[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

sFlow vs netFlow/IPFIX

On 29 Feb 2016, at 14:26, Pavel Odintsov wrote:

> From my own experience sflow should be selected if you are interested 
> in internal packet payload (for dpi / ddos detection) or you need fast 
> reaction time on some actions (ddos is best example).

This does not match my experience.  In particular, the implied canard 
about flow telemetry being inadequate for timely DDoS 
detection/classification/traceback grows tiresome, as it's used for that 
purpose every day, and works quite well.

If one is also using an IDMS-type device to mitigate DDoS traffic, the 
device sees the whole packet, anyways.

Roland Dobbins <rdobbins at arbor.net>