[156645] in North American Network Operators' Group
Re: Real world sflow vs netflow?
daemon@ATHENA.MIT.EDU (Benoit Claise)
Fri Sep 21 08:49:26 2012
Date: Fri, 21 Sep 2012 14:48:36 +0200
From: Benoit Claise <bclaise@cisco.com>
To: David Hubbard <dhubbard@dino.hostasaurus.com>
In-Reply-To: <FCD26398C5EDE746BFC47F43EA52A17305789D93@dino.ad.hostasaurus.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
http://www.plixer.com/blog/netflow/netflow-vs-sflow-for-network-monitoring-and-security-the-final-say/
Regards, Benoit.
> Can anyone on or off list give me some real world
> thoughts on sflow vs netflow for border
> routers? (multi-homed, BGP, straight v4 & v6 only
> for web hosting, no mpls, vpns, vlans, etc.)
>
> Finding it hard to decipher the vendor version
> of the answer to that question. We use
> netflow v9 currently but are considering hardware
> that would be sflow. We don't use it for
> billing purposes, mostly for spotting malicious
> remote hosts doing things like scans, spotting
> traffic such as weird ports in use in either
> direction that warrant further investigation,
> watching for ddos/dos destinations to act on
> mitigation, or investigating the nature of unusual
> levels of traffic on switch ports that set off
> alarms. I'm concerned things like port scans,
> etc. won't be picked up by the NMS if fed by
> sflow due to the sampling nature, or similar
> concern if 500 ssh connections by the same remote
> host are sampled as 1 connection, etc. Of course
> these concerns were put in my head by someone
> interested in me continuing to use equipment that
> happens to output netflow data, hence me wanting some
> real people answers. :-)
>
> Thanks!
>
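The sampling concern in the quoted question (a 500-port scan, or 500 SSH connections from one host, collapsing to a handful of samples) is easy to make concrete. The following Python simulation is an added example, not code from the thread or from any vendor: it builds a constructed packet stream (documentation-range addresses, 2000 ordinary HTTPS flows plus one scanner), runs it through an unsampled per-flow cache (what a NetFlow v9 exporter sees) and through 1-in-N packet sampling (what an sFlow agent forwards), and applies a simple "too many distinct destination ports from one source" check to each view. The host names, the 50-port threshold and the interleaving pattern are assumptions chosen for the demo.

```python
"""Simulate what a collector sees from an unsampled flow cache (NetFlow-style)
versus 1-in-N packet sampling (sFlow-style). All traffic is constructed."""
import random
from collections import Counter
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


SCANNER = "203.0.113.5"   # hypothetical remote host (RFC 5737 documentation range)
TARGET = "198.51.100.10"  # hypothetical hosted server


def background_packets(n_flows=2000, pkts_per_flow=20):
    """Ordinary web traffic: n_flows client->server:443 flows of pkts_per_flow packets."""
    pkts = []
    for f in range(n_flows):
        client = f"192.0.2.{f % 250 + 1}"
        pkts.extend(Packet(client, TARGET, 6, 10000 + f, 443) for _ in range(pkts_per_flow))
    return pkts


def scanner_packets(n_flows=500, pkts_per_flow=1, dport=None):
    """dport=None: a port scan, one single-packet flow per destination port 1..n_flows.
    dport=22: n_flows separate SSH connections from one host, pkts_per_flow packets each."""
    pkts = []
    for f in range(n_flows):
        dp = dport if dport is not None else f + 1
        pkts.extend(Packet(SCANNER, TARGET, 6, 40000 + f, dp) for _ in range(pkts_per_flow))
    return pkts


def build_stream(bg, scan):
    """Interleave one scanner packet after every len(bg)//len(scan) background packets."""
    chunk = len(bg) // len(scan)
    stream = []
    for k, p in enumerate(scan):
        stream.extend(bg[k * chunk:(k + 1) * chunk])
        stream.append(p)
    stream.extend(bg[len(scan) * chunk:])   # leftover background, if any
    return stream


def systematic(n):
    """Take every n-th packet; deterministic, so the numbers below are reproducible."""
    return lambda i: i % n == 0


def random_1_in_n(n, seed=0):
    """Each packet sampled independently with probability 1/n (random sampling with
    a mean rate of 1 in n is what sFlow agents actually do)."""
    rng = random.Random(seed)
    return lambda i: rng.randrange(n) == 0


def flow_cache(stream, should_sample=None):
    """Per-flow packet counts. should_sample=None models an unsampled NetFlow cache
    that sees every packet; otherwise only sampled packets reach the collector."""
    flows = Counter()
    for i, p in enumerate(stream):
        if should_sample is None or should_sample(i):
            flows[p] += 1
    return flows


def source_summary(flows, src, rate=1):
    """What the collector can say about src: flows seen, distinct destination ports,
    and a packet estimate (sampled counts scaled back up by the sampling rate)."""
    mine = {f: c for f, c in flows.items() if f.src == src}
    return {
        "flows_seen": len(mine),
        "dports_seen": len({f.dport for f in mine}),
        "packets_est": sum(mine.values()) * rate,
    }


def looks_like_scan(summary, min_dports=50):
    """Assumed detection rule: one source touching >= min_dports destination ports."""
    return summary["dports_seen"] >= min_dports


if __name__ == "__main__":
    bg = background_packets()
    for label, scan in (("port scan", scanner_packets()),
                        ("500 ssh connections", scanner_packets(dport=22, pkts_per_flow=6))):
        stream = build_stream(bg, scan)
        print(f"\n== {label}: {len(scan)} scanner packets among {len(stream)} total")
        full = source_summary(flow_cache(stream), SCANNER)
        print("unsampled flow export:", full, "scan?", looks_like_scan(full))
        for n in (100, 1000):
            s = source_summary(flow_cache(stream, random_1_in_n(n)), SCANNER, rate=n)
            print(f"sampled 1:{n:<4}       :", s, "scan?", looks_like_scan(s))
```

With the deterministic sampler the port-scan case works out exactly: the unsampled cache reports 500 flows on 500 ports and the rule fires; at 1:100 the collector sees 5 of the 500 flows (scaled packet estimate 500, which is right, but only 5 ports, so the rule does not fire); at 1:1000 it sees a single packet, which is the "500 connections look like 1" case from the question. The random sampler gives the same picture on average. The point a practitioner should take from it is that sampling preserves volume estimates (a flood of millions of packets is still obvious at 1:1000) but destroys per-connection and per-port detail for anything that is small in packet terms, so a detection rule written against full flow records has to be re-thought, or the sampling rate lowered on the border ports, before it is pointed at sampled data.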