[156690] in North American Network Operators' Group


Re: Real world sflow vs netflow?

daemon@ATHENA.MIT.EDU (Danny McPherson)
Sun Sep 23 08:56:22 2012

From: Danny McPherson <danny@tcb.net>
In-Reply-To: <CAB8g2zzyKb2rZx7+1r=11dVCC3jGsMMoDbgrEzat=gD4m58R4Q@mail.gmail.com>
Date: Sun, 23 Sep 2012 08:55:32 -0400
To: Peter Phaal <peter.phaal@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Sep 23, 2012, at 12:43 AM, Peter Phaal wrote:

> In both cases the router is generating the telemetry, in the netflow
> case, packets are sampled on the router, the router builds flow
> records based on the contents of the sampled packets, and the flow
> records are exported. In the sFlow case, the raw sampled packet
> headers are exported to external software which builds flow records.
> In both cases the router is making the primary measurements and you
> end up with the same measurements.

Actually, you don't...

If the *flow generation process is not performed on the router (or
otherwise conveyed by some metadata outside of "raw [sampled] packet
headers") then you lose visibility to ingress and egress ifIndex
(interface) information -- information which is required if/when
deploying controls on those systems to squelch various traffic flows.
This is _part of the point Roland was trying to make.

-danny
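
Added example, not part of the original message: Python that parses a NetFlow v5 export datagram and totals estimated bytes toward one destination per input ifIndex, the per-interface view the message says is needed when deciding where to apply a control. The sample datagram, its addresses and the function names are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Yield (src, dst, in_ifindex, out_ifindex, est_bytes) for each flow record."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    # Low 14 bits carry the sampling interval; 0 means unsampled.
    rate = (sampling & 0x3FFF) or 1
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[3]/f[4] are the input/output SNMP ifIndex, f[6] is dOctets.
        yield (socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[3], f[4], f[6] * rate)

def bytes_by_ingress(datagram, victim):
    """Estimated bytes sent to `victim`, keyed by the ingress ifIndex."""
    totals = defaultdict(int)
    for _src, dst, in_if, _out_if, nbytes in parse_v5(datagram):
        if dst == victim:
            totals[in_if] += nbytes
    return dict(totals)

def build_sample():
    """Constructed datagram: four flows, 1-in-100 sampling, documentation addresses."""
    flows = [("198.51.100.7", "192.0.2.10", 3, 12, 4000),
             ("203.0.113.9", "192.0.2.10", 7, 12, 90000),
             ("203.0.113.44", "192.0.2.10", 7, 12, 60000),
             ("198.51.100.8", "192.0.2.99", 3, 14, 1500)]
    header = HEADER.pack(5, len(flows), 0, 1348404932, 0, 1, 0, 0, (1 << 14) | 100)
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), i, o,
                    10, octets, 0, 0, 1234, 80, 0, 0, 17, 0, 0, 0, 0, 0, 0)
        for s, d, i, o, octets in flows)
    return header + body

if __name__ == "__main__":
    for ifindex, total in sorted(bytes_by_ingress(build_sample(), "192.0.2.10").items()):
        print(f"ingress ifIndex {ifindex}: ~{total} bytes")
```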


