[c-nsp] netflow sampling

sthaug at nethelp.no sthaug at nethelp.no
Tue May 19 16:34:23 EDT 2009

> But where is this sampling coming from? Is it sampling per flow - you count
> some packet of the flow but not all? Or is it that you sample some flows
> (each sampled flow accurately counting) but not the others, and you do this
> randomly?

Deterministic sampling: Every Nth packet has flow data extracted and
added to the flow cache. N is often 1000 or similar.

Random sampling: *On average* every Nth packet has flow data extracted
and added to the flow cache. Because the sampling is not deterministic,
it has somewhat better statistical properties.

An obvious corollary of sampling: Without sampling, a flow of, say, 20
packets will generate *one* flow record. With sampling, if at least
*one* packet from such a flow is sampled, you'll still get one flow
record. Thus, 1:N sampling will *not* reduce your netflow traffic, going
to your collector, by a factor of N. It will be reduced - just not as
much as you might think.

> Also in relation to netflow I see a lot of info like that '1:1500' and I
> think this is related to purchasing/licensing options. What does this '1:x'
> ratio mean?

Nothing to do with licensing, it simply refers to the sampling rate.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
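
The corollary above, worked through as a small simulation (an added example, not part of the original post): it applies deterministic and random 1:N sampling to the same packet stream and counts the flow records that result. The traffic mix, N=100, the seed and all function names are assumptions chosen for illustration, and each flow is assumed to yield exactly one record (no cache timeouts).

```python
import random

def packet_stream(flow_sizes, rng):
    """Interleave all flows' packets into one stream of flow ids."""
    packets = [fid for fid, size in enumerate(flow_sizes) for _ in range(size)]
    rng.shuffle(packets)
    return packets

def deterministic_sample(packets, n):
    """Deterministic sampling: exactly every Nth packet."""
    return packets[n - 1::n]

def random_sample(packets, n, rng):
    """Random sampling: each packet with probability 1/N (every Nth on average)."""
    return [p for p in packets if rng.random() < 1.0 / n]

def flow_records(sampled):
    """One flow record per flow that had at least one packet sampled."""
    return len(set(sampled))

def expected_records(flow_sizes, n):
    """Expected records under random sampling: sum of 1 - (1 - 1/N)^packets."""
    return sum(1 - (1 - 1.0 / n) ** size for size in flow_sizes)

def simulate(n=100, seed=1):
    rng = random.Random(seed)
    # Constructed traffic mix: 5000 flows of 20 packets, 50 flows of 2000 packets.
    flow_sizes = [20] * 5000 + [2000] * 50
    packets = packet_stream(flow_sizes, rng)
    det = deterministic_sample(packets, n)
    rnd = random_sample(packets, n, rng)
    return {
        "packets": len(packets),
        "records_unsampled": len(flow_sizes),
        "det_packets": len(det),
        "det_records": flow_records(det),
        "rnd_records": flow_records(rnd),
        "expected_records": expected_records(flow_sizes, n),
    }

if __name__ == "__main__":
    r = simulate()
    print(r)
    print("packet reduction: %.0fx" % (r["packets"] / r["det_packets"]))
    print("record reduction: %.1fx" % (r["records_unsampled"] / r["det_records"]))
```

With this mix the sampled packet count drops by exactly N, while the record count drops only by a factor of about 5, because the 20-packet flows are the ones that go missing and the large flows are almost always still seen.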

