[c-nsp] netflow sampling
Marlon Duksa
mduksa at gmail.com
Tue May 19 17:29:41 EDT 2009
I see. Thanks. Do you know of any 'non-sampled' implementation (by vendor)
or deployment (network) where all traffic is accounted for? What would you
normally use for a more accurate accounting/billing?Thanks,
Marlon
On Tue, May 19, 2009 at 2:18 PM, <sthaug at nethelp.no> wrote:
> > ok. Thanks. So there is a possibility that some flows will never be
> sampled
> > (accounted for). And even a bigger possibility that more packets of the
> same
> > flow will never be sampled.
>
> Absolutely.
>
> > It looks to me that the accuracy of such approach is pretty bad. How can
> you
> > use this for any meaningful accounting, much less billing.
>
> The accuracy is actually pretty good, as long as you remember that it is
> *sampled*, and what you get is statistics, not accurate accounting. You
> should *not* use sampled netflow for accounting/billing.
>
> We use sampled netflow for two main purposes:
>
> - Traffic planning - seeing what ASes we exchange the most traffic with,
> in order to find possible peering candidates, etc.
> - Abuse handling - after the fact analysis of DDoS attacks, port scans
> and similar.
>
> For our purposes, sampled netflow works well here.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>
More information about the cisco-nsp
mailing list