On 2012-07-13 19:30, David Hubbard wrote:
> [..]
> We don't use it for billing purposes, mostly for spotting malicious remote hosts doing things like scans, spotting traffic such as weird ports in use in either direction that warrant further investigation, [..]
The primary difference between NetFlow/IPFIX and sFlow is that NetFlow is unsampled while sFlow is sampled. As such, for these kinds of cases it might be more worthwhile to have NetFlow than sFlow, as you get all the source/dest ports.

On the other hand, sFlow can give you packet headers, and that might be useful if you get the first, say, 200 bytes of every flow. Though depending on the hardware, traffic volume and traffic mix, you might have to sample anyway.

Oh, and there is a small difference in the packet formats and the idea behind why something exists, but that won't hurt you too much.

Greets,
Jeroen
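An added example, not part of the original thread, illustrating the point above about sampling and scan detection: the same port-fanout check is run over every packet of a constructed trace and over a 1-in-64 sample of it. The addresses, the 20-port threshold, the sampling rate and the deterministic every-Nth sampling are assumptions made for the illustration.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src dst sport dport")

# Constructed documentation-range addresses, not real hosts.
SCANNER, CLIENT, SERVER = "203.0.113.5", "198.51.100.7", "192.0.2.10"


def build_packets():
    """Constructed trace: 100 one-packet probes (ports 1..100) mixed into 2000 HTTPS packets."""
    packets = []
    for i in range(2100):
        if i % 21 == 0:
            packets.append(Packet(SCANNER, SERVER, 40000, 1 + i // 21))
        else:
            packets.append(Packet(CLIENT, SERVER, 50000, 443))
    return packets


def sample(packets, n):
    """Deterministic 1-in-n packet sampling (an assumption; real exporters may randomize)."""
    return packets[::n]


def to_flows(packets):
    """Aggregate packets into flow records (src, dst, sport, dport) with packet counts."""
    flows = defaultdict(int)
    for p in packets:
        flows[p] += 1
    return flows


def port_fanout(flows):
    """Number of distinct destination ports seen per (src, dst) pair."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return {pair: len(seen) for pair, seen in ports.items()}


def suspected_scanners(flows, min_ports=20):
    """Pairs whose fanout reaches the (assumed) threshold of min_ports distinct ports."""
    return {pair: n for pair, n in port_fanout(flows).items() if n >= min_ports}


if __name__ == "__main__":
    full = to_flows(build_packets())
    sampled = to_flows(sample(build_packets(), 64))
    print("unsampled:", suspected_scanners(full))
    print("1-in-64  :", suspected_scanners(sampled), port_fanout(sampled))
```

With every packet accounted for, the probing source shows all 100 destination ports; in the sampled view only two of its single-packet probes survive, so the same threshold no longer flags it.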