What is the difference between netFlow and sFlow?

  • How is sFlow different from netFlow, and how is each supported by different vendors ?

  • Jez

    Jez Correct answer

    8 years ago

    NetFlow is a protocol for exporting aggregated IP flow totals. As such it is well suited to IP traffic accounting on Internet routers. With Netflow V9 (AKA IPFIX it can look into Layer 2 traffic as well)

    sFlow is a general purpose network traffic measurement system technology. sFlow is designed to be embedded in any network device and to provide continuous statistics on any protocol (L2, L3, L4, and up to L7), so that all traffic throughout a network can be accurately characterized and monitored. These statistics are essential for congestion control, troubleshooting, security surveillance, network planning etc. They can also be used for IP accounting purposes.

    Netflow mirrors all traffic, and places a load on the CPU when utilised.

    SFlow is a packet sampling technology where the switch captures every 100th packet (configurable) per interface and sends it off to the collector. sFlow is built into the ASIC, and places minimal load on the CPU.

    Netflow supported by Cisco, Juniper, Alcatel Lucent, Huawei, Enterasys, Nortel, VMWare

    sFlow supported by Alaxala, Alcatel Lucent, Allied Telesis, Arista Networks, Brocade, Cisco, Dell, D-Link, Enterasys, Extreme, Fortinet, Hewlett-Packard, Hitachi, Huawei, IBM, Juniper, LG-Ericsson, Mellanox, MRV, NEC, Netgear, Proxim Wireless, Quanta Computer, Vyatta, ZTE and ZyXEL (see sFlow link)

    The sampling concept applies to netflow/ipfix just as it does with sflow

    Sampling aside, how would two packets from the same traffic differ on Netflow and sFlow. Maybe compare them with a raw packet from say, tcpdump? The difference still isn't crystal clear to me.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM