Thursday, April 16, 2020

Can sFlow monitor VOIP? (I'm guessing no.)

Hi Network Admins,

Does anyone know if sFlow can be used to monitor VOIP?

Here’s why I ask, and why I think the answer to my question will be “No.” I’ve recently spun up an instance of vFlow, Verizon Digital’s Dockerized sFlow Docker collector. The image works great, and I highly recommend it. My boss likes it too, and asked me to think about if we might be able to use vFlow to monitor VOIP calls.

Here’s everything I know about VOIP:

  • VOIP uses two protocols: SIP is used for signaling, RTP is used to carry actual voice data.
  • When a VOIP call is initiated between two peers, those peers negotiate using SIP (UDP 5060). In one of those initial “handshake” packets, the peers will communicate, “You send RTP on UDP 12345, I’ll send RTP back on UDP 12346.”
  • Once that step is completed, all RTP packets for the duration of the call will use only those agreed-upon UDP ports.
  • After the call is completed, there is a quick tear-down process, also managed via SIP.

Okay, now imagine Peers A and B are initiating a VOIP call over my sFlow-enabled network. Here’s what I think happens:

  1. Via SIP, peers A and B agree that A will use RTP on UDP 12345 and B will use RTP on UDP 12346.
  2. However, sFlow does NOT sample that key SIP packet containing the previous information.
  3. A and B begin their VOIP call and begin transferring a lot of RTP data.
  4. sFlow reports a lot of traffic on UDP 12345 and 12346. However, there is no way for sFlow to realize this is VOIP traffic.

Because of the nature of random packet sampling, I’m guessing the above scenario happens almost constantly. To see a batch of traffic on UDP 12345 and 12346 and then know for sure that that traffic is VOIP, sFlow would need to sample the SIP packet listing the agreed-upon ports, and the SIP packets used to tear down the call later. What are the odds that those SIP packets will be sampled for every VOIP call? Practically nil.

I did a bit of Google searching for “sFlow VOIP” but all I seem to find are ad websites for professional sFlow products and academic papers. I’m guessing that this means garden variety sFlow simply can’t monitor VOIP, for the reasons I’ve listed above.

Does anyone know if I am correct? I would love any thoughts or advice on this. Thank you!
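
The sampling argument above can be put into numbers. The following is an added example, not part of the original post: it models sFlow's 1-in-N sampling as an independent coin flip per packet (an approximation) and assumes two port-carrying SIP packets per call (the SDP offer and answer, typically INVITE and 200 OK) and RTP at 50 packets per second in each direction. All function names and figures are illustrative.

```python
import random

def p_any_sampled(n_packets, rate_n):
    """P(at least one of n_packets is sampled) under 1-in-rate_n sampling."""
    return 1.0 - (1.0 - 1.0 / rate_n) ** n_packets

def p_all_sampled(n_packets, rate_n):
    """P(every one of n_packets is sampled) under 1-in-rate_n sampling."""
    return (1.0 / rate_n) ** n_packets

def expected_rtp_samples(duration_s, rate_n, pps_per_direction=50):
    """Expected sampled RTP packets for one call, both directions.

    50 pps per direction is an assumed packet rate (20 ms packetization).
    """
    return 2 * pps_per_direction * duration_s / rate_n

def simulate_calls(n_calls, rate_n, sdp_packets=2, seed=1):
    """Monte Carlo check: fraction of calls whose SDP packets were all sampled."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_calls):
        # Each signaling packet is sampled independently with probability 1/N.
        if all(rng.random() < 1.0 / rate_n for _ in range(sdp_packets)):
            hits += 1
    return hits / n_calls

if __name__ == "__main__":
    call_seconds = 180  # constructed example: a three-minute call
    for rate_n in (256, 1024, 4096):  # constructed sampling rates
        print(f"1-in-{rate_n}: "
              f"P(any SDP packet)={p_any_sampled(2, rate_n):.5f}  "
              f"P(both SDP packets)={p_all_sampled(2, rate_n):.2e}  "
              f"expected RTP samples={expected_rtp_samples(call_seconds, rate_n):.1f}")
```

Under these assumptions the RTP stream of a call is sampled many times while the handful of SIP packets that name its ports is almost never sampled, which is the gap described in the numbered scenario.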


