFlow Discussion | ⬜ |
| 0 | 3003 | Fans | sFlow Discussion | ⬜ |
| 4413 | 1 | Broadcom Device Buffer | sFlow Broadcom | ⬜ |
| 4413 | 2 | Broadcom Port Buffer | sFlow Broadcom | ⬜ |
| 4413 | 3 | Broadcom ASIC Tables | sFlow Broadcom | ⬜ |
| 5703 | 1 | NVIDIA GPU | sFlow NVML | ⬜ |
Enables serialization and deserialization support for all sFlow data structures using serde. This allows you to easily convert parsed sFlow data to/from JSON, YAML, or any other format supported by serde.
[dependencies]
sflow-parser = { version = "0.3", features = ["serde"] }
serde_json = "1.0"Example usage:
use sflow_parser::parse_datagram;
let datagram = parse_datagram(&data)?;
// Serialize to JSON
let json = serde_json::to_string(&datagram)?;
// Deserialize from JSON
let datagram: SFlowDatagram = serde_json::from_str(&json)?;Run the comprehensive test suite:
make test # Run all tests
make test-unit # Run unit tests only
make test-integration # Run integration tests onlyThe project includes comprehensive fuzz testing using cargo-fuzz:
make fuzz-install # Install fuzzing tools (requires nightly Rust)
make fuzz-single # Fuzz single datagram parsing (60s)
make fuzz-multiple # Fuzz multiple datagrams parsing (60s)
make fuzz-structured # Fuzz with structured inputs (60s)
make fuzz-all # Run all fuzzers (5 minutes each)The project includes comprehensive validation against official sFlow specification documents using syn crate to parse Rust source files and extract sFlow struct metadata:
make specs-validatePerformance benchmarks using Criterion:
make benchResults: ~300ns per datagram (~346 MiB/s throughput) on typical hardware. The parser is not zero-copy (at least for now) and does not use any unsafe code, but it is fast enough for most use cases.
This project is licensed under the MIT License.
sFlow® is a registered trademark of InMon Corp. This implementation is based on the sFlow version 5 specification available at https://sflow.org/sflow_version_5.txt and is licensed under the terms provided at https://inmon.com/technology/sflowlicense.txt.