[154815] in North American Network Operators' Group
Re: Real world sflow vs netflow?
daemon@ATHENA.MIT.EDU (Jeroen Massar)
Fri Jul 13 13:46:45 2012
Date: Fri, 13 Jul 2012 19:44:54 +0200
From: Jeroen Massar <jeroen@unfix.org>
To: David Hubbard <dhubbard@dino.hostasaurus.com>
In-Reply-To: <FCD26398C5EDE746BFC47F43EA52A17305789D93@dino.ad.hostasaurus.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 2012-07-13 19:30, David Hubbard wrote:
[..]
> We don't use it for
> billing purposes, mostly for spotting malicious
> remote hosts doing things like scans, spotting
> traffic such as weird ports in use in either
> direction that warrant further investigation,
[..]
The primary difference between NetFlow/IPFIX and sFlow is that NetFlow
is unsampled while sFlow is sampled. As such, for these kinds of cases it
might be more worthwhile to have NetFlow than sFlow, as you get all the
source/dest ports. On the other hand, sFlow can give you packet headers,
and that might be useful if you get the first, say, 200 bytes of every flow.
Though depending on the hardware, traffic volume and traffic mix, you
might have to sample anyway.
Oh, and there is a small difference in the packet formats and the idea
behind why something exists, but that won't hurt you too much.
Greets,
Jeroen
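The trade-off Jeroen describes, that sampling loses the per-port detail a scan detector relies on, worked through as an added example (not code from the post or from any NetFlow/sFlow implementation). The packets are constructed; real sFlow samples randomly, and the fixed 1-in-N stride here is an assumption made only to keep the run reproducible.

```python
"""Compare port-scan detection on unsampled (NetFlow-style) flow records
against 1-in-N packet sampling (sFlow-style).

Constructed traffic: 50 normal clients hitting a few service ports, plus
one host that sends a single packet to each of 200 ports."""
from collections import defaultdict

SERVICE_PORTS = [80, 443, 25]


def build_packets():
    """Constructed sample: list of (src, dst, dst_port) tuples."""
    pkts = []
    for i in range(50):                       # normal clients, 40 pkts each
        src = f"10.0.0.{i}"
        for j in range(40):
            pkts.append((src, "192.0.2.10", SERVICE_PORTS[j % 3]))
    for port in range(1, 201):                # scanner: one packet per port
        pkts.append(("198.51.100.7", "192.0.2.10", port))
    return pkts


def sample(pkts, rate):
    """1-in-`rate` packet sampling; rate=1 keeps everything (unsampled).

    Assumption: a fixed stride stands in for sFlow's random sampling so
    the result is deterministic."""
    return [p for i, p in enumerate(pkts) if i % rate == 0]


def distinct_ports_per_src(pkts):
    """Number of distinct destination ports seen from each source."""
    ports = defaultdict(set)
    for src, _dst, port in pkts:
        ports[src].add(port)
    return {src: len(p) for src, p in ports.items()}


def scanners(pkts, threshold=20):
    """Sources that touched more than `threshold` distinct destination ports."""
    counts = distinct_ports_per_src(pkts)
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    pkts = build_packets()
    print("unsampled:", scanners(pkts))            # ['198.51.100.7']
    print("1-in-64  :", scanners(sample(pkts, 64)))  # []  (scanner now shows only 3 ports)
```

At 1-in-64 the scanner's 200 single-packet probes collapse to three observed ports, indistinguishable from a normal client, which is why unsampled export is preferable when the goal is spotting scans rather than measuring volume.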