What are Netflow and sFlow?

Supported by InfluxData

What is NetFlow?

NetFlow, introduced by Cisco and adopted by the network device industry at large, today is a widely supported standard used for network monitoring. NetFlow collects IP traffic as it enters or exits an interface, aggregates it into flows based on IP, port, class of service, protocol and source interface providing insight on bandwidth usage monitoring, congestion, potential DoS attacks. Also called a denial of service attack, a DoS attack occurs where a network is overrun with traffic unexpectedly — eventually taking it and all connected resources offline at the worst possible moment.

NetFlow follows a very straightforward process when collecting, sorting and analyzing your data. One of the main components of this is an IP flow, which consists of a group of packets that all contain the same IP attributes. Once a package is forwarded within a router or switch, it is examined and its attributes are broken down.

Another important element is the NetFlow cache, which is a database where all information is condensed and stored once those packets have been examined. Next comes the command line interface, known as CLI for short. This provides an immediate view of all network traffic and, because of its real-time nature, is ideal for troubleshooting certain types of issues you may be experiencing.

Alternatively, you may choose to expert your data to a NetFlow Collector open source solution and examine it that way. There are hardware-based and software-based collectors that you can choose from depending on your needs and what you're trying to accomplish at the moment.

What is sFlow?

sFlow is also an industry standard used for network monitoring. It defines a packet sampling (not all traffic) technology to provide continuous statistics on any protocol (L2, L3, L4, and up to L7). As it uses sampling, it can scale to high-speed networks. It is supported by multiple network device manufacturers and network management software vendors.

sFlow is unique in that it uses mandatory sampling to achieve maximum scalability. Because of this, it is ideal for use in high-speed networks — usually those with gigabit per second speeds or higher. Overall, a typical sFlow system will be broken down into two distinct types of sampling: that having to do with a random sampling of packets or larger, application layer operations.

Regardless, flow samples and counter samples are sent as sFlow diagrams to a main server running software that is built to analyze and report on all network traffic as it happens. This is also commonly described as an sFlow collector and it, too, is ideal for troubleshooting network issues as quickly as possible.

NetFlow vs sFlow

NetFlow and sFlow have two slightly different initial purposes. sFlow was designed to be compatible on as many different platforms as possible — including on network switches and routers. It uses a dedicated chip that is built into the hardware itself that takes the burden of analysis off of the CPU and the internal memory of the router, switch or other hardware in question. NetFlow, on the other hand, was software-based proprietary technology that was designed to be used exclusively on Cisco's Internet Operating System, or IOS.

Likewise, the way that these two solutions deal with packets is totally different. sFlow is pure packet sampling technology, which means that it's next to impossible to get 100% accurate values for traffic. NetFlow, on the other hand, can be nearly totally accurate and can track all incoming sessions on each enabled interface.

The history of sFlow vs NetFlow

NetFlow was originally introduced on Cisco routers in 1996. The first implementation, which is now obsolete, was restricted to IPv4 and did not include IP mask or AS numbers capabilities. The most common version is version five, which was released in 2009. It expanded compatibility to many routers from different brands, but it still was restricted to IPv4 flows.

sFlow was originally released by way of the sFlow.org consortium in 2004, in order to further "develop and promote" solutions based on the underlying technology. Just a few of the vendors that work directly with sFlow include Arista Networks, Cisco, Dell, Huawei, IBM, Juniper, LG-Ericsson and others. Thanks largely to the way that it makes up for certain limitations inherent in NetFlow, sFlow has become the leading standard for monitoring high-speed switched networks in existence.

NetFlow & sFlow network monitoring with InfluxData

InfluxData supports sFlow with an sFlow Telegraf plugin. This plugin provides support for acting as an SFlow V5 collector in accordance with the specification from sflow.org.

InfluxData also supports NetFlow and sFlow network monitoring via integration with network traffic analyzer appliances such as ntopng. ntopng can act as a collector of NetFlow/sFlow messages as well as raw packets inspector. ntopng analyzes network traffic in real time according to criteria such as host, interfaces and flows. It extracts metadata from captured packets and uses this information to identify who/what (application protocols) are generating the flows in the network and how much bandwidth is being consumed.

Both methods may produce a high number of series which could cause a high load on your database. Use the following techniques to avoid cardinality issues:

  • Use metric filtering options to exclude unneeded measurements and tags
  • Write to a database with an appropriate retention policy
  • Limit series cardinality in your database using the max-series-per-database and max-values-per-tag settings
  • Monitor your databases series cardinality
  • Consult the InfluxDB documentation for the most up-to-date techniques

Summary

Obviously, the decision of which solution to use will ultimately come down to you and what you're trying to accomplish. If you need a solution that will work on as many different devices as possible, sFlow is obviously the way to go because it is supported by multiple network device manufacturers and network management solution vendors. NetFlow, on the other hand, offers near total accuracy into who is communicating through a device — all while having a very minimal impact on its CPU. It will be compatible with a smaller number of devices, though.

All of these are important things to keep in mind before deciding which option to go with. Still have questions? Read the NetFlow and sFlow FAQ below.

Frequently asked questions about NetFlow and sFlow

Why do you need flow?

Flow data is very important in terms of network monitoring, as it allows users to visualize traffic patterns throughout the entire network. Teams can easily monitor when and how frequently users are accessing specific information, all so that they can make better and more informed choices regarding resource allocation moving forward. Flow data is also very helpful in terms of network planning — teams can prioritize maintenance and upgrades in terms of the number of ports, higher-bandwidth interfaces and more.

How are flows created?

A "flow" is simply a term used to describe active IP network traffic as it flows in or out of an interface. Flows usually contain a wide range of different pieces of information about devices and packets including points of origin, destination, volume and even the paths they took to get from one point to another.

What do you do with flow data?

Another one of the most important tasks you can accomplish with flow data has to do with security analysis. Using accurate and real-time flow data, teams can detect changes in network behavior that may fall outside the normal, predictable way of doing things. In other words, if something strange changes that may indicate that a data breach is coming, you can know about it and do something about it immediately — all in the name of stopping a small problem now before it becomes a much bigger one down the road.

Scroll to Top