# NetFlow and sFlow

## NetFlow <a href="#netflow" id="netflow"></a>

### About NetFlow <a href="#about-netflow" id="about-netflow"></a>

NetFlow is a telemetry protocol that allows for the collection of IP statistics on interfaces where it is enabled. A "flow" is a unidirectional data set; that is to say, it is one side of the connection, not both. Once selected and collected, this data is exported in binary format to a remote collector. Typically, routing platforms export NetFlow, whereas switching platforms export sFlow.

### NetFlow Versions Supported <a href="#netflow-versions-supported" id="netflow-versions-supported"></a>

* v5
* v9
* v10 (IPFIX)

#### NetFlow Version Differences of Note <a href="#netflow-version-differences-of-note" id="netflow-version-differences-of-note"></a>

* v5 does not support IPv6 due to its specification: the IP fields are not big enough to hold an IPv6 address.
* v9 and v10 are template based, which gives flexibility. However, these templates are often set by vendors and are not configurable by the end user.
* v9 and v10 templates are NOT sent with the records themselves but at an independent interval. Templates have to be received before data can be decoded. Also, if scaling horizontally, templates need to be replicated to the other collectors or they will not be able to decode flows.
* In v9 and v10, the sample rate is no longer reported in every flow packet. It is typically defined in an options template, which comes at a configurable interval.
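
The template dependency described above, shown as a small NetFlow v9 decoder. This is an added example, not Netography's collector code: the `V9Collector` class, the field-name subset and the sample packets are assumptions made for illustration, and it handles v9 only (IPFIX uses a different header and set IDs).

```python
import struct
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port", 11: "dst_port"}  # RFC 3954 subset

class V9Collector:
    def __init__(self, max_pending=64):  # cap on flowsets held per missing template
        self.templates, self.pending, self.max_pending = {}, {}, max_pending

    def feed(self, exporter, packet):  # returns every record decodable after this packet
        version, *_, source_id = HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError("not NetFlow v9")
        out, off = [], HEADER.size
        while off + 4 <= len(packet):
            fs_id, length = struct.unpack_from("!HH", packet, off)
            if length < 4 or off + length > len(packet):
                raise ValueError("bad flowset length")
            body, off = packet[off + 4:off + length], off + length
            key = (exporter, source_id, fs_id)  # template IDs are scoped to exporter + source ID
            if fs_id == 0:                       # template flowset
                out += self._learn(exporter, source_id, body)
            elif fs_id > 255 and key in self.templates:
                out += self._decode(self.templates[key], body)
            elif fs_id > 255 and len(self.pending.setdefault(key, [])) < self.max_pending:
                self.pending[key].append(body)   # no template yet: hold it, do not guess
        return out

    def _learn(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, n = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * n > len(body):
                break                            # padding or truncated template
            key = (exporter, source_id, tid)
            self.templates[key] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
            pos += 4 + 4 * n
            for held in self.pending.pop(key, []):
                yield from self._decode(self.templates[key], held)

    def _decode(self, fields, body):
        pos, size = 0, sum(flen for _, flen in fields)
        while size and pos + size <= len(body):  # trailing padding is shorter than one record
            rec = {}
            for ftype, flen in fields:
                rec[NAMES.get(ftype, ftype)], pos = int.from_bytes(body[pos:pos + flen], "big"), pos + flen
            yield rec

# Constructed sample packets: the data flowset (template 256) is sent before its template.
DATA = HEADER.pack(9, 1, 0, 0, 0, 1) + bytes.fromhex("0100000c 01bb 06 000005dc 00")
TMPL = HEADER.pack(9, 1, 0, 0, 0, 1) + bytes.fromhex("00000014 01000003 000b0002 00040001 00010004")
```

Feeding `DATA` first returns nothing; the record only appears once `TMPL` has been fed to the same collector instance. The `templates` dictionary is the state that has to be replicated when collectors are scaled horizontally.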

#### NetFlow Configuration Recommendations <a href="#netflow-configuration-recommendations" id="netflow-configuration-recommendations"></a>

* Set `active-timeout` to 60
* Set `run-length` to 0 if it exists on your platform
* Only sample input on chosen interfaces
* Follow the sample rate table below based on traffic volume, and then adjust once configured

## sFlow <a href="#sflow" id="sflow"></a>

### About sFlow <a href="#about-sflow" id="about-sflow"></a>

sFlow is a telemetry protocol that allows for the collection of IP statistics and counters on interfaces where it is enabled. sFlow is implemented on most switching platforms and employs packet sampling as a means to select which IP communications to export to a specified collector. sFlow copies the entire packet header so there is enhanced visibility into other layers.

### sFlow Versions Supported <a href="#sflow-versions-supported" id="sflow-versions-supported"></a>

* v5

#### sFlow Configuration Recommendations <a href="#sflow-configuration-recommendations" id="sflow-configuration-recommendations"></a>

* Only sample input/ingress on chosen interfaces
* Follow the sample rate table below based on traffic volume, and then adjust once configured
* Note: Netography does not currently ingest counter records

### Comparing NetFlow and sFlow <a href="#comparing-netflow-and-sflow" id="comparing-netflow-and-sflow"></a>

#### Flow Sampling (NetFlow) vs. Packet Sampling (sFlow) <a href="#flow-sampling-netflow-vs-packet-sampling-sflow" id="flow-sampling-netflow-vs-packet-sampling-sflow"></a>

There is no superior solution between the two as each has its advantages and disadvantages. With flow sampling, the device picks a 5-tuple (source IP, source port, destination IP, destination port, protocol) depending on the sampling algorithm and tracks relevant statistics for the flow's duration, then exports them at the appropriate time. With packet sampling, the exporter picks every Nth packet and reports the details of that packet.

#### NetFlow Advantages <a href="#netflow-advantages" id="netflow-advantages"></a>

* Full byte and packet counts for a chosen flow
* All seen TCP Flags for a chosen flow
* Flow start time, end time, and duration

#### sFlow Advantages <a href="#sflow-advantages" id="sflow-advantages"></a>

* Full packet header and up to 128 bytes of payload
* Less latency in delivering records
* Utilizes fewer resources on devices generating records

#### Netography Use Case Recommendation <a href="#netography-use-case-recommendation" id="netography-use-case-recommendation"></a>

NetFlow has a considerable advantage in understanding the complete communication between various devices on the network. However, sFlow will provide more timely updates, so if understanding traffic within seconds is desirable, then sFlow may be a better choice. If the packet headers that your particular devices provide in the sFlow records are useful, that may be a benefit of sFlow.

## Sample Rate Guide Table <a href="#sample-rate-guide-table" id="sample-rate-guide-table"></a>

The table below is a good starting point for configuring a sample rate based on the network device bandwidth volume. Once you see the volume of flow records generated with this sample rate, consider making additional adjustments to tune this setting. A lower sample rate will produce more records but provide a higher level of granularity.

| Bandwidth             | Sample Rate |
| --------------------- | ----------- |
| N < 1 Gbps            | 10          |
| 1 Gbps < N < 10 Gbps  | 100         |
| 10 Gbps < N < 25 Gbps | 1000        |
| N > 25 Gbps           | 8000        |

