Today I was sitting in a room with some colleagues and a debate started about which one is better - NetFlow vs. sFlow. Part of the people believed that NetFlow is better because it doesn't just sample the data (by default anyway) and sends all of the details. Part of the people liked sFlow better because it automatically samples the data and keeps the database size more manageable. Some of the people claimed that sFlow is better because it's processed at a hardware level and some of the people claimed that this was also true of some NetFlow devices. Some of the folks claimed that NetFlow was better at analyzing layer 3 traffic and some of the people claimed that sFlow was better for analyzing layer 2 traffic.

So, as the resident expert, I have decided to go out on a limb and end this debate once and for all.

It just plain doesn't matter.

Sure, I could debate the facts above but when you really think about it, none of it really matters. Stop worrying about whether NetFlow or sFlow is better - just use them. Most devices will only support one or the other - NetFlow or sFlow - so unless you're planning to replace your gear you probably don't have a choice. Likewise, if you're looking to purchase new networking hardware ask simply that it supports flow-based traffic analysis - Netflow, sFlow, or ipFix - and then move on to other features.

When it comes to Network Management Systems (NMSs), ensure the system you choose has an integrated flow collector and that it supports both NetFlow and sFlow. The Orion NetFlow Traffic Analyzer is a great example of this and of course there are many more out there. The real key is that it should integrate seamlessly into the rest of your NMS so that you can see the impact that the traffic is having upon other factors like CPU load, memory, buffer performance, and application responsiveness.

Keep in mind, no matter what flow protocol you use you're going to be collecting A LOT OF DATA. How you manage that data is the real key to successful traffic analysis.


Flame on...
Josh
Follow me on Twitter