Real world sflow vs netflow?

Benoit Claise bclaise at cisco.com
Fri Sep 21 12:48:36 UTC 2012


http://www.plixer.com/blog/netflow/netflow-vs-sflow-for-network-monitoring-and-security-the-final-say/

Regards, Benoit.
> Can anyone on or off list give me some real world
> thoughts on sflow vs netflow for border
> routers? (multi-homed, BGP, straight v4 & v6 only
> for web hosting, no mpls, vpns, vlans, etc.)
>
> Finding it hard to decipher the vendor version
> of the answer to that question.  We use
> netflow v9 currently but are considering hardware
> that would be sflow.  We don't use it for
> billing purposes, mostly for spotting malicious
> remote hosts doing things like scans, spotting
> traffic such as weird ports in use in either
> direction that warrant further investigation,
> watching for ddos/dos destinations to act on
> mitigation, or investigating the nature of unusual
> levels of traffic on switch ports that set off
> alarms.  I'm concerned things like port scans,
> etc. won't be picked up by the NMS if fed by
> sflow due to the sampling nature, or similar
> concern if 500 ssh connections by the same remote
> host are sampled as 1 connection, etc.  Of course
> these concerns were put in my head by someone
> interested in me continuing to use equipment that
> happens to output netflow data, hence me wanting some
> real people answers. :-)
>
> Thanks!

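The sampling concern in the quoted question can be put in numbers. The following is an added example, not part of the original thread: it models sFlow as independent 1-in-N packet sampling, and the sampling rates, packets per connection and the 20-flow alert threshold are constructed assumptions, not values from either poster.

```python
from math import comb

def p_seen(packets: int, rate: int) -> float:
    """Probability that at least one of `packets` packets is sampled at 1-in-`rate`."""
    return 1.0 - (1.0 - 1.0 / rate) ** packets

def expected_flows_seen(flows: int, pkts_per_flow: int, rate: int) -> float:
    """Expected number of distinct flows that leave at least one sample."""
    return flows * p_seen(pkts_per_flow, rate)

def p_alert(flows: int, pkts_per_flow: int, rate: int, threshold: int) -> float:
    """Probability that >= `threshold` distinct flows from one source are sampled.

    Each flow is sampled independently, so the count of visible flows is
    binomial; the alert fires unless fewer than `threshold` are visible.
    """
    p = p_seen(pkts_per_flow, rate)
    miss = sum(comb(flows, k) * p**k * (1 - p) ** (flows - k)
               for k in range(threshold))
    return max(0.0, 1.0 - miss)

# Constructed scenarios: (description, flows from one remote host, packets per flow)
SCENARIOS = [
    ("full TCP port sweep, 1 SYN per port", 65535, 1),
    ("top-1000 port scan, 1 SYN per port", 1000, 1),
    ("500 ssh connections, 20 packets each", 500, 20),
]

def report(rates=(1, 512, 4096), threshold=20):
    """One row per scenario and sampling rate; rate 1 is unsampled export."""
    rows = []
    for name, flows, pkts in SCENARIOS:
        for rate in rates:
            rows.append((name, rate,
                         expected_flows_seen(flows, pkts, rate),
                         p_alert(flows, pkts, rate, threshold)))
    return rows

if __name__ == "__main__":
    for name, rate, seen, alert in report():
        print(f"{name:38s} 1-in-{rate:<5d} "
              f"flows seen ~{seen:8.1f}  P(alert) {alert:.3f}")
```

Under these assumptions a full sweep still crosses the threshold at 1-in-512, while a 1000-port scan almost never does, so a collector fed by sampled data needs its thresholds set relative to the sampling rate rather than copied from an unsampled deployment.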

More information about the NANOG mailing list