How is sFlow different from netFlow, and how is each supported by different vendors?
The difference between netFlow and sFlow
monitoring, netflow, sflow
Related Solutions
The new Cisco product line does NetFlow in hardware (and I believe the previous generation as well), but when I approach this question, here are the things I typically ask myself:
- 1: Can I afford the bandwidth? (I'm sure this won't be a problem most of the time.)
- 2: Is NetFlow done in hardware on this device?
- 3: Can I afford the CPU cycles (if applicable)?
- 4: How long do you want to store said data on the device?
- 5: How long should the data be stored on the aggregation point?
I have only found benefits when leaving it on all the time, but I also keep an eye on how it's affecting the performance of my network.
To each his own!
IPFIX is defined in RFC 7011, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information. Much of what you do or do not have in your records is up to the specific implementation. Your application is off-topic, but if you look at Appendix A. IPFIX Encoding Examples, it will give you some example templates, and the meanings of the fields for those templates. For example:
A.2. Template Set Examples
A.2.1. Template Set Using IANA Information Elements
We want to report the following Information Elements:
IPv4 source IP address: sourceIPv4Address [IANA-IPFIX], with a length of 4 octets
IPv4 destination IP address: destinationIPv4Address [IANA-IPFIX], with a length of 4 octets
Next-hop IP address (IPv4): ipNextHopIPv4Address [IANA-IPFIX], with a length of 4 octets
Number of packets of the Flow: packetDeltaCount [IANA-IPFIX], with a length of 4 octets
Number of octets of the Flow: octetDeltaCount [IANA-IPFIX], with a length of 4 octets
Therefore, the Template Set will be composed of the following:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Set ID = 2           |      Length = 28 octets       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |       Template ID 256         |       Field Count = 5         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|    sourceIPv4Address = 8    |       Field Length = 4        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0| destinationIPv4Address = 12 |       Field Length = 4        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|  ipNextHopIPv4Address = 15  |       Field Length = 4        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|    packetDeltaCount = 2     |       Field Length = 4        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|     octetDeltaCount = 1     |       Field Length = 4        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
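The A.2.1 template quoted above, turned into bytes and parsed the way a collector has to treat it: as untrusted input whose Set Length and Field Count must agree with the bytes actually received. This is an added example, not code from the answer or from RFC 7011; the function names and the sample data record (documentation addresses, made-up counters) are constructed for illustration.

```python
import ipaddress
import struct

# IANA element IDs exactly as listed in the RFC 7011 A.2.1 template above.
IANA_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address",
              15: "ipNextHopIPv4Address", 2: "packetDeltaCount",
              1: "octetDeltaCount"}

def parse_template_set(buf: bytes):
    """Parse one Template Set (Set ID 2) holding a single template record."""
    if len(buf) < 8:
        raise ValueError("truncated set/template header")
    set_id, set_len, template_id, field_count = struct.unpack_from("!HHHH", buf)
    if set_id != 2:
        raise ValueError(f"not a Template Set (Set ID {set_id})")
    if set_len < 8 or set_len > len(buf):
        raise ValueError("Set Length disagrees with bytes received")
    if template_id < 256:
        raise ValueError("not a regular template (withdrawals not handled here)")
    fields, off = [], 8
    for _ in range(field_count):
        if off + 4 > set_len:
            raise ValueError("Field Count runs past Set Length")
        ie, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if ie & 0x8000:  # enterprise bit: a 4-octet enterprise number follows
            raise ValueError("enterprise-specific element not handled here")
        fields.append((ie, length))
    return template_id, fields

def decode_record(fields, record: bytes):
    """Decode one fixed-length Data Record using the parsed template."""
    if sum(length for _, length in fields) != len(record):
        raise ValueError("record length does not match template")
    out, off = {}, 0
    for ie, length in fields:
        raw = record[off:off + length]
        off += length
        name = IANA_NAMES.get(ie, f"ie{ie}")
        if name.endswith("IPv4Address"):
            out[name] = str(ipaddress.IPv4Address(raw))
        else:
            out[name] = int.from_bytes(raw, "big")
    return out

# The A.2.1 template as 28 octets, then a constructed record to decode with it.
TEMPLATE_SET = struct.pack("!14H", 2, 28, 256, 5, 8, 4, 12, 4, 15, 4, 2, 4, 1, 4)
SAMPLE_RECORD = (bytes([192, 0, 2, 12, 192, 0, 2, 254, 192, 0, 2, 1])
                 + struct.pack("!II", 5009, 5344385))
```

Calling decode_record(parse_template_set(TEMPLATE_SET)[1], SAMPLE_RECORD) yields the five named fields; a set cut short in transit is rejected instead of being read past its end.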
Best Answer
NetFlow is a protocol for exporting aggregated IP flow totals. As such, it is well suited to IP traffic accounting on Internet routers. With NetFlow V9 (AKA IPFIX), it can look into Layer 2 traffic as well.
sFlow is a general purpose network traffic measurement system technology. sFlow is designed to be embedded in any network device and to provide continuous statistics on any protocol (L2, L3, L4, and up to L7), so that all traffic throughout a network can be accurately characterized and monitored. These statistics are essential for congestion control, troubleshooting, security surveillance, network planning etc. They can also be used for IP accounting purposes.
NetFlow mirrors all traffic, and places a load on the CPU when utilised.
sFlow is a packet sampling technology where the switch captures every 100th packet (configurable) per interface and sends it off to the collector. sFlow is built into the ASIC, and places minimal load on the CPU.
NetFlow is supported by Cisco, Juniper, Alcatel Lucent, Huawei, Enterasys, Nortel, VMware.
sFlow is supported by Alaxala, Alcatel Lucent, Allied Telesis, Arista Networks, Brocade, Cisco, Dell, D-Link, Enterasys, Extreme, Fortinet, Hewlett-Packard, Hitachi, Huawei, IBM, Juniper, LG-Ericsson, Mellanox, MRV, NEC, Netgear, Proxim Wireless, Quanta Computer, Vyatta, ZTE and ZyXEL (see sFlow link).