A flow is a measure of data transferred between two particular hosts. It consists of all the traffic over a period of time that shares the same characteristics:
- Same Source IP address and port
- Same Destination IP address and port
- Same layer-3 protocol type (TCP, UDP, ICMP, etc.)
- Same ToS (type of service)
- Same input logical interface (e.g., ifIndex)
NetFlow is a Cisco protocol that lets a network manager get insight into the kind of traffic flowing on the network, and which computer(s) are sending it. NetFlow exporters (generally routers and switches) send information about the flows passing through them to a NetFlow collector for storage and analysis. NetFlow is also considered a suite of protocols that includes IPFIX and J-Flow, Juniper Networks' version of NetFlow.
NetFlow defines a "flow" as a unidirectional series of packets from IP A to IP B, using some protocol (TCP, UDP, ICMP, etc.). When the packets use either TCP or UDP, the flow is further specified by a pair of ports; for instance, 10.20.30.40:53823->220.127.116.11:443 TCP. Since most communications require both sides to transmit packets, NetFlow often reports two flows for every communication, accounting for the packets and bytes that went in each direction. A proper flow collector and analyzer will correlate these with each other for you, so that you can see a report of a full conversation.
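The correlation step a collector performs can be sketched as follows. This is an added example, not code from any particular NetFlow collector; the record fields, the sample flows and the "earliest flow marks the initiator" rule are assumptions made for illustration.

```python
from collections import namedtuple

# One unidirectional flow record, as an exporter would report it (fields assumed).
Flow = namedtuple("Flow", "start src sport dst dport proto packets bytes")

# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = [
    Flow(0.00, "10.20.30.40", 53823, "220.127.116.11", 443, "TCP", 12, 1840),
    Flow(0.05, "220.127.116.11", 443, "10.20.30.40", 53823, "TCP", 15, 20480),
    Flow(1.00, "10.20.30.40", 40000, "192.0.2.53", 53, "UDP", 1, 72),
    Flow(1.02, "192.0.2.53", 53, "10.20.30.40", 40000, "UDP", 1, 180),
    Flow(2.00, "10.20.30.40", 51000, "198.51.100.7", 23, "TCP", 3, 180),
]

def conversation_key(f):
    """Direction-independent key: protocol plus the two endpoints, sorted.
    ToS and input interface are left out because the reply direction
    normally arrives on a different interface."""
    return (f.proto,) + tuple(sorted([(f.src, f.sport), (f.dst, f.dport)]))

def correlate(flows):
    """Merge unidirectional flows into conversations. The endpoint that
    sent the earliest flow is treated as the initiator (an assumption)."""
    convs = {}
    for f in sorted(flows, key=lambda f: f.start):
        c = convs.setdefault(conversation_key(f), {
            "proto": f.proto,
            "initiator": (f.src, f.sport), "responder": (f.dst, f.dport),
            "fwd_packets": 0, "fwd_bytes": 0, "rev_packets": 0, "rev_bytes": 0,
        })
        side = "fwd" if (f.src, f.sport) == c["initiator"] else "rev"
        c[side + "_packets"] += f.packets
        c[side + "_bytes"] += f.bytes
    return list(convs.values())

def one_way(convs):
    """Conversations with no reply flow: unanswered connection attempts,
    or asymmetric routing that bypasses this exporter."""
    return [c for c in convs if c["rev_packets"] == 0]

if __name__ == "__main__":
    convs = correlate(SAMPLE_FLOWS)
    for c in convs:
        print(c["proto"], c["initiator"], "<->", c["responder"],
              "sent", c["fwd_bytes"], "B, received", c["rev_bytes"], "B")
    print("no reply seen:", [c["responder"] for c in one_way(convs)])
```

Conversations that never receive a reply flow are worth reviewing separately, since they stand out only after the two directions have been paired.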
The sFlow protocol is completely different from NetFlow in that it doesn't examine every packet; it samples packets at a specified rate. As a result, it is more efficient than NetFlow, but certain short communications