nanog mailing list archives

Re: Real world sflow vs netflow?


From: Jeroen Massar <jeroen () unfix org>
Date: Fri, 13 Jul 2012 19:44:54 +0200

On 2012-07-13 19:30, David Hubbard wrote:
[..]
We don't use it for
billing purposes, mostly for spotting malicious
remote hosts doing things like scans, spotting
traffic such as weird ports in use in either 
direction that warrant further investigation,
[..]

The primary difference between NetFlow/IPFIX and sFlow is that NetFlow
is unsampled while sFlow is sampled. As such, for these kinds of cases it
might be more worthwhile to have NetFlow than sFlow, as you get all the
source/dest ports. On the other hand, sFlow can give you packet headers,
and that might be useful if you get the first, say, 200 bytes of every flow.

Though depending on the hardware and traffic volume and traffic mix you
might have to sample anyway.

Oh and there is a small difference in the packet formats and the idea
behind why something exists, but that won't hurt you too much.

Greets,
 Jeroen
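As an added illustration (not part of Jeroen's message or the thread), the following Python snippet models the sampling point above: a port scan that sends one packet per port is fully visible in unsampled NetFlow/IPFIX-style records but mostly disappears under 1:200 sFlow-style packet sampling. The scanner and target addresses, port range, sampling rate and the 20-port scan threshold are constructed values.

```python
import random

# Constructed example: one scanner probing 1024 ports on one target, one packet per port.
SCANNER = "198.51.100.7"
TARGET = "203.0.113.10"
SCAN_PORTS = range(1, 1025)


def build_scan(src=SCANNER, dst=TARGET, ports=SCAN_PORTS, packets_per_port=1):
    """Return one (src, dst, dport) tuple per probe packet."""
    return [(src, dst, p) for p in ports for _ in range(packets_per_port)]


def unsampled_records(packets):
    """NetFlow/IPFIX-style: every packet contributes to a flow record."""
    return set(packets)


def sampled_records(packets, sample_rate, seed=0):
    """sFlow-style 1:N random packet sampling: only sampled packets yield records."""
    rng = random.Random(seed)
    return {pkt for pkt in packets if rng.randrange(sample_rate) == 0}


def visible_flow_probability(packets_per_flow, sample_rate):
    """P(at least one packet of a k-packet flow is sampled at 1:N) = 1 - (1 - 1/N)^k."""
    return 1.0 - (1.0 - 1.0 / sample_rate) ** packets_per_flow


def flag_scanners(records, min_ports=20):
    """Flag sources that touched at least min_ports distinct destination ports."""
    ports_by_src = {}
    for src, _dst, dport in records:
        ports_by_src.setdefault(src, set()).add(dport)
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    scan = build_scan()
    full = unsampled_records(scan)
    sampled = sampled_records(scan, sample_rate=200)
    print(f"unsampled: {len(full)} ports seen, flagged={flag_scanners(full)}")
    print(f"1:200 sampled: {len(sampled)} ports seen, flagged={flag_scanners(sampled)}")
    print(f"chance a 1-packet probe is sampled at 1:200: {visible_flow_probability(1, 200):.3f}")
```

With 1:200 sampling only about five of the 1024 single-packet probes are expected to survive, so a distinct-port threshold that fires on the unsampled data stays silent on the sampled data; the per-flow probability formula shows how many packets a flow needs before sampling is likely to catch it.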
