On Mon, Sep 24, 2012 at 11:52:28AM -0700, Peter Phaal wrote:
> On Mon, Sep 24, 2012 at 11:19 AM, Joe Loiacono wrote:
> > OK, Well I guess I was thinking sFlow was primarily a switch oriented
> > technology versus on a layer-3 peering router.
>
> The sFlow technology is a good fit for any device t
On Mon, Sep 24, 2012 at 11:19 AM, Joe Loiacono wrote:
> OK, Well I guess I was thinking sFlow was primarily a switch oriented
> technology versus on a layer-3 peering router.
The sFlow technology is a good fit for any device that performs a
packet forwarding function (including routers) and the s
Peter Phaal wrote on 09/24/2012 10:39:26 AM:
> When a switch/router decides to sample a packet it records the
> ingress/egress interfaces and accumulates information about how it
> decided to forward the packet by examining its FIB tables. Each packet
> may take a different path, some may by swit
On Mon, Sep 24, 2012 at 5:48 AM, Joe Loiacono wrote:
> Peter Phaal wrote on 09/23/2012 12:23:57 PM:
>
>
>> Exporting packet oriented measurements doesn't mean that you have to
>> loose ingress/egress interface data. In the specific example being
>> discussed (sFlow export), detailed forwarding in
On 2012-09-24 14:48 , Joe Loiacono wrote:
> Peter Phaal wrote on 09/23/2012 12:23:57 PM:
>
>> Exporting packet oriented measurements doesn't mean that you have to
>> loose ingress/egress interface data.
Note that you get these in NetFlow too. Depends on which version you
pick or how you combine
Peter Phaal wrote on 09/23/2012 12:23:57 PM:
> Exporting packet oriented measurements doesn't mean that you have to
> loose ingress/egress interface data. In the specific example being
> discussed (sFlow export), detailed forwarding information from the
> router forwarding plane is exported with
On Sep 23, 2012, at 11:23 PM, Peter Phaal wrote:
> The difference between packet oriented or flow oriented export is an
> "implementation detail" if your only requirement is to obtain layer IP flow
> records, but becomes significant if you want to create customized flow
> records or create pac
On Sun, Sep 23, 2012 at 8:16 AM, Dobbins, Roland wrote:
>
> On Sep 23, 2012, at 7:55 PM, Danny McPherson wrote:
>
>> If the *flow generation process is not performed on the router (or otherwise
>> conveyed by some metadata outside of "raw [sampled] packet headers") then
>> you lose visibility to i
On Sep 23, 2012, at 7:55 PM, Danny McPherson wrote:
> If the *flow generation process is not performed on the router (or otherwise
> conveyed by some metadata outside of "raw [sampled] packet headers") then you
> lose visibility to ingress and egress ifIndex (interface) information --
> inform
On Sep 23, 2012, at 12:43 AM, Peter Phaal wrote:
> In both cases the router is generating the telemetry, in the netflow
> case, packets are sampled on the router, the router builds flow
> records based on the contents of the sampled packets, and the flow
> records are exported. In the sFlow case,
On Sat, Sep 22, 2012 at 4:41 PM, Dobbins, Roland wrote:
> You have misinterpreted what I said. I was saying that flow telemetry of any
> variety must be exported from edge devices, which in most cases are routers
> (in some cases layer-3 switches), in response to your 'move it out of the
> route
On Sep 23, 2012, at 1:51 AM, Peter Phaal wrote:
> Here are some comments and links to additional information that address each
> of your concerns:
You have misinterpreted what I said. I was saying that flow telemetry of any
variety must be exported from edge devices, which in most cases are
On Fri, Sep 21, 2012 at 10:02 PM, Dobbins, Roland wrote:
>
> On Sep 22, 2012, at 12:40 AM, Peter Phaal wrote:
>
>> However, moving the flow generation out of the router gives a lot of
>> flexibility.
>
> Actually, moving it out of the router creates huge problems and destroys a
> lot of the val
On Sep 22, 2012, at 12:40 AM, Peter Phaal wrote:
> However, moving the flow generation out of the router gives a lot of
> flexibility.
Actually, moving it out of the router creates huge problems and destroys a lot
of the value of the flow telemetry - it nullifies your ability to traceback
w
On Thu, Sep 20, 2012 at 11:21 AM, Mikael Abrahamsson wrote:
> Most of the platforms I know of do sampled netflow at 1:100-1:1000 or so,
> and then I don't really see the fundamental difference in doing the flow
> analysis on the router itself (classic netflow) or doing the same but at the
> sFlow
http://www.plixer.com/blog/netflow/netflow-vs-sflow-for-network-monitoring-and-security-the-final-say/
Regards, Benoit.
Can anyone on or off list give me some real world
thoughts on sflow vs netflow for border
routers? (multi-homed, BGP, straight v4 & v6 only
for web hosting, no mpls, vpns, vla
On Thu, 20 Sep 2012, Peter Phaal wrote:
I am a puzzled by the orthodoxy that seems to prevail around the value
"flows" as a measure of network traffic in packet switched networks.
What platforms actually do real unsampled netflow today, and do it well
for multi-10gigabit worth of typical Inte
On 20/09/2012 17:59, Peter Phaal wrote:
> What do people think?
