Skip Links

Network World

Brad Reese

Closer look: sFlow better than NetFlow?

By Brad Reese on Fri, 06/20/08 - 8:21am.
Newsletter Signup

Plixer International

Is anyone else appreciating the debate on sFlow vs. NetFlow?

The folks at Plixer International decided to take a closer look.

They put together a simple test using a live network.

Visit Us Cisco Live! 2008 Orlando June 22 - 26 Booth 1210They inserted an Extreme Summit sFlow switch running v7.6 firmware between their Enterasys switch running Rev 05.42.04 and the firewall (SonicWall).


The Enterasys switch supports NetFlow v9 and the Extreme switch supports sFlow v5.

They cranked up the sampling rate on the Extreme to sample every packet.

Plixer wasn’t confident that the Extreme Summit switch can sample every packet but, the switch didn’t bark at after they entered the command.

For flow collection, they used Scrutinizer NetFlow and sFlow Analyzer v6.0 which is pictured below.

PLXRSW3 (sFlow) is the Extreme Summit switch and PLXRSW1 (NetFlow) is the Enterasys Switch:

sFlow and NetFlow Collection

The above configuration would allow Plixer to view traffic rates of the same live traffic using sFlow and NetFlow collection.

Notice above that the Inbound and Outbound - five minute traffic averages don’t match for exactly the same traffic volumes.

The Extreme Summit = 1.332% and the Enterasys = 1.262% for Inbound utilization.

Plixer believes this could be caused by many things including the fact that sFlow samples tend to be exported closer to real time.

NetFlow on the other hand has to deal with active and inactive timeout configurations.

Because of this, an sFlow switch would likely reflect a sudden spike in utilization quicker than a NetFlow switch.

Perhaps someone will comment on this blog to help us have a better understanding!

At times they would be as much as 1% different from one another but, for the most part they were pretty much the same.

Below is an example:

An Example

Plixer let the test run for a few days.

Scrutinizer sat there collecting away.

Every so often they would compare the top ten talkers reported for the same time frame and they seldom matched up when looking at trends for the last 5 minutes or the last 24 hours:

Compare

As expected, since the Extreme Summit is sampling packets the total host traffic is below what the Enterasys Switch is reporting for the same host for the same time frame:

As Expected

When looking at purely IP traffic, NetFlow has the advantage of collecting nearly everything hence the 4 fold increase over the sFlow interface above.

On the other hand, sFlow is not limited to IP traffic and results in more accurate overall utilization.

Notice below that the same Outbound traffic reported by NetFlow is under that stated by sFlow.

NetFlow Trend:

NetFlow Trend

sFlow Trend:

sFlow Trend

Regarding the above, sFlow reports on non IP traffic as well as broadcasts that are not exported by NetFlow.

Trent WaterhouseTrent Waterhouse - Marketing VP for Enterasys said:

"The Enterasys Matrix N-Series switches collect NetFlow statistics for every packet in every flow without sacrificing performance based on the nTERA ASIC capabilities."

Paul Congdon"Although we have considered the recent IPFIX solution (based on NetFlow v9), ProCurve currently favors sFlow for unification of our wired and wireless infrastructure because of its scalability, increased visibility and lower implementation costs within devices, which we pass directly on to our customers," said Paul Congdon - CTO of HP ProCurve.

When asked about the router market, Paul went on to say:

"In this particular market, the NetFlow feature is an important transition technology for the refresh and we do have plans in our next software release to support NetFlow in our WAN router products."

Taking a closer look at flow volumes back to the collector:

When Plixer reviewed the volume of sFlow traffic being sent by the Extreme Summit switch back to the Scrutinizer collector the results were again interesting.

The Extreme sFlow volume was 6 times that of the NetFlow sending Enterasys switch.

This is because Plixer configured the Extreme switch to sample as much as possible which generally isn’t necessary.

See below:

Collection Statistics

Note that many believe that sFlow is a 1:1 ratio of 1 packet per 1 sample.

This is not true.

As Wireshark points out below in the packet trace, a single sFlow packet had 8 packet samples in it:

Wireshark Points Out

You can read more technical information about these standards by reading the sFlow RFC or the IP Flow Information Export (IPFIX) Charter.

Note that a single NetFlow v5 or v9 packet can represent thousands of packets but, contains much less detail than sFlow.

