nanog mailing list archives
Re: Real world sflow vs netflow?
From: Harry Hoffman <hhoffman () ip-solutions net>
Date: Fri, 13 Jul 2012 13:52:28 -0400
Hi David,

I'm not sure that sflow is going to get you the granularity that you are looking for. It's usually better to start more granular and then aggregate into larger flows when you graph or reference for historic values.

Have you looked at other options, such as argus [1], to collect flow data outside of the networking gear? This way the networking gear can do its primary job and flow collection can happen elsewhere. There's a whole argus community that discusses the information security topics you're interested in, and Carter, the guy who wrote all (?) of the code, is very responsive. Argus can also take in NetFlow flows from your routers too.

There are obviously other tools available that may work as well or better, but argus is one I've been using with great success in a fairly heavily trafficked environment.

Cheers,
Harry

[1] http://www.qosient.com/argus/

On 07/13/2012 01:30 PM, David Hubbard wrote:
> Can anyone on or off list give me some real world thoughts on sflow vs netflow for border routers? (multi-homed, BGP, straight v4 & v6 only for web hosting, no mpls, vpns, vlans, etc.) Finding it hard to decipher the vendor version of the answer to that question. We use netflow v9 currently but are considering hardware that would be sflow.
>
> We don't use it for billing purposes, mostly for spotting malicious remote hosts doing things like scans, spotting traffic such as weird ports in use in either direction that warrant further investigation, watching for ddos/dos destinations to act on mitigation, or investigating the nature of unusual levels of traffic on switch ports that set off alarms. I'm concerned things like port scans, etc. won't be picked up by the NMS if fed by sflow due to the sampling nature, or similar concern if 500 ssh connections by the same remote host are sampled as 1 connection, etc.
>
> Of course these concerns were put in my head by someone interested in me continuing to use equipment that happens to output netflow data, hence me wanting some real people answers. :-)
>
> Thanks!
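The sampling concern in the quoted message (will a port scan or 500 ssh connections survive 1:N packet sampling?) can be put in numbers. The following is an added illustration, not code from anyone in this thread; it models sFlow packet sampling as an independent 1/N draw per packet and uses constructed packet counts per scenario (the ~12 packets per ssh connection is an assumption), then shows how a collector scales sample counts back up and how noisy that estimate is.

```python
import math

def expected_samples(packets: int, rate: int) -> float:
    """Mean number of sFlow samples for `packets` packets at 1:rate packet sampling."""
    return packets / rate

def p_seen(packets: int, rate: int) -> float:
    """Probability that an event of `packets` packets produces at least one sample,
    modelling sampling as an independent 1/rate draw per packet (assumption)."""
    return 1.0 - (1.0 - 1.0 / rate) ** packets

def packets_needed(rate: int, confidence: float) -> int:
    """Smallest packet count an event must carry to be sampled at least once
    with probability >= `confidence`."""
    if rate == 1:  # unsampled export (NetFlow-style): a single packet is always seen
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / rate))

def scaled_estimate(samples: int, rate: int) -> tuple[int, float]:
    """Collector-side estimate of the true packet count (samples * rate) and the
    relative standard error of that estimate (~1/sqrt(samples) for Poisson counts)."""
    if samples == 0:
        return 0, float("inf")
    return samples * rate, 1.0 / math.sqrt(samples)

# Constructed scenarios drawn from the quoted message; packet counts are assumptions.
SCENARIOS = {
    "port scan, 1000 SYNs to 1000 ports": 1000,
    "500 ssh connections x ~12 packets each": 500 * 12,
    "single ssh login attempt, ~12 packets": 12,
}

def report(rate: int) -> dict[str, tuple[float, float]]:
    """For each scenario return (expected samples, probability of at least one sample)."""
    return {name: (expected_samples(n, rate), p_seen(n, rate))
            for name, n in SCENARIOS.items()}

if __name__ == "__main__":
    for rate in (1, 256, 2048):
        print(f"--- sampling 1:{rate} ---")
        for name, (exp, p) in report(rate).items():
            print(f"{name:42s} E[samples]={exp:8.2f}  P(seen)={p:.3f}")
        print(f"packets needed for 99% chance of >=1 sample: {packets_needed(rate, 0.99)}")
    est, err = scaled_estimate(3, 2048)
    print(f"3 samples at 1:2048 -> ~{est} packets, +/- {err:.0%} relative error")
```

The takeaway for a detection threshold: a 1000-packet scan at 1:2048 is seen only about 39% of the time, while the 500-connection ssh burst is almost always seen but comes back as a handful of samples, so alarms on sampled data must trigger on scaled estimates with their error bars rather than on raw connection counts.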
Current thread:
- Real world sflow vs netflow? David Hubbard (Jul 13)
- Re: Real world sflow vs netflow? Jeroen Massar (Jul 13)
- Re: Real world sflow vs netflow? Harry Hoffman (Jul 13)
- Re: Real world sflow vs netflow? Peter Phaal (Jul 13)
- Re: Real world sflow vs netflow? Joe Loiacono (Jul 13)
- Re: Real world sflow vs netflow? Łukasz Bromirski (Jul 14)
- Re: Real world sflow vs netflow? Mikael Abrahamsson (Jul 14)
- Re: Real world sflow vs netflow? Łukasz Bromirski (Jul 14)
- Re: Real world sflow vs netflow? Paolo Lucente (Jul 15)
- Re: Real world sflow vs netflow? Nick Hilliard (Jul 15)
- RE: Real world sflow vs netflow? James Braunegg (Jul 16)
- RE: Real world sflow vs netflow? David Hubbard (Jul 16)
- RE: Real world sflow vs netflow? James Braunegg (Jul 16)