> ok. Thanks. So there is a possibility that some flows will never be sampled > (accounted for). And even a bigger possibility that more packets of the same > flow will never be sampled.
Absolutely. > It looks to me that the accuracy of such approach is pretty bad. How can you > use this for any meaningful accounting, much less billing. The accuracy is actually pretty good, as long as you remember that it is *sampled*, and what you get is statistics, not accurate accounting. You should *not* use sampled netflow for accounting/billing. We use sampled netflow for two main purposes: - Traffic planning - seeing what ASes we exchange the most traffic with, in order to find possible peering candidates, etc. - Abuse handling - after the fact analysis of DDoS attacks, port scans and similar. For our purposes, sampled netflow works well here. Steinar Haug, Nethelp consulting, [email protected] _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