Marc Bilodeau"NetFlow is much more accurate for IP statistics however, sFlow is more than a substitute for NetFlow," said Marc Bilodeau - CTO of Plixer International.

"It offers many more statistics than NetFlow does."

"Flexible NetFlow looks to take smart ideas from sFlow like sampling packets."

In Summary:

More testing needs to be done.

One would think that even with sampling, that statistically, the same top talkers would result with either technology over time and they didn’t.

Below is based on a 6 day trend on both switches.

Although the overall interface utilization trends look the same, the top hosts were inconsistent.

PLXRSW1 (NetFlow) is the Enterasys Switch:

Enterasys Switch

PLXRSW3 (sFlow) is the Extreme Summit Switch:

Extreme Switch

After comparing the first two switches reporting on the same traffic and seeing inconsistent top 10 host results, Plixer decided to review sFlow from a 3rd switch (i.e. the backup plan) looking at the same traffic.

The 3rd switch made by Alcatel PLXRSW2 was sampling at a much lower rate but, the top ten hosts were consistent with the Extreme sFlow switch.

PLXRSW2 (sFlow) is the Alcatel Switch:

Alcatel Switch

Related stories:

NetFlow or sFlow: which is the open standard?

Cisco’s NetFlow vs. Inmon’s sFlow: Which will prevail?

Cisco toe stepper HP ProCurve deftly hoofs over Cisco NetFlow

Did YOU find this blog informative?

Contact Brad Reese
http://www.BradReese.Com

Brad's Top 5 Story Picks
# 1. Cisco CBQoS delivers powerful QoS policy metrics
# 2. Brian Dennis - quintuple Cisco CCIE offers two $15 thousand dollar CCIE scholarships, one international and one US
# 3. Aruba scoffs at new Cisco mobility markitecture
# 4. Giancarlo vs. Chambers: Former number two at Cisco becomes number one at competitor Avaya
# 5. Superior RF design: Meru outperforms Cisco by 76%, Aruba by 59%
Story Archives Brad Reese on Cisco Story Archives

Cisco Jobs

Cisco Repair

Cisco Resumes

Cisco Power Supplies
  

The factor of 4

0
By Neil Mckee (not verified) on Thu, 04/23/2009 - 11:42pm.

That factor of 4 difference looks like a misunderstanding of the sFlow protocol. I suspect the Extreme switch adjusted the sampling rate as allowed by the standard (section 4.2.2 http://www.sflow.org/sflow_version_5.txt) -- a precaution to keep the monitoring overhead low even when the settings are irrational.

elaborate please

0
By Mike Patterson (not verified) on Fri, 04/24/2009 - 10:11pm.

Hello Neil,

Could you elaborate please? Do you have inside information on how Extreme works with sFlow?

I believe sFlow & NetFlow intended on targeting different markets but, we get many questions on the differences between the two. I posted a blog recently:
http://www.plixer.com/blog/products/scrutinizer/why-doesn%e2%80%99t-sflow-look-accurate/

Sincerely,

Michael Patterson
Product Manager - www.Scrutinizer.com

The factor of 4

0
By Neil McKee (not verified) on Sat, 04/25/2009 - 12:55pm.

Hi Mike,

No inside information required! It's just that sFlow is statistically rigorous and the accuracy is always known. For the test above you should have expected only a very small discrepancy. The factor of 4 implied that something else had gone wrong :) SFlow can be, and is, used for volumetric billing. Especially on networks that are too large or too fast for NetFlow to be generated and consumed cost-effectively.

I like your blog. The only comment I have is that comparing one NetFlow device with one sFlow device risks missing the bigger picture. When the comparison comes up in the real world the question is usually more like this: "If I buy from Cisco I get to monitor the routers, but if I buy from any other vendor I get to monitor the entire network".

Maybe Cisco will come around?

Neil McKee
InMon Corp.
www.inmon.com

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Welcome, visitor. Register Log in
Advertisement:
About Brad Reese on Cisco

Brad Reese cofounded BradReese.Com Cisco Refurbished which offers one year warranties on Cisco Refurbished and Cisco Repair.

Contact Brad Reese

Archives
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
Categories
1811 expands to 384Mbps of DRAM and 128Mbps of Flash
A UBS analyst is reporting that Cisco's losing market share across the board
A company's monthly network communications cost will be reduced
A government official in possession of a large corporate stockholding while that corporation is subject to administrative rulings by that same government official
Agito adds that its enterprise fixed mobile convergence (eFMC) platform enables low-cost in-building voice coverage
Agito introduced Agito for BlackBerry
Agito's BlackBerry smart phone functionality for Cisco VoIP
Agito's RIM BlackBerry support announcement
An assortment of communications companies
Apple iPhone 3G S
Apple will begin selling its new iPhone 3G S
Applying a Mask of 11111111.11111111.11111111.0000
Back in April the CCIE Security track changed
Before Cisco CTO Padmasree Warrior was hired by Cisco
Below are two addresses broken out from dotted decimal to binary and then redisplayed with dots separating octet boundaries
Bill Alderson - NetQoS Technology Consulting Officer
Black Hat attack on Cisco's network admission control (NAC)
Boas also led an educational session at the Gartner Security Summit
Boas shares his insight on the most prevalent threats to the enterprise network
Brings enterprise VoIP over WiFi for dual-mode BlackBerry smartphones
Careers
Certified by Cisco-Linksys technicians via Linksys ISO certification procedures
Chairman and CEO of Cisco China - Jim Sherriff
Cisco
Cisco 1811 IOS 12.4 with SDM is the standard for Cisco CCNA – Security Labs
Cisco 1811 is now standard on the Cisco CCIE Security Lab with IOS 12.4T
Cisco Flip Video Camera
Cisco NAC design flaws that the folks at Black Hat so alarmingly described
Cisco has produced a new CCIE count
Cisco has successfully made the market transition to selling refurbished Linksys directly to end users
Cisco is also offering its new home media ensemble
Cisco is celebrating its 25th anniversary this year
Cisco merged the Linksys channel partner program into Cisco's registered partner tier
Cisco only counts your CCIE number once
Cisco registered the shoplinksys.com domain name to sell refurbished Linksys
Cisco released its new worldwide CCIE count
Cisco sales plummeted $1.6 billion (Page 4) and operating income nose-dived $1 billion
Cisco shouldn’t until it works out the kinks
Cisco's executive biographies web page
Compromised the Cisco agent installed on the end system
Confirmation testimony before the U.S. Senate noteworthy
Customer-proven best practices of network access control (NAC)
DSL/Cable with the Cisco 1811 makes sense
Data Center
Desai previously served as Chief Operating Officer of Radware (NASDAQ: RDWR)
Didn’t RIM already support voice over WiFi?
Doesn’t RIM’s Ascendent acquisition give them this?
Dotted decimal addresses that end up falling under a non-octet boundary subnet mask
Dual CCIE #18532 Routing and Switching/Security - George Morton
Dual Cisco CCIE #18532 Security/R&S - George Morton
Dual-mode BlackBerry smartphones
During the first 9 months of Cisco's 2009 fiscal year under Warrior's leadership as CTO
Each eight bits being converted to decimal
Enables BlackBerry to be integrated into corporate PBXs and Unified Communications systems
Enterasys NAC is agent-less assessment based on a network scan
Enterasys security expert Dennis Boas
Enterasys uses multiple criteria beyond end system health assessment to assign and limit access granted to an end system
Enterprise concerns about the financial and management aspects of NAC
Enterprises that have standardized on the BlackBerry platform
FCC requires the old Bell System to report its T1 outage and that the repair needs to be under 4 hours for 95% of all T1 outages
Famous networking industry journalist
Feature allowing entry of a real address mask of your own to test if it is on the same or remote network
Flexible options with Enterasys NAC
HP and Liquid Computing
Half the smartphones in use in the US today are BlackBerry devices
How Cisco was working overtime AGAINST the Buy America provisions of the $7.2B broadband stimulus fund
How LiquidIQ Works
How useful do you find this subnet calculator?
I developed the Subnet Calculator to make learning more demonstrative and fun
I have worked for a handful of telecommunications companies of varying sizes
I voted for President Obama seeking change
In the subnet calculator the binary and the n
Interesting CCIE news from around the world
Internet access at the branch would run faster than traditional T1 services
Is Cisco getting ready to sell its refurbished gear directly to end users too?
Is George Morton on to something here?
It will kill the Cisco Flip video camera
Its been proven that a government official can be bribed with free dinners
