Both sFlow and Application Telemetry mirror packets to a server for deep packet inspection, but they collect streams in very different ways:
sFlow samples 1 out of n packets to create flow streams. This methodology achieves scalability and applies to high speed networks, but it provides limited application visibility.
Application Telemetry does not sample some packets like sFlow; it monitors all traffic and uses policy rules to filter packets for analysis. This pattern matching methodology enables Application Telemetry to monitor all application-level traffic flows at wire speed on all interfaces simultaneously.
The policy rules that Application Telemetry uses are ACL and ACE filters that are pre-configured in a policy configuration file called sflow.pol. This policy file is not user configurable. These rules enable the switch to recognize several signatures that represent a combination of the following:
IP protocol type (TCP/UDP)
TCP flags
Layer 4 port numbers
data patterns (defined as offset/data/mask triplets)
Pattern matching enables Application Telemetry to target very specific, well-defined packets in each flow and not full streams of traffic. Thus, the switch mirrors only a relatively few packets to the Analytics Engine. It is the Analytics Engine that performs deep packet inspection to create reports of statistical data.
Important
When you enable Application Telemetry, the switch loads the filter rules based on the logic below:
Application Telemetry uses the apptelemetry.pol or the sflow.pol file because the filter rules can exist in either file. The sflow.pol file is the default file and is included with the image that is loaded on the switch. This file contains the default filter rules. The apptelemetry.pol file is the user-defined file, which can be updated by the Extreme Management Center or ExtremeCloud IQ - Site Engine. To use this file, configure Application Telemetry using the Extreme Management Center or ExtremeCloud IQ - Site Engine. When you run the Application Telemetry LiveUpdate VOSS script from Extreme Management Center or ExtremeCloud IQ - Site Engine, the updated apptelemetry.pol file is placed in /intflash/.
When you enable Application Telemetry, the feature uses the files in the following order:
If the user-defined file (apptelemetry.pol) exists, then the switch loads the rules from this file.
If the apptelemetry.pol file does not exist or if there is a problem reading this file, then the switch uses the default sflow.pol file.