[c-nsp] netflow sampling

Marlon Duksa mduksa at gmail.com
Tue May 19 17:29:41 EDT 2009

I see. Thanks. Do you know of any 'non-sampled' implementation (by vendor)
or deployment (network) where all traffic is accounted for? What would you
normally use for a more accurate  accounting/billing?Thanks,

On Tue, May 19, 2009 at 2:18 PM, <sthaug at nethelp.no> wrote:

> > ok. Thanks. So there is a possibility that some flows will never be
> sampled
> > (accounted for). And even a bigger possibility that more packets of the
> same
> > flow will never be sampled.
> Absolutely.
> > It looks to me that the accuracy of such approach is pretty bad. How can
> you
> > use this for any meaningful accounting, much less billing.
> The accuracy is actually pretty good, as long as you remember that it is
> *sampled*, and what you get is statistics, not accurate accounting. You
> should *not* use sampled netflow for accounting/billing.
> We use sampled netflow for two main purposes:
> - Traffic planning - seeing what ASes we exchange the most traffic with,
> in order to find possible peering candidates, etc.
> - Abuse handling - after the fact analysis of DDoS attacks, port scans
> and similar.
> For our purposes, sampled netflow works well here.
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no

More information about the cisco-nsp mailing list