Ever since I started working with NetFlow Analyzer, I have been fascinated with NetFlow technology which can give a high level of information without much strain on the network. One another commonly used technology like NetFlow is sFlow. sFlow, introduced by INMON, is a sampling based technology which can help in bandwidth monitoring, real time traffic analytics, anomaly detection and IP level billing.
What is sFlow and sampling :
Before we move to sFlow, what is sampling? Sampling is a method for traffic analysis where 1 in every ‘N’ packets (N is the sampling rate) passing through a device interface is sent to an analyzer tool for analysis. Based on the information in this 1 packet, traffic pattern for the rest of the packets in the sample group is constructed.
Now, it is not the actual datagram that is captured and sent for packet analysis. In sFlow, when there is traffic flow on a device interface, a part of the ethernet frame (ie. the header information) of a sampled packet is extracted and placed into a UDP packet. Samples are collected based on the sample interval and added to the UDP packet. Once the UDP packet’s size reaches 1500 bytes, the flow exporter attaches necessary information like sampling rate and interface index and exports it to the analyzer software. This UDP packet along with the actual packet sample’s frame information is called sFlow.
NetFlow vs sFlow
Many users who reach us asks which technology is better or accurate and which one should they use. I will outline the differences between the two and then you can decide which one to go with.
One of the big advantages of sFlow is its ability to run at Layer 2 and to capture non IP traffic.
sFlow, can work on Layer 2 and Layer 3 interfaces and does not need a Layer 3 routing or next hop as NetFlow does. This enables sFlow capture to be done on Layer 2 interfaces thus covering almost all of your network traffic.
Coming to the type of traffic captured, NetFlow technology can capture only IP based traffic information and not non IP protocol traffic like IPX, Appletalk, XNS, etc. If your network runs a lot of non-IP based protocols, it is only sFlow which is capable of capturing these packets.
The next part is accuracy. sFlow, since being sampling based, may miss some of the traffic. This can happen when packets belonging to a huge conversation did not get sampled, thus losing account of a large volume of network data or when your network involves a lot of small conversations and thus these packets not getting accounted in the sample group. Finally, in the long run you may find some of the actual top talkers missing. Here NetFlow gets the advantage as it will capture 100% of your IP traffic.
After considering these factors decide on what you wish to implement. My suggestion is NetFlow on the border and sFlow for the core. Get to us if you need to know more or discuss more.
Thanks and Regards
Arun Karthik Asokan
Download | Interactive Demo | Product overview video | Twitter | Customers|Bandwidth Monitoring | Network Security | CBQoSMonitoring |
lan traffic analysis | network traffic analyzer | traffic analyzer | network traffic monitor | network analysis tools | network performance analysis
Do you mean NetFlow on the core and sFlow for the border.
No… Netflow on border and sFlow on core. As core has high traffic to analyse if we use NetFlow performance may be the problem so sFlow is preferred. If we use NetFlow on border then we can actually take analytics advantage.
Hi Arun,
Thank you for the information, it is very useful to understand the technology. I have one question here:
1. what is the difference between Sample rate and Adaptive sample rate.
looking forward to your response.
Thank you!
Abhinav
Hi Abhinav,
Sampling refers to random sampling ( eg. 1 out of 100 packets) irrespective of time, traffic load etc.
Adaptive sampling is a technology using Fussy Logic the rate differs with respect to traffic. When there is a huge load/traffic on the device, the sampling rate increases to compensate the load.
Regards,
Senthil.N