nanog mailing list archives
Re: Real world sflow vs netflow?
From: Peter Phaal <peter.phaal () gmail com>
Date: Tue, 17 Jul 2012 10:16:11 -0700
In the case of sFlow, the collector determines how to report bytes. The sFlow agent reports the size of the sampled layer 2 frame (along with the first 128 bytes of the frame) and the collector can choose whether to report L2 bytes, L3 bytes, L4 bytes etc. by subtracting the sizes of the headers. It seems likely that the sFlow collector used in the tests was reporting L3 bytes since the numbers were in agreement with the numbers reported by NetFlow. Peter On Tue, Jul 17, 2012 at 8:32 AM, Simon Leinen <simon.leinen () switch ch> wrote:
James Braunegg writes:That being said both netflow and sflow both under read by about 3% when compared to snmp port counters, which we put to the conclusion was broadcast traffic etc which the routers didn't see / flow.That's one reason, but another reason would be that at least in Netflow (but sFlow may be similar depending on how you use it), the reported byte counts only include the sizes of the "L3" packets, i.e. starting at the IP header, while the SNMP interface counters (ifInOctets etc.) include L2 overhead such as Ethernet frame headers and such. -- Simon.
Current thread:
- Re: Real world sflow vs netflow?, (continued)
- Re: Real world sflow vs netflow? Łukasz Bromirski (Jul 14)
- Re: Real world sflow vs netflow? Mikael Abrahamsson (Jul 14)
- Re: Real world sflow vs netflow? Łukasz Bromirski (Jul 14)
- Re: Real world sflow vs netflow? Paolo Lucente (Jul 15)
- Re: Real world sflow vs netflow? Nick Hilliard (Jul 15)
- RE: Real world sflow vs netflow? James Braunegg (Jul 16)
- RE: Real world sflow vs netflow? David Hubbard (Jul 16)
- RE: Real world sflow vs netflow? James Braunegg (Jul 16)
- Re: Real world sflow vs netflow? Łukasz Bromirski (Jul 14)
- Re: Real world sflow vs netflow? Simon Leinen (Jul 17)
- Re: Real world sflow vs netflow? Nick Hilliard (Jul 17)
- Re: Real world sflow vs netflow? Peter Phaal (Jul 17)