Real world sflow vs netflow?

David Hubbard dhubbard at
Fri Jul 13 17:30:25 UTC 2012

Can anyone on or off list give me some real world
thoughts on sflow vs netflow for border
routers? (multi-homed, BGP, straight v4 & v6 only
for web hosting, no mpls, vpns, vlans, etc.)

Finding it hard to decipher the vendor version
of the answer to that question.  We use
netflow v9 currently but are considering hardware
that would be sflow.  We don't use it for
billing purposes, mostly for spotting malicious
remote hosts doing things like scans, spotting
traffic such as weird ports in use in either 
direction that warrant further investigation,
watching for ddos/dos destinations to act on
mitigation, or investigating the nature of unusual
levels of traffic on switch ports that set off
alarms.  I'm concerned things like port scans,
etc. won't be picked up by the NMS if fed by
sflow due to the sampling nature, or similar
concern if 500 ssh connections by the same remote
host are sampled as 1 connection, etc.  Of course
these concerns were put in my head by someone
interested in me continuing to use equipment that
happens to output netflow data, hence me wanting some
real people answers. :-)


More information about the NANOG mailing list