[c-nsp] netflow sampling

Marlon Duksa mduksa at gmail.com
Tue May 19 17:08:43 EDT 2009

ok. Thanks. So there is a possibility that some flows will never be sampled
(accounted for). And even a bigger possibility that more packets of the same
flow will never be sampled.
It looks to me that the accuracy of such approach is pretty bad. How can you
use this for any meaningful accounting, much less billing.

Pardon my ignorance on the subject, just trying to understand the concept.

And you guys who uesed it are happy with the accuracy?

On Tue, May 19, 2009 at 1:34 PM, <sthaug at nethelp.no> wrote:

> > But where is this sampling coming from? Is it sampling per flow - you
> count
> > some packet of the flow but not all? Or is it that you sample some flows
> > (each sampled flow accurately counting) but not the others, and you do
> this
> > randomly?
> Deterministic sampling: Every Nth packet has flow data extracted and
> added to the flow cache. N is often 1000 or similar.
> Random sampling: *On average* every Nth packet has flow data extracted
> and added to the flow cache. Because the sampling is not deterministic,
> it has somewhat better statistical properties.
> An obvious corollary of sampling: Without sampling A flow of, say, 20
> packets, will generate *one* flow record. With sampling, if at least
> *one* packet from such a flow is sampled, you'll still get one flow
> record. Thus, 1:N sampling will *not* reduce your netflow traffic, going
> to your collector, by a factor of N. It will be reduced - just not as
> much as you might think.
> > Also in relation to netflow I see a lot of info like that '1:1500' and I
> > think this is related to purchasing/licensing options.What does this
> '1:x'
> > ratio means?
> Nothing to do with licensing, it simply refers to the sampling rate.
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

More information about the cisco-nsp mailing list