On Wed, 2 Jan 2019 at 12:32, Dave Bell <[email protected]> wrote:
> Netflow/Jflow/IPFIX does not sample packets. It samples flows. A flow is
> (could be?) made up of many packets.
Everyone probably means the same thing here, but the way you are saying it is very confusing to me.

Sampling means we do not look at every packet; we use some algorithm like 'every nth' to choose which _packet_ gets looked at. After we've chosen which _packet_ gets looked at, we store state, or a flow, for that packet; if we already have an applicable flow stored, we add the packet/byte count to that stored flow. Further, the IPFIX receiver will then multiply the packet and byte counts of flows by the sampling ratio, to approximate the actual amount of packets/bytes seen in a given flow.

There are a few reasons to choose a non-1:1 sampling algorithm:

- regulatory requirements
- HW can't support 1:1
- desire to see fewer flows

In the absence of a specific reason not to do 1:1, you should do 1:1. Even with 1:100 many flows will be just invisible to you, because there are a lot of short flows and statistically you'll never pick any packet out of that flow, so you'll never record it. Sampling will necessarily hide information, which is fine for traffic volume trending, DDoS etc.

Trio does IPFIX in HW; it can inspect each and every packet at no different cost. So if your flow table can survive it, do 1:1 and get more visibility.

--
++ytti
_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
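The mechanism described in the reply above (exporter picks every nth packet, updates a flow table only for picked packets, collector multiplies the counts back up) and its side effect on short flows, as an added worked example that is not part of the thread, not ytti's code, and not a model of Juniper Trio hardware. The packet stream is constructed: one long "elephant" flow of 10,000 packets with 200 three-packet "mouse" flows spliced in; the flow key, packet sizes and the 1:100 ratio are assumptions chosen for illustration.

```python
"""
Toy model of every-Nth packet sampling as done by an IPFIX/NetFlow exporter,
and the rescaling the collector applies afterwards.
Constructed example: not Juniper code, not a model of Trio hardware.
"""
from collections import defaultdict


def build_stream():
    """Construct a deterministic packet stream (constructed test data).

    One long 'elephant' flow of 10,000 x 1500-byte packets, with 200 short
    'mouse' flows of 3 x 100-byte packets each spliced in after every 50
    elephant packets.  Each packet is (flow_key, byte_count).
    """
    stream = []
    for k in range(200):
        stream.extend([("elephant", 1500)] * 50)
        stream.extend([(f"mouse-{k}", 100)] * 3)
    return stream


def export_flows(stream, ratio):
    """Exporter side: look only at every `ratio`-th packet (1:ratio sampling)
    and create/update a flow record only for the packets that were picked."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for index, (key, nbytes) in enumerate(stream):
        if index % ratio != 0:
            continue  # unsampled packets never touch the flow table
        rec = table[key]
        rec["packets"] += 1
        rec["bytes"] += nbytes
    return dict(table)


def collector_estimate(records, ratio):
    """Collector side: multiply the sampled packet/byte counts by the
    sampling ratio to approximate what the exporter actually forwarded."""
    return {key: {"packets": r["packets"] * ratio, "bytes": r["bytes"] * ratio}
            for key, r in records.items()}


def p_flow_invisible(packets_in_flow, ratio):
    """Probability that a flow of `packets_in_flow` packets leaves no record
    at all, assuming each packet is picked independently with probability
    1/ratio (an approximation of systematic every-Nth sampling)."""
    return (1 - 1 / ratio) ** packets_in_flow


def visibility_report(ratio):
    """Run exporter + collector at the given ratio and summarise what survives
    compared with the 1:1 ground truth."""
    stream = build_stream()
    truth = collector_estimate(export_flows(stream, 1), 1)
    est = collector_estimate(export_flows(stream, ratio), ratio)
    mice = [k for k in est if k.startswith("mouse-")]
    return {
        "ratio": ratio,
        "elephant_true_bytes": truth["elephant"]["bytes"],
        "elephant_est_bytes": est["elephant"]["bytes"],
        "mice_total": 200,
        "mice_seen": len(mice),
        # estimated packet count for each mouse flow that did get a record
        "mouse_est_packets": sorted({est[k]["packets"] for k in mice}),
        "p_mouse_invisible": p_flow_invisible(3, ratio),
    }


if __name__ == "__main__":
    for ratio in (1, 100):
        print(visibility_report(ratio))
```

At 1:1 every mouse flow is recorded with its true 3 packets. At 1:100 the elephant's byte total is still estimated correctly, but only a handful of the 200 mouse flows get any record at all, and each of those is reported as 100 packets instead of 3: the volume trend survives, the per-flow picture does not, which is the point made above.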

