03-27-2006 10:03 AM
We need to monitor our bandwidth usage and traffic on our WAN links, and I was wondering what the difference is between using NetFlow and using a sniffer product. Any opinions would be appreciated.
03-27-2006 03:12 PM
Ken,
It's kinda personal preference how you monitor bandwidth for your WAN. I like using a program called CACTI (www.cacti.net); it gives you MRTG-like graphs but makes it much simpler to add devices. It uses SNMP to talk to the routers and pull interface statistics. This will give you the input and output averages of your interfaces over a period of five minutes and capture those 5-minute averages as historical data, giving you a baseline of traffic.
If you're looking for a more granular approach, you can use NetFlow to get a per-address status of traffic transferred. You'll have to use a third-party collector like ntop or some other NetFlow collector to do reports.
Sniffer-based solutions can be useful in capturing per-user statistics. Depending on how your WAN is laid out, you may have to build multiple instances for each site.
Patrick
04-03-2006 04:12 AM
Hello.
The difference is in the depth of monitoring.
1. SNMP monitoring - it is best for monitoring L2 and bandwidth, but you cannot see which host or application is using your line. (tools such as MRTG, Nagios ...)
2. NetFlow monitoring - nice for monitoring L3/L4 information; you can see who communicates with whom, which application consumes the line, etc... (our company is developing a NetFlow monitoring solution; see: http://www.caligare.com for more information)
3. Sniffer - most detailed monitoring; you can see application data. The disadvantage is that you can monitor only one line. A sniffer reads all data on the monitored line. (you can use tools such as Ethereal, tcpdump, etc...)
Jan
06-02-2006 12:57 PM
We have a simple hub-and-spoke network (MPLS). I can get utilization reports (Concord eHealth) on any link. We have sites that will have intermittent and sometimes sustained utilization. I have a 2610 at each site. I assume that NetFlow identifies by IP address, not by user ID (and in our case a NetWare environment).
Then your product makes it easy to see what an IP address is doing?
06-03-2006 05:53 AM
I would say that a sniffer is more capable of in-depth packet decoding than NetFlow. On the other hand, you would need to connect the sniffer to your WAN interface in order to collect traffic, thus potentially disrupting connectivity. With NetFlow it's a matter of configuring the router.
An additional consideration is that NetFlow may impose a heavy load on the router, and you would need a proper machine to collect the large amounts of data reported, while the sniffer doesn't overload the routers nor any in-bound bandwidth.
HTH,
Yigal
06-06-2006 01:19 AM
A sniffer is more a troubleshooting tool than a tool for constant monitoring. If you sniff, you capture every packet and store it on your hard drive. Say you want to do 24-hour monitoring 7 days a week. I need an incredibly big hard drive.
NetFlow collects statistics, not the whole packet. So that is better suited for monitoring.
06-13-2006 12:14 AM
Hello! The difference is that ipflow is statistics about IP traffic that are stored in a UDP packet that is sent from time to time to the NMS station, and sniffing is real-time inspection. It depends on what you need. If you want to monitor real, and I mean REAL TIME, traffic with packet structure, it is better to use sniffing products. (They generate a lot of data...)
If you want to see almost real-time IP statistics (who uses what protocol, source and destination IP and port) without real-time packet structure, use ipflow..... (see great product http://netflow.cesnet.cz/)
If you need just bandwidth statistics, use SNMP with Cacti... MRTG.....