Real world sflow vs netflow?

Dobbins, Roland rdobbins at arbor.net
Sun Sep 23 19:17:42 UTC 2012


On Sep 23, 2012, at 11:23 PM, Peter Phaal wrote:

> The difference between packet oriented or flow oriented export is an "implementation detail" if your only requirement is to obtain layer IP flow records, but becomes significant if you want to create customized flow records or create packet oriented metrics. Applications for packet oriented metrics mentioned earlier in this thread included route analytics, analysis of ECMP/LAG/TRILL forwarding, packet size distribution vs. DSCP, DDoS mitigation.

It might be a good idea to read up on Flexible NetFlow, IPFIX, and PSAMP over IPFIX, since everything you mention above can be done by collecting/analyzing those telemetry formats. 

In fact, it might be a good idea to read up on plain old classical NetFlow v5 and v9, too, as almost all of what's mentioned above is accomplished every day using them, as well, heh.

> The problem with having the router perform the flow analysis is that once data is aggregated, it can't be disaggregated.

Nobody in this thread has advocated aggregated NetFlow.  I certainly don't.  

At any rate, I knew this would happen if we started talking about the merits of s/Flow vs. NetFlow.  For some reason, s/Flow advocates seem to feel compelled to come up with straw-man arguments and misstatements, and try to use them to 'prove' what they view as the inherent superiority of s/Flow - when any unbiased indvidual who's worked with both formats at length knows that this simply isn't true.

In this particular instance, I guess it's natural to feel compelled to present one's own creations in a positive light.  However, it just isn't cricket to make incorrect, incomplete, and/or misleading statements about perceived competitors to one's own creations, you know? 

> It's like the difference between receiving eggs or an omelette. If you like the omelette, great! But if you wan't a different omelette or would like
> to poach, boil, scramble or bake your eggs then getting the raw eggs is a lot more versatile.

At any rate, I've wasted enough of everyone's time/bandwidth as a result of this particular instance of flow telemetry format trolling; I won't be providing anything more in the way of sustenance.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton




More information about the NANOG mailing list