Enterprise Networks & Servers
November 2006 issue

sFlow vs. NetFlow: What is the big difference and which should you support?

In the quest for better network management, increasing numbers of administrators are turning to flow monitoring. The question arises, however, which is better, sFlow or NetFlow? Both of these technologies have their benefits and are certainly much better solutions for detailed, enterprise-wide traffic analysis than the alternative of deploying numerous traffic analyzers. Deciding which to use requires taking a close look at how each technology works.

COMMON CHARACTERISTICS

NetFlow and sFlow are "Flow" technologies supported by some routers and switches. They consist of two elements. The first is a Flow generator, a switch or router which has NetFlow or sFlow reporting technology activated. The device then sends a steady stream of packets over the network containing information such as source and destination IP address, protocols and interfaces. A single Flow generator will typically send out as little as one packet every ten seconds or as much as 50 packets per second, depending on its configuration, number of ports, and amount of traffic flowing through it.

The other element is the Flow collector which receives the data from one or more Flow generators. The collector stores the information coming from the Flow generators and provides the administrator with reporting and analysis.

As the Flow collector creates its archive of traffic details, a front-end uses this data to provide the network administrator with details on who are the top talkers on a link, who they are communicating with, what protocol/application they are using and how long the connections last. This information can then be used for capacity planning, usage control, charge back, security and incident resolution.

Packet analyzers are an alternative to Flow technologies and, in fact, provide greater detail. However, packet analyzers also consume more resources. Because Flow technology can typically provide the information necessary to resolve 85 percent of incidents that would otherwise require the use of packet analyzers, packet analyzers become less important, though not completely obsolete.

FULL FLOW ANALYSIS

NetFlow started as a proprietary technology developed by Cisco Systems. It is included in Cisco's Internetwork Operating System (IOS), which comes embedded in its network hardware. The most widely deployed is version 5; however, v7 and v9 are becoming increasingly popular. Recently, the Internet Engineering Task Force released a proposed standard called IP Flow Information eXport (IPFIX), which is based on NetFlow v9's data export format. (Further details on the specification are available at www.ietf.org/html.charters/ipfix-charter.html) Vendors supporting NetFlow include Cisco, Enterasys Networks, Extreme Networks, Foundry Networks, Juniper Networks, Riverstone Networks (recently acquired by Lucent) and Packeteer.

NetFlow is a technology whereby the router keeps track of all conversations inbound on each interface it is enabled on. It examines packets based on seven key fields (source and destination IP address, source and destination port, Layer 3 protocol type, type-of-service byte and input logical interface). If two packets match on all seven criteria, it assigns them to the same flow or conversation.

Once the conversation has ended or is summarized, it is sent to the collector. A single NetFlow packet can be very large and contains details on anywhere from 24 to 30 conversations. If NetFlow is properly configured and the hardware isn't overloaded, this technology can be nearly 100 percent accurate at representing who is communicating through the device. Generally the load on the NetFlow-capable hardware is negligible, as is the volume of traffic it causes across the network.
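The flow matching and export behaviour described above can be sketched as a small flow cache. This is an added example, not code from Cisco or from the article; the timeout values, the addresses and the packet list are constructed for illustration.

```python
from collections import namedtuple

# The seven key fields the article lists; packets matching on all seven share a flow.
FlowKey = namedtuple("FlowKey", "src dst sport dport proto tos in_if")
TCP_FIN, TCP_RST = 0x01, 0x04
INACTIVE_TIMEOUT = 15  # assumed value (seconds idle before a flow counts as ended)
ACTIVE_TIMEOUT = 60    # assumed value (seconds before a long flow is summarized)

class FlowCache:
    def __init__(self):
        self.active = {}    # FlowKey -> running counters
        self.exported = []  # records that would be sent to the collector

    def _export(self, key, reason):
        self.exported.append({"key": key, "reason": reason, **self.active.pop(key)})

    def expire(self, now):
        for key, rec in list(self.active.items()):
            if now - rec["last"] >= INACTIVE_TIMEOUT:
                self._export(key, "inactive")
            elif now - rec["first"] >= ACTIVE_TIMEOUT:
                self._export(key, "active")

    def observe(self, ts, key, length, tcp_flags=0):
        self.expire(ts)
        rec = self.active.setdefault(
            key, {"first": ts, "last": ts, "packets": 0, "bytes": 0})
        rec["last"] = ts
        rec["packets"] += 1
        rec["bytes"] += length
        if tcp_flags & (TCP_FIN | TCP_RST):  # conversation ended
            self._export(key, "tcp-end")

def top_talkers(records):
    totals = {}
    for rec in records:
        totals[rec["key"].src] = totals.get(rec["key"].src, 0) + rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def run_sample():
    # Constructed packets: (timestamp, key, length, tcp_flags)
    web = FlowKey("10.0.0.5", "192.0.2.10", 40000, 443, 6, 0x00, 1)
    marked = web._replace(tos=0xB8)  # same conversation, different ToS byte
    dns = FlowKey("10.0.0.7", "192.0.2.53", 5353, 53, 17, 0x00, 1)
    cache = FlowCache()
    for pkt in [(0, web, 1500, 0), (1, web, 1500, 0), (1, marked, 200, 0),
                (2, web, 60, TCP_FIN), (20, dns, 80, 0)]:
        cache.observe(*pkt)
    cache.expire(100)  # flush whatever is still idle
    return cache.exported
```

The packet that differs only in its type-of-service byte is exported as its own flow record, which matters when flow records are correlated with firewall or proxy logs during an investigation.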

The commands to enable NetFlow are available via the hardware vendors. Typically vendors selling collectors also list the necessary configurations.

Earlier versions of NetFlow were an inbound-only technology. This means that traffic sent out an interface was not counted. NetFlow v9, however, gathers both inbound and outbound information. Further information on NetFlow is available from Cisco at www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html.

SWITCH SAMPLING

Like NetFlow, sFlow is a push technology that sends reports to a collector. But, while NetFlow is a software based technology, sFlow uses a dedicated chip that is built into the hardware. This approach removes the load from the router or switch's CPU and memory. Originally developed by InMon Corp., sFlow products have been available since 2002.

Alcatel, Allied Telesis, Extreme Networks, Foundry Networks, HP, Hitachi, Juniper Networks, NEC and a few others have devices with sFlow chips. sFlow isn't nearly as widely deployed as NetFlow so fewer collectors are available. The most current version is Version 5; however, Versions 2 and 4 are most widely deployed at this time. Further details on the standard can be found at www.sflow.org.

sFlow is a sample-only technology: one packet in every X is sampled, its length is noted, the majority of the packet is discarded, and the sample is sent off to the collector. Because the technology is sample based, accurate representation of 100 percent of the traffic per interface is nearly impossible. Complex algorithms have been proposed to statistically manipulate the collected data to represent total traffic with a probability of accuracy.
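To make the sampling trade-off concrete, the following added example (not code from InMon or the article) samples one packet in every N from constructed traffic, scales the samples back up, and reports which sources never appear in the sampled view. The every-Nth selection follows the description above and keeps the run reproducible; the error bound is the rule of thumb published by sFlow.org, which this page does not state and is used here as an assumption.

```python
import math

def build_traffic():
    """Constructed traffic: 10,000 (source, length) packets on one interface."""
    packets = []
    for i in range(1, 10001):
        if i in (11, 1234, 5001):
            packets.append(("10.0.0.66", 60))    # short three-packet conversation
        elif i % 7 == 0:
            packets.append(("10.0.0.9", 500))    # steady medium talker
        else:
            packets.append(("10.0.0.5", 1000))   # bulk transfer
    return packets

def true_totals(packets):
    """Exact per-source counts, as full flow accounting would report them."""
    totals = {}
    for src, length in packets:
        t = totals.setdefault(src, {"packets": 0, "bytes": 0})
        t["packets"] += 1
        t["bytes"] += length
    return totals

def sample_one_in_n(packets, n):
    """Keep every Nth packet, as the article describes; the rest go unreported."""
    return [p for i, p in enumerate(packets, start=1) if i % n == 0]

def estimate(samples, n):
    """Scale each sample by N to estimate per-source totals."""
    est = {}
    for src, length in samples:
        e = est.setdefault(src, {"samples": 0, "packets": 0, "bytes": 0})
        e["samples"] += 1
        e["packets"] += n
        e["bytes"] += length * n
    for e in est.values():
        # Assumption: sFlow.org's rule of thumb for 95% confidence,
        # percent error <= 196 * sqrt(1 / samples in the class).
        e["max_error_pct"] = 196 * math.sqrt(1 / e["samples"])
    return est

def missed_sources(packets, n):
    """Sources present in the traffic that never appear in the sampled view."""
    sampled = estimate(sample_one_in_n(packets, n), n)
    return set(true_totals(packets)) - set(sampled)
```

With N = 100 the two heavy talkers are estimated to within a few percent, while the three-packet conversation from 10.0.0.66 is absent from the sampled data entirely; that gap is what to keep in mind when sampled flow data is the only record available for incident resolution.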

Despite the sample architecture of sFlow, this technology is still incredibly useful and provides fantastic insight for the network administrator who feels he/she is flying blind on the details of the traffic on the network.

The commands to enable sFlow are available from the hardware vendors. Typically vendors selling collectors also list the necessary configurations.

SOFTWARE COLLECTORS

Accessing the data generated by either an sFlow- or NetFlow-enabled device requires a collector. A Google search on either sFlow or NetFlow will drum up a plethora of vendors with collector analyzers, many of whom support the analysis of both. Some of the software comes from the hardware manufacturers. HP's OpenView and Foundry Networks' IronView both support sFlow.

There is also some decent freeware such as ntop (www.ntop.org), a network traffic probe that shows the network usage. Another popular collector is the Scrutinizer Flow Analyzer from Plixer International Inc., which works with both NetFlow and sFlow data. A free version gives data at five-minute intervals for a 24-hour period on an unlimited number of flows. There are also two commercial versions of Scrutinizer that extend its functionality up to five switches/routers or to an unlimited number of devices.

Fortune 500 enterprises, however, would be more likely to use something like NetQoS, Inc.'s ReporterAnalyzer appliance or the options in their HP OpenView or IBM Tivoli management suites. ReporterAnalyzer (www.netqos.com/solutions/reporteranalyzer/index.html), for example, is designed for use on the world's largest enterprise networks and is part of the NetQoS Performance Center suite of management software. Technology services firm Schlumberger, for example, uses it to analyze traffic on the company's WAN, which connects 600 sites in more than 100 countries.

For IBM customers, several products provide NetFlow support. For example, the IBM Tivoli Usage and Accounting Manager V6.1 (www.ibm.com/common/ssi/rep_ca/5/897/ENUS206-215/ENUS206-215.PDF), based on technology acquired from the purchase of CIMS Lab Inc., uses NetFlow as one method of determining usage for accounting and charge back purposes.

Similarly, HP offers NetFlow products. Among them is its Performance Insight Report Pack for NetFlow Interfaces 1.0 (http://h20229.www2.hp.com/products/ovpi/ds/ovpi_net_ds.pdf), which integrates with other HP Performance Insight and OpenView software such as the Network Node Manager advanced edition. Additional products from IBM or HP that support NetFlow can be located by performing a query on the companies' websites.

ALL OF THE ABOVE

Both Flow technologies offer a significant improvement over just using SNMP trending. So, which standard should you support, sFlow or NetFlow?

The answer is probably both. To begin with, you are limited by which protocol your hardware manufacturer supports. The hardware will typically only support one or the other. If you have a purely Cisco network, all you will need to support is NetFlow. If, however, you have HP Procurve switches and Cisco routers, then you would use sFlow for the switches and NetFlow for the routers. It is not uncommon to see sFlow on the LAN and NetFlow on the WAN/Internet.

In selecting a collector, therefore, it is best to choose one that will support both protocols. This gives greater vendor independence when selecting new components, rather than being locked into a particular brand or type of hardware. ENS

Joe Zwers is a free-lance writer covering high-tech issues. He may be contacted via www.pcinews.com.

 
This article appears in the November 2006 issue of Enterprise Networks & Servers.


Copyright ©2003-2010 by Publications & Communications Inc. (PCI)
All rights reserved. Reproduction without written consent is prohibited.
