NetFlow or sFlow: which is the open standard?

sFlow appears to be more popular on switches.

Most Network Admins keep traffic analysis on the top ten of their responsibility list, but they aren’t using packet analyzers as much.

Why?

Because NetFlow and sFlow now provide the majority of the information they are generally looking for without deploying probes.

NetFlow?

sFlow?

What is the difference?

Most SNMP manageable switches and routers shipping today support either NetFlow or sFlow.

NetFlow or a derivative called NetStream, IPFIX or Jflow are more often supported on routers.

sFlow appears to be more popular on switches.

NetFlow

NetFlow developed by Cisco Systems aggregates conversations between hosts (i.e. flows) with potentially thousands of packets into a single entry among 29 other conversations in a single NetFlow v5 packet.

In other words, a single NetFlow packet can represent tens of thousands of packets between over two dozen hosts.

However the majority of the data field is lost in the aggregation.

The source and destination IP addresses, protocols, type, QoS, autonomous systems and a few other fields are all that are saved.

The rest of the packet is dumped in NetFlow v5 which is over 80% of the market.

NetFlow v9 can save the first 1200 bytes of the packet, however, few if any collectors can report on the data intuitively.

Because of the aggregation, NetFlow allows for accurate total byte readings between IP hosts.

"The beauty of NetFlow is, because it is a standard, you can look at data from different vendors and still apply the correct level of forensics or traffic analysis to it," said Cliff Meltzer - Senior Vice President of the Cisco Network Management Technology Group.

SFlow

SFlow developed by InMon is a packet sampling technology where the switch captures every 100th packet (configurable) per interface and sends it off to the collector.

The sFlow specification does not preclude "sampling" every packet - this is a sampling rate of 1 in 1.

It is up to the specific chip vendor and specific sFlow implementation to limit the maximum frequency of packet sampling.

I am not aware of any vendor which will sample every packet.

Foundry Networks offers a switch which will sample every other packet.

Because of sFlows sampling nature, accurate readings of traffic volumes per hosts is nearly impossible without complicated algorithms which attempt to guess at accurate conversation byte volumes.

Unlike the normally software based architecture of NetFlow, sFlow requires a chip.

The sFlow.org consortium includes most of the leading network equipment and network traffic analysis vendors, who have contributed to the specification of the standard.

sFlow is licensed free of charge.

Unlike Flexible NetFlow which is limited to the first 1200 bytes of the sampled packet, with sFlow any amount of the sampled packet can be exported by sFlow, subject to any hardware limitations of a specific implementation.

Since sFlow runs over UDP, the UDP datagram can exceed the MTU of the layer 2 medium and the IP layer will handle any fragmentation and reassembly.

"By including sFlow technology in our wireless platform, we are making it easier for enterprises to monitor network devices, enforce security and analyze traffic flows across both a wired and wireless infrastructure," said Paul Congdon - Chief Technology Officer of ProCurve Networking by HP.

So which is the open standard: NetFlow or sFlow?

Both are open.

IPFIX is a flow standard which is based on NetFlow v9.

However, vendors have been slow to implement it.

Nortel supports IPFIX on their 5500 & 8600 series switches, however, they only support sampling (i.e. similar to sFlow).

Very important and definitely worth bringing to your attention again, the sFlow.org consortium includes most of the leading network equipment and network traffic analysis vendors.

These vendors have contributed to the specification of the standard. sFlow is licensed free of charge from InMon Corporation.

Among router vendors, NetFlow v5 appears to be more popular over sFlow.

Outside of Cisco and Enterasys, most switch vendors have implemented sFlow.

Enterasys supports NetFlow v9 on their switches because of a special chip they developed.

"The Enterasys Matrix N-Series switches collect NetFlow statistics for every packet in every flow without sacrificing performance based on the nTERA ASIC capabilities," said Trent Waterhouse - Marketing VP for Enterasys.

So which is better: NetFlow or sFlow?

In extremely high traffic volume environments, sFlow's sampling architecture probably prevails over NetFlows aggregation method.

The processing power to implement NetFlow on the routers and switches isn’t the problem.

The issue is the packet volume created by NetFlow which can be enormous and collectors can become overwhelmed.

Most routers outside of those used by service providers send between .5 to 50 NetFlow packets per second.

Although there are many routers in the world that will send over several hundred per second, they are not the norm.

Even so, some flow collectors can still handle 1000+ packets per second.

Why do most switch vendors support sFlow if it is only a sample, versus NetFlow's more accurate aggregation method for measuring IP traffic between hosts?

Well, since sFlow comes on a chip, one could be lead to believe it’s because sFlow takes less engineering to properly implement than NetFlow.

Related Stories:

http://www.BradReese.Com

• Cisco
• Data Center
• LANs / WANs
• Network Management
• Security
• SMB
• Software
• NetFlow
• NetFlow add-ons
• sFlow