[c-nsp] netflow sampling

sthaug at nethelp.no sthaug at nethelp.no
Tue May 19 17:18:59 EDT 2009

> ok. Thanks. So there is a possibility that some flows will never be sampled
> (accounted for). And even a bigger possibility that more packets of the same
> flow will never be sampled.


> It looks to me that the accuracy of such approach is pretty bad. How can you
> use this for any meaningful accounting, much less billing.

The accuracy is actually pretty good, as long as you remember that it is
*sampled*, and what you get is statistics, not accurate accounting. You
should *not* use sampled netflow for accounting/billing.

We use sampled netflow for two main purposes:

- Traffic planning - seeing what ASes we exchange the most traffic with,
in order to find possible peering candidates, etc.
- Abuse handling - after the fact analysis of DDoS attacks, port scans
and similar.

For our purposes, sampled netflow works well here.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

More information about the cisco-nsp mailing list