Real world sflow vs netflow?

Jeroen Massar jeroen at unfix.org
Fri Jul 13 17:44:54 UTC 2012


On 2012-07-13 19:30, David Hubbard wrote:
[..]
> We don't use it for
> billing purposes, mostly for spotting malicious
> remote hosts doing things like scans, spotting
> traffic such as weird ports in use in either
> direction that warrant further investigation,
[..]

The primary difference between NetFlow/IPFIX and sFlow is that NetFlow
is unsampled while sFlow is sampled. As such, for these kinds of cases it
might be more worthwhile to have NetFlow than sFlow, as you get all the
source/dest ports. On the other hand, sFlow can give you packet headers,
and that might be useful if you get, say, the first 200 bytes of every flow.

Though, depending on the hardware, traffic volume and traffic mix, you
might have to sample anyway.

Oh and there is a small difference in the packet formats and the idea
behind why something exists, but that won't hurt you too much.

Greets,
 Jeroen
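An added illustration of the sampled-vs-unsampled point in the message above (my own example, not code from the post or from any NetFlow/sFlow implementation): a constructed trace with a few bulk flows and a one-packet-per-port probe is exported once unsampled (NetFlow-style) and once with 1:N packet sampling (sFlow-style), to show how many of the single-packet "weird port" flows survive each. All addresses and counts are made up.

```python
import random
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, packets_in_flow).
# Three ordinary bulk flows plus one host touching 1024 ports with one packet each.
SCANNER = "198.51.100.9"  # constructed address
FLOWS = (
    [("10.0.0.5", "192.0.2.10", 443, 5000),
     ("10.0.0.6", "192.0.2.10", 80, 1200),
     ("10.0.0.7", "192.0.2.11", 22, 300)]
    + [(SCANNER, "192.0.2.10", port, 1) for port in range(1, 1025)]
)


def expand(flows):
    """Unroll flow records into one (src, dst, dst_port) tuple per packet."""
    return [(s, d, p) for s, d, p, n in flows for _ in range(n)]


def netflow_export(packets):
    """Unsampled export: every packet updates its flow record, so every flow is seen."""
    counts = defaultdict(int)
    for key in packets:
        counts[key] += 1
    return dict(counts)


def sflow_export(packets, rate, seed=1):
    """1:rate packet sampling: a flow exists only if at least one of its packets is sampled."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    counts = defaultdict(int)
    for key in packets:
        if rng.randrange(rate) == 0:
            counts[key] += 1
    return dict(counts)


def p_flow_seen(packets_in_flow, rate):
    """Probability that a flow of k packets appears at all under 1:rate sampling."""
    return 1 - (1 - 1 / rate) ** packets_in_flow


def scanner_ports_seen(export, scanner=SCANNER):
    """Destination ports attributable to the probing host in an export."""
    return sorted(p for (s, _d, p) in export if s == scanner)


if __name__ == "__main__":
    pkts = expand(FLOWS)
    print("unsampled sees", len(scanner_ports_seen(netflow_export(pkts))), "probed ports")
    print("1:1000 sampled sees", len(scanner_ports_seen(sflow_export(pkts, 1000))), "probed ports")
    print("chance a 1-packet flow is exported at 1:1000: %.4f" % p_flow_seen(1, 1000))
```

The bulk flows still show up under sampling (a 5000-packet flow is almost certainly sampled at least once), which is why sampled data is fine for volume and billing questions but a poor basis for spotting single-packet probes.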