nanog mailing list archives
Re: Real world sflow vs netflow?
From: Jeroen Massar <jeroen () unfix org>
Date: Fri, 13 Jul 2012 19:44:54 +0200
On 2012-07-13 19:30, David Hubbard wrote:
[..]
> We don't use it for billing purposes, mostly for spotting malicious remote hosts doing things like scans, spotting traffic such as weird ports in use in either direction that warrant further investigation,
[..]

The primary difference between NetFlow/IPFIX and sFlow is that NetFlow is unsampled while sFlow is sampled. As such, for these kinds of cases it might be more worthy to have NetFlow than sFlow as you get all the source/dest ports.

On the other hand, sFlow can give you packet headers, and that might be useful if you get every first, say, 200 bytes of every flow. Though depending on the hardware and traffic volume and traffic mix you might have to sample anyway.

Oh, and there is a small difference in the packet formats and the idea behind why something exists, but that won't hurt you too much.

Greets,
 Jeroen
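The trade-off raised in the reply above, as an added example that is not part of the original post: a scan-detection check (distinct destination ports per source/destination pair) run once over every packet and once over a 1-in-100 random packet sample. The addresses, the traffic mix, the sampling rate, the 100-port threshold and the simple random sampler are all constructed assumptions, not any vendor's implementation.

```python
import random
from collections import defaultdict

# Constructed documentation addresses; none of these come from the thread.
SCANNER, VICTIM = "203.0.113.5", "192.0.2.10"
CLIENT, SERVER = "198.51.100.7", "192.0.2.20"

def build_packets():
    """Constructed traffic: 1000 single-packet probes mixed into 9000 HTTPS packets."""
    packets = []
    for i in range(1000):
        packets.append((SCANNER, VICTIM, 40000, 1 + i))      # one probe per port
        packets.extend([(CLIENT, SERVER, 50000, 443)] * 9)   # one long-lived flow
    return packets

def unsampled_flows(packets):
    """Flow cache fed with every packet: one record per (src, dst, sport, dport)."""
    flows = defaultdict(int)
    for key in packets:
        flows[key] += 1
    return flows

def sampled_packets(packets, rate, seed=1):
    """Random 1-in-`rate` packet sampling (assumed stand-in for a hardware sampler)."""
    rng = random.Random(seed)
    return [p for p in packets if rng.random() < 1.0 / rate]

def ports_per_pair(records):
    """Number of distinct destination ports seen for each (src, dst) pair."""
    ports = defaultdict(set)
    for src, dst, _sport, dport in records:
        ports[(src, dst)].add(dport)
    return {pair: len(seen) for pair, seen in ports.items()}

def scan_suspects(records, min_ports):
    """Sources that touched at least `min_ports` distinct ports on one destination."""
    return {src for (src, _dst), n in ports_per_pair(records).items() if n >= min_ports}

if __name__ == "__main__":
    pkts = build_packets()
    full = unsampled_flows(pkts)
    sampled = sampled_packets(pkts, rate=100)
    print("unsampled ports:", ports_per_pair(full).get((SCANNER, VICTIM), 0))
    print("sampled ports:  ", ports_per_pair(sampled).get((SCANNER, VICTIM), 0))
    print("suspects at 100 ports, unsampled:", scan_suspects(full, 100))
    print("suspects at 100 ports, sampled:  ", scan_suspects(sampled, 100))
```

On sampled data the port-count threshold has to be scaled down by roughly the sampling rate, which makes the check noisier for low-volume scanners.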