Flows are good for measuring some things; raw packet sampling is good for
measuring others.
Decide on what you're trying to measure, then pick the best tool for the job.
Nick
On Sat, Jul 14, 2012 at 1:30 AM, Łukasz Bromirski wrote:
> sFlow is really sPacket, as it doesn't deal with flows.
>
> NetFlow, jFlow, IPFIX deal with flows.
I am a puzzled by the orthodoxy that seems to prevail around the value
"flows" as a measure of network traffic in packet switched networks.
In the case of sFlow, the collector determines how to report bytes.
The sFlow agent reports the size of the sampled layer 2 frame (along
with the first 128 bytes of the frame) and the collector can choose
whether to report L2 bytes, L3 bytes, L4 bytes etc. by subtracting the
sizes of the headers. I
On 17/07/2012 16:32, Simon Leinen wrote:
> That's one reason, but another reason would be that at least in Netflow
> (but sFlow may be similar depending on how you use it), the reported
> byte counts only include the sizes of the "L3" packets, i.e. starting at
> the IP header, while the SNMP interf
James Braunegg writes:
> In the end I did real life testing comparing each platform
Great, thanks for sharing your results!
(It would be nice if you could tell us a little bit about the
configuration, i.e. what kind of sampling you used.)
[...]
> That being said both netflow and sflow both under
rd [mailto:dhubb...@dino.hostasaurus.com]
Sent: Tuesday, July 17, 2012 8:26 AM
To: nanog@nanog.org
Subject: RE: Real world sflow vs netflow?
From: James Braunegg [mailto:james.braun...@micron21.com]
>
> Dear All
>
> Around a year ago I had the same debate sflow vs netflow vs snmp port
> counters. rea
From: James Braunegg [mailto:james.braun...@micron21.com]
>
> Dear All
>
> Around a year ago I had the same debate sflow vs netflow vs
> snmp port counters. read lots of stories lots of myths lots
> of good information. My Conclusion
>
> In the end I did real life testing comparing each plat
org]
Sent: Monday, July 16, 2012 6:53 AM
To: nanog@nanog.org
Subject: Re: Real world sflow vs netflow?
On 14/07/2012 09:30, Łukasz Bromirski wrote:
> And that's the biggest problem with sFlow. Packets are sampled, not
> flows. You may miss the big or important flow, you don't hav
On 14/07/2012 09:30, Łukasz Bromirski wrote:
> And that's the biggest problem with sFlow. Packets are sampled, not
> flows. You may miss the big or important flow, you don't have
> visibility into every conversation going through the device.
Unless you enable sampling, which is pretty much necessa
On Sat, Jul 14, 2012 at 10:30:25AM +0200, ?ukasz Bromirski wrote:
> NetFlow supports [ .. ] As well as L2 traffic (v9) [ .. ]
Let's be real and speak implementations: where is L2 information in
NetFlow for routed traffic on bigger platforms typically thrown for
peering at internet exchanges - ASR
On 7/14/12 11:15 AM, Mikael Abrahamsson wrote:
On Sat, 14 Jul 2012, Łukasz Bromirski wrote:
NetFlow, jFlow, IPFIX deal with flows. You can discuss sampling
accuracy and things like that, but working with flows is more accurate.
If you do 1:1000 sampling with both Netflow and sFlow, why would
On Sat, 14 Jul 2012, Łukasz Bromirski wrote:
NetFlow, jFlow, IPFIX deal with flows. You can discuss sampling accuracy
and things like that, but working with flows is more accurate.
If you do 1:1000 sampling with both Netflow and sFlow, why would one of
them be more accurate than the other? If
On 7/13/12 10:20 PM, Peter Phaal wrote:
1. NetFlow: Packets are decoded on the router, flow keys are extracted
and used to lookup/create an entry in a flow cache which is then
updated based on values in the packet. Records are exported from the
flow cache in the form of Netflow datagrams when th
Peter Phaal wrote on 07/13/2012 04:20:45 PM:
> 2. sFlow: Packets are randomly sampled in hardware and the packet
> headers are immediately exported as sFlow datagrams - there is no flow
> cache on the switch/router. In addition to exporting the packet
> header, the sFlow agent captures the FIB st
Hi David,
The main architectural difference between sFlow and Netflow is the
location of the flow cache:
1. NetFlow: Packets are decoded on the router, flow keys are extracted
and used to lookup/create an entry in a flow cache which is then
updated based on values in the packet. Records are expor
Hi David,
I'm not sure that sflow is going to get your the granularity that you
are looking for. It's usually better to start more granular and then
aggregate into larger flows when you graph or reference for historic values.
Have you looked at other options, such as argus [1] to collect flow dat
On 2012-07-13 19:30, David Hubbard wrote:
[..]
> We don't use it for
> billing purposes, mostly for spotting malicious
> remote hosts doing things like scans, spotting
> traffic such as weird ports in use in either
> direction that warrant further investigation,
[..]
The primary difference betwee
Can anyone on or off list give me some real world
thoughts on sflow vs netflow for border
routers? (multi-homed, BGP, straight v4 & v6 only
for web hosting, no mpls, vpns, vlans, etc.)
Finding it hard to decipher the vendor version
of the answer to that question. We use
netflow v9 currently but a
35 matches
Mail list logo
