decodesflow
Decodes sFlow v5 packets from Ethernet frames, extracting agent information, sample types, sampling statistics, and other data.
Command properties
| Item | Description |
|---|---|
| Command type | Processing query |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax

    decodesflow

The command takes no options; all three examples below invoke it bare.
Input fields
| Field | Type | Required | Description |
|---|---|---|---|
| payload | binary | Required | Ethernet frame data. If the field is not binary type, the record is ignored. |
Output fields
| Field | Type | Description |
|---|---|---|
| src_ip | ipaddr | Source IP address |
| src_port | integer | Source port number |
| dst_ip | ipaddr | Destination IP address |
| dst_port | integer | Destination port number |
| protocol | string | Transport protocol: udp |
| ver | integer | sFlow protocol version: 5 |
| agent_addr | ipaddr | sFlow agent IP address |
| agent_id | integer | sFlow sub-agent ID |
| flow_seq | long | sFlow packet sequence number |
| uptime | long | Agent system uptime in milliseconds |
| sample_type | string | Sample type: flow or counters |
| sample_seq | long | Sample sequence number |
| src_id_type | integer | Source ID type |
| src_id | integer | Source index |
| sampling_rate | integer | Sampling rate. Applies to flow samples only. |
| sample_pool | long | Total sampling pool count. Applies to flow samples only. |
| drops | long | Number of dropped packets. Applies to flow samples only. |
| input_if_format | integer | Input interface format. Applies to expanded flow samples only. |
| input_if_value | integer | Input interface value. Applies to expanded flow samples only. |
| output_if_format | integer | Output interface format. Applies to expanded flow samples only. |
| output_if_value | integer | Output interface value. Applies to expanded flow samples only. |
| input_if_index | integer | Input interface index. Applies to flow samples only. |
| output_if_index | integer | Output interface index. Applies to flow samples only. |
| flows | array | List of flow data records. Applies to flow samples only. |
| counters | array | List of counter data records. Applies to counters samples only. |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The decodesflow command reads an Ethernet frame from the payload field of each input record and decodes sFlow v5 packets. If the payload field is not binary type, the record is ignored.
The command parses the IPv4 header and then the UDP header from the Ethernet frame, then checks that the first 32-bit word of the UDP payload is the sFlow version number 5 (0x00000005). Records that are not IPv4, not UDP, or not sFlow v5 are ignored.
Because a single sFlow packet can contain multiple samples, one input record may produce multiple output records. Depending on the sample type, flow samples include sampling_rate, sample_pool, drops, and interface information; counters samples include the counters array.
If decoding fails, the record is ignored and processing continues with the next record.
This command supports parallel execution and runs on the Data Node in a distributed environment.
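The following is an added, stand-alone illustration of the decoding steps described above (Ethernet, then IPv4, then UDP, then the sFlow v5 datagram header, then one record per sample). It is not Logpresso's implementation; it is written from the sFlow v5 datagram layout using only the Python standard library, and it produces dictionaries keyed like the output fields listed above. The frame it decodes is constructed in `build_frame()`, not taken from a real capture; the MAC addresses, IP addresses, ports and sample values there are arbitrary. Two robustness points a defender cares about are shown: the parser advances by each sample's declared length, so an unknown sample format is skipped rather than desynchronising the rest of the datagram, and any truncation drops the whole record, matching the behaviour the description states.

```python
import struct
from ipaddress import ip_address

SFLOW_VERSION = 5
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
# sFlow v5 sample formats (enterprise 0 in the high 20 bits of the format word)
FLOW_SAMPLE, COUNTERS_SAMPLE, EXPANDED_FLOW_SAMPLE = 1, 2, 3


def _records(buf, off, count):
    """Parse `count` (format, length, data) records; record data is kept as opaque bytes."""
    recs = []
    for _ in range(count):
        fmt, length = struct.unpack_from("!II", buf, off)
        off += 8
        data = buf[off:off + length]
        if len(data) != length:
            raise ValueError("truncated record")
        recs.append({"format": fmt, "data": data})
        off += length
    return recs


def decode_sflow(frame):
    """Return one dict per sample, or [] if the frame is not IPv4/UDP/sFlow v5 or is truncated."""
    try:
        return _decode(frame)
    except (struct.error, ValueError, IndexError):
        return []  # any decoding failure drops the whole record, as the command does


def _decode(frame):
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return []
    ip = 14
    if frame[ip] >> 4 != 4 or frame[ip + 9] != IPPROTO_UDP:
        return []
    udp = ip + (frame[ip] & 0x0F) * 4  # IHL is the IPv4 header length in 32-bit words
    src_port, dst_port, udp_len = struct.unpack_from("!HHH", frame, udp)
    payload = frame[udp + 8:udp + udp_len]
    ver, addr_type = struct.unpack_from("!II", payload, 0)
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4 agent address, 2 = IPv6
    if ver != SFLOW_VERSION or addr_len is None:
        return []
    agent_addr = ip_address(payload[8:8 + addr_len])
    off = 8 + addr_len
    agent_id, flow_seq, uptime, num_samples = struct.unpack_from("!IIII", payload, off)
    off += 16
    base = {
        "src_ip": ip_address(frame[ip + 12:ip + 16]), "src_port": src_port,
        "dst_ip": ip_address(frame[ip + 16:ip + 20]), "dst_port": dst_port,
        "protocol": "udp", "ver": ver, "agent_addr": agent_addr, "agent_id": agent_id,
        "flow_seq": flow_seq, "uptime": uptime,
    }
    out = []
    for _ in range(num_samples):
        fmt, length = struct.unpack_from("!II", payload, off)
        off += 8
        body = payload[off:off + length]
        if len(body) != length:
            raise ValueError("truncated sample")
        off += length  # always advance by the declared length, even for unknown formats
        rec = dict(base)
        if fmt == FLOW_SAMPLE:
            seq, sid, rate, pool, drops, inp, outp, n = struct.unpack_from("!8I", body, 0)
            rec.update(sample_type="flow", sample_seq=seq, src_id_type=sid >> 24,
                       src_id=sid & 0xFFFFFF, sampling_rate=rate, sample_pool=pool,
                       drops=drops, input_if_index=inp, output_if_index=outp,
                       flows=_records(body, 32, n))
        elif fmt == EXPANDED_FLOW_SAMPLE:
            (seq, sidt, sidx, rate, pool, drops, ifmt, ival,
             ofmt, oval, n) = struct.unpack_from("!11I", body, 0)
            rec.update(sample_type="flow", sample_seq=seq, src_id_type=sidt, src_id=sidx,
                       sampling_rate=rate, sample_pool=pool, drops=drops,
                       input_if_format=ifmt, input_if_value=ival, output_if_format=ofmt,
                       output_if_value=oval, flows=_records(body, 44, n))
        elif fmt == COUNTERS_SAMPLE:
            seq, sid, n = struct.unpack_from("!3I", body, 0)
            rec.update(sample_type="counters", sample_seq=seq, src_id_type=sid >> 24,
                       src_id=sid & 0xFFFFFF, counters=_records(body, 12, n))
        else:
            continue  # unknown sample format: skipped, not fatal
        out.append(rec)
    return out


def build_frame():
    """Constructed test frame (not a real capture): one flow sample and one counters sample."""
    flow = struct.pack("!8I", 7, 3, 512, 4096, 0, 3, 5, 1) + struct.pack("!II", 1, 4) + b"\xde\xad\xbe\xef"
    ctr = struct.pack("!3I", 9, 3, 1) + struct.pack("!II", 1, 4) + b"\x00\x00\x00\x01"
    samples = (struct.pack("!II", FLOW_SAMPLE, len(flow)) + flow
               + struct.pack("!II", COUNTERS_SAMPLE, len(ctr)) + ctr)
    sflow = (struct.pack("!II", SFLOW_VERSION, 1) + bytes([10, 0, 0, 1])
             + struct.pack("!IIII", 0, 1234, 86400000, 2) + samples)
    udp = struct.pack("!HHHH", 40000, 6343, 8 + len(sflow), 0) + sflow
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 100])) + udp
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip
```

Calling `decode_sflow(build_frame())` yields two records from the one frame, a flow sample (with sampling_rate, sample_pool, drops and interface indexes populated) and a counters sample (with the counters array), which is the one-input-to-many-outputs behaviour described above. The flow and counter record payloads are left as opaque bytes here; the command decodes them further into the flows and counters arrays.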
Examples
- Decoding sFlow packets from a PCAP file

      pcapfile /opt/logpresso/sflow-capture.pcap | decodesflow

  Decodes sFlow v5 packets from Ethernet frames read from a PCAP file.

- Aggregating sample counts by sFlow agent

      pcapfile /opt/logpresso/sflow-capture.pcap | decodesflow | stats count by agent_addr

  Aggregates sample counts by sFlow agent IP address.

- Filtering and querying flow samples only

      pcapfile /opt/logpresso/sflow-capture.pcap | decodesflow | search sample_type == "flow" | fields agent_addr, sample_seq, sampling_rate, drops, src_ip, dst_ip

  Filters only flow-type samples from sFlow packets and retrieves key fields.