Real world sflow vs netflow?

• Previous message (by thread): Real world sflow vs netflow?
• Next message (by thread): Akamai infrastructure tech
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In the case of sFlow, the collector determines how to report bytes.
The sFlow agent reports the size of the sampled layer 2 frame (along
with the first 128 bytes of the frame) and the collector can choose
whether to report L2 bytes, L3 bytes, L4 bytes etc. by subtracting the
sizes of the headers. It seems likely that the sFlow collector used in
the tests was reporting L3 bytes since the numbers were in agreement
with the numbers reported by NetFlow.

Peter

On Tue, Jul 17, 2012 at 8:32 AM, Simon Leinen <simon.leinen at switch.ch> wrote:
> James Braunegg writes:
>> That being said both netflow and sflow both under read by about 3%
>> when compared to snmp port counters, which we put to the conclusion
>> was broadcast traffic etc which the routers didn't see / flow.
>
> That's one reason, but another reason would be that at least in Netflow
> (but sFlow may be similar depending on how you use it), the reported
> byte counts only include the sizes of the "L3" packets, i.e. starting at
> the IP header, while the SNMP interface counters (ifInOctets etc.)
> include L2 overhead such as Ethernet frame headers and such.
> --
> Simon.
>

• Previous message (by thread): Real world sflow vs netflow?
• Next message (by thread): Akamai infrastructure tech
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]