[AusNOG] vyatta netflow and AS export
Paul Koch
paul.koch137 at gmail.com
Tue Jun 9 09:21:34 EST 2015
On Fri, 5 Jun 2015 12:07:42 +1000
Ivan Jukic <ijukic13 at gmail.com> wrote:
> Netflow or the current "standard" is now called IPFIX. This is certainly
> supported by Cisco as well as many other vendors.
>
> In relation to sflow not being a useful technology. I disagree. They
> essentially both do the same, analyse traffic flows. However, sflow does so
> by packet sampling, 1 packet out of X sent to the collector. Whereas
> IPFIX/Netflow send every packet to the collector. They are both very useful,
> however there is a lot of design consideration when rolling them out.
>
> Cheers,
> Ivan
sFlow is not useful. It typically uses a 1 in N sample, where N is a
"very big number". Once you go over N=5 or N=10, it becomes statistically
useless... or actually misleading and deceptive. Ask any statistician
and they laugh at the 1 in 1000 sample.
I even watched a presentation from one of the sFlow.org guys who reckoned
that an N=1,000,000 sample was even useful. Not sure what planet...
For security guys, an N=1 is pretty much mandatory.
sFlow should have been called something different as it just causes
confusion. A lot of people seem to think it is 'switch flow' and are
surprised when you explain that it's just packet sampling at N=1k or N=16k
packets. Switches will never do an N=1 sample because the cost of the
hardware would be prohibitive.
Plixer have some interesting blogs on Netflow vs sFlow.
Paul.
--
Paul Koch | Founder, CEO
AKIPS Network Monitor | akips.com
Brisbane, Australia
Cell: +61 (0)458 803 740
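
The following is an added example, not part of the original post and not code from AKIPS or sFlow.org. It models 1-in-N sampling as independent per-packet selection (an assumption) over constructed traffic, and reports how many short, probe-sized flows leave any sample at the N values mentioned in the thread, next to the volume estimate for bulk flows. Flow names, sizes and the seed are constructed.

```python
import random

def build_flows(rng):
    """Constructed traffic: 5 bulk flows and 500 short probe-like flows."""
    flows = {f"bulk-{i}": rng.randint(20_000, 50_000) for i in range(5)}
    flows.update({f"probe-{i}": rng.randint(1, 3) for i in range(500)})
    return flows

def p_detect(pkts, n):
    """Probability that a flow of `pkts` packets yields at least one sample."""
    return 1.0 - (1.0 - 1.0 / n) ** pkts

def sample(flows, n, rng):
    """Model (assumption): each packet is selected independently with p = 1/n."""
    seen = {}
    for name, pkts in flows.items():
        hits = sum(1 for _ in range(pkts) if rng.random() < 1.0 / n)
        if hits:
            seen[name] = hits
    return seen

def report(n, seed=2015):
    """Sample the constructed traffic at 1-in-n and summarise what survives."""
    rng = random.Random(seed)
    flows = build_flows(rng)
    seen = sample(flows, n, rng)
    true_bulk = sum(v for k, v in flows.items() if k.startswith("bulk-"))
    # Collector-side estimate: scale sampled packet counts back up by n.
    est_bulk = n * sum(v for k, v in seen.items() if k.startswith("bulk-"))
    return {
        "n": n,
        "probes_seen": sum(1 for k in seen if k.startswith("probe-")),
        "bulk_seen": sum(1 for k in seen if k.startswith("bulk-")),
        "bulk_error_pct": round(100 * abs(est_bulk - true_bulk) / true_bulk, 1),
    }

if __name__ == "__main__":
    for n in (1, 10, 1000, 16000):
        print(report(n))
    # Chance that a single 3-packet flow is sampled at all at N=1000
    print(f"P(3-packet flow sampled at N=1000) = {p_detect(3, 1000):.4%}")
```
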