A little-known standard for real-time network monitoring is proving to be a valuable tool for some users of high-speed networks.

Although the IETF's sFlow draft standard has been available for years, few vendors have implemented it. But as network traffic speeds grow to gigabit, and 10 gig in some corporations, sFlow will become a more important technology for tracking network performance and providing network security, experts and users say.

sFlow, which the IETF approved as a draft standard in 2001, is a technology that uses random sampling of LAN and WAN data packet flows across an entire network to give users a detailed, real-time view of network traffic performance, trends and problems, according to Foundry Networks and HP. Both offer sFlow-based switches.

Typically, network monitoring is accomplished by putting a network probe device - such as a PC running probe software or an appliance - onto a segment of a network to collect data. The probe is often plugged into a mirrored port on a LAN switch - a port configured to duplicate traffic from another port on the switch. The probe will be able to collect traffic data only from the mirrored port.

sFlow is deployed through network management information bases (MIB) - either hardware-based or software-based agents - running on the actual switches and routers in a network. This allows for a broader picture of network performance, sFlow backers say. Monitoring happens on every port of every sFlow-enabled switch, rather than on just the port or segment a probe is attached to. Proponents of sFlow say the technology allows for more widespread network monitoring because mirroring every port would be burdensome for both network staff and LAN bandwidth - half a switch would have to be dedicated to port mirroring to achieve this.

Instead of capturing and logging every packet on a switch or router port, sFlow MIBs take random samples of packets traveling through ports. These samples, called sFlow datagrams, are forwarded to an sFlow collection server on a network. On this box, the datagrams are run through an algorithm that generates a complete model of network traffic based on the sampled data.

The technology behind sFlow was developed jointly by engineers at InMon, a maker of switch-monitoring software, and developers at HP and Foundry Networks. Vendors that incorporate sFlow technology in their LAN switches include HP, Foundry and Extreme Networks. Software support for sFlow is included in products such as HP OpenView, NetScout's nGenius Performance Manager and InMon Traffic Server.

In addition to providing real-time snapshots of network performance, sFlow can be used as a network security tool, some experts say.

An example is in the detection of unauthorised network devices acting as network address translation (NAT) boxes. This could include a commodity NAT-enabled wireless router, says Peter Phaal, an author of the sFlow draft standard and an engineer at InMon. While NAT devices attached to a network might appear as legitimate end nodes, these could serve as backdoors, allowing access to unauthorized connections, from wired or wireless users.

Because sFlow samples traffic from every port in a network, sFlow data analysers can identify nodes that are acting as NAT devices on a network by comparing subnet data among switches and NAT devices.