[ARGUS] PAPER: Building a Better Netflow

eric eric at catastrophe.net
Wed Aug 4 15:08:42 EDT 2004


Some of you might be interested in reading this:

``Network operators need to determine the composition of the traffic
mix on links when looking for dominant applications, users, or
estimating traffic matrices. Cisco's NetFlow has evolved into a
solution that satisfies this need by reporting flow records that
summarize a sample of the traffic traversing the link. But sampled
NetFlow has shortcomings that hinder the collection and analysis of
traffic data. First, during flooding attacks router memory and
network bandwidth consumed by flow records can increase beyond what
is available; second, selecting the right static sampling rate is
difficult because no single rate gives the right tradeoff of memory
use versus accuracy for all traffic mixes; third, the heuristics
routers use to decide when a flow is reported are a poor match to
most applications that work with time bins; finally, it is
impossible to estimate without bias the number of active flows for
aggregates with non-TCP traffic.''

<http://www.caida.org/outreach/papers/2004/tr-2004-03/tr-2004-03.pdf>
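The first two shortcomings named in the quoted abstract (flow-record memory growth during a flood, and no single static sampling rate fitting every traffic mix) can be seen in a small simulation. This is an added example, not code from the original post or from the paper; the trace, the flow names and the 4096-entry cache limit are constructed assumptions.

```python
import random
from collections import Counter

TABLE_LIMIT = 4096  # assumed flow-cache capacity in entries (illustrative, not from the paper)

def make_trace(flood_packets=0):
    """Constructed trace: one flow key per packet."""
    trace = ["heavy"] * 9000                                        # one dominant flow
    trace += [f"small-{i}" for i in range(100) for _ in range(10)]  # 100 ten-packet flows
    trace += [f"flood-{i}" for i in range(flood_packets)]           # spoofed sources, 1 packet per flow
    return trace

def sample(trace, n, seed=1):
    """Static 1-in-n random packet sampling; returns sampled packet count per flow."""
    rng = random.Random(seed)
    return Counter(key for key in trace if rng.random() < 1.0 / n)

def summarize(trace, n):
    """Flow-cache size and accuracy indicators for one sampling rate."""
    cache = sample(trace, n)
    return {
        "entries": len(cache),                     # flow records the router must hold
        "over_limit": len(cache) > TABLE_LIMIT,    # would exceed the assumed cache
        "heavy_estimate": cache["heavy"] * n,      # scaled estimate; true value is 9000
        "small_flows_seen": sum(1 for k in cache if k.startswith("small-")),  # of 100
    }

if __name__ == "__main__":
    for label, trace in (("normal", make_trace()), ("flood", make_trace(200_000))):
        for n in (10, 1000):
            print(label, f"1-in-{n}", summarize(trace, n))
```

A rate of 1-in-10 sees most small flows in normal traffic but overruns the cache once every flood packet creates its own flow entry; 1-in-1000 survives the flood but misses nearly all small flows and gives a coarse estimate for the dominant one.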