Joel Bion - Senior Vice President of Cisco's Product Resiliency Research
LANs / WANs
Larry Strickling is confirmed as the new Administrator of the National Telecommunications and Information Administration (NTIA)
Last month Cisco missed the multiple CCIE numbers
Leaving Warrior with absolutely no future as the CTO of Motorola
Linksys by Cisco Certified Refurbished Product
Linksys by Cisco Wireless Home Audio System
Liquid Computing's definition of unified computing (LiquidIQ) is a flexible
LiquidIQ Business Continuity - Disaster Recovery Made Simple
LiquidIQ Technical Specifications
LiquidIQ Total Software Control - LiquidView Management
LiquidIQ can consolidate functions including web
LiquidIQ is the only UCS system that's listed by VMware to support VSphere
LiquidIQ is the only standards-based unified computing solution that’s in production today with paying customers
LiquidIQ was designed with built-in security
Made by Strickling during his March 19
Manny Rivelo - Senior Vice President of Cisco's Development Organization
Market failures for business class DSL/Cable is unacceptable
May 2009 vs. June 2009 Worldwide CCIE Count Comparison
Mobile features integrated into the BlackBerry
Morton believes with DSL/Cable services having up to 18Mbps of download availability
Morton's design would route all requests over the DMVPN-mGRE
Motorola operating earnings dropped $3.8 billion to a loss of $534 million
Motorola sales had collapsed by more than $4 billion (Page 1)
Multiple pipes with QoS for voice dedicated to one uplink and data services on the second link
My previous government service at the FCC provide me a unique background for the position of Assistant Secretary
NetQoS Subnet Calculator offers a view of every bit in the IP address to help network engineers understand how IP subnetting works
Network Management
Network World's Data Center Derby story acknowledged Liquid's first-mover advantage with its unified data center concept
Network performance management vendor NetQos
Network security vendor Enterasys
Nortel had purchased Alteon for $7.8 billion
Not too many senior executives are around from Cisco's early days
Omitted the years of Cisco service for both John Morgridge and Richard Justice because they are no longer full-time Cisco executives
Only 66% of all applicants who passed were for the CCIE Router and Switch track
Only one CCIE is a member of Cisco's 59 strong senior executive team
Pacific Rim CCIE numbers didn't change over the last 39 days
Pejman Roshan - Chief Marketing Officer of enterprise fixed mobile convergence (eFMC) vendor Agito Networks
Ponemon Institute reported
R & S + Security this year as the most popular dual CCIE track
R & S + Service Provider was 49% of the successful attempts for dual CCIE
RIM offers only data services over WiFi on their dual-mode smartphones
Radware recently purchased Nortel's application delivery business (Alteon) for the cut-rate price of $18 million
Refurbished product are mostly customer returns that meet original factory specifications
Refurbished product sold in the United States
Responsible for Cisco's IOS Software
SMB
Screenshot of the NetQoS Subnet Calculator
Security
Security mechanisms are used to validate the integrity and authenticity of the Enterasys agent for all server/agent communications
She was the CTO of Motorola and dismissed in her blog the introduction of the Apple iPhone
Showed that Stickling owned a large Cisco stock position
So we had 251 new CCIEs
Start by entering your address and mask in the calculator
Subject of Cisco's senior executive team came up
The Federal Reserve has moved from complex Cisco routers with T1 service to Cisco low end routers (ISR 1811) with DSL
The IOS 12.4 track with ISR routers is slowing down the Security CCIE track
The National Telecommunications and Information Administration (NTIA) granted Cisco its coveted Buy American Exception
The average tenure would be of the 61 executives listed on Cisco's Mount Rushmore
The change in the CCIE Security track has had a major impact on new security CCIEs
Until one takes some real addresses and experiments with how the mask affects the address bits
View Cisco's flash promotion for its home media ensemble
View more Cisco Tools
Vik Desai - President and Chief Executive Officer of unified computing infrastructure vendor - Liquid Computing
VoIP / Convergence
Warrior is now repeating her Motorola failure at Cisco
We're also now starting to see the CCIE Wireless track
We've experienced a new low for CCIE Security track
What exactly has Agito Networks announced this week?
What's your take on the implications of the new worldwide Cisco CCIE count?
Why is cellular-only PBX and UC integration incomplete?
Why the Enterasys NAC solution is doing so well
Why the Enterasys NAC solution is in such high demand
Wireless / Mobile
Within 9 months of the Apple iPhone introduction
On The Web
Twitter