RE: Real world sflow vs netflow?

[David Hubbard <dhubbard () dino hostasaurus com>]

From: James Braunegg [mailto:james.braunegg () micron21 com] 
> Dear All
>
> Around a year ago I had the same debate sflow vs netflow vs 
> snmp port counters. read lots of stories lots of myths lots 
> of good information.  My Conclusion
>
> In the end I did real life testing comparing each platform
>
> We routed live traffic (about 250mbits) from our Cisco 7200 
> G2 routers though Brocade MLXe routers and exported netflow 
> from the Cisco platform and sFlow from the Brocade platform.
>
> Each router sent netflow/sflow traffic to two collectors on 
> independent hardware (same specifications) running the same 
> collection netflow analyzer software.
>
> The end result was after hours of testing, or even days and 
> weeks of testing there was no significant difference between 
> traffic volumes netflow was showing vs slfow. Ie less than 
> 0.5% variance between each environment.
>
> That being said both netflow and sflow both under read by 
> about 3% when compared to snmp port counters, which we put to 
> the conclusion was broadcast traffic etc which the routers 
> didn't see / flow.
>
> Regardless if you're going to bill from netflow or sflow in 
> our test environment we saw no  significant difference 
> between either platform.

What are your thoughts on the non-billing aspects after your
comparison testing; if you are/were using it for those purposes?
We don't use our current netflow for billing, just for security
investigation and (ideally) early alerting of abnormal activity
like port scans, compromised apps on servers, etc.

Thanks,

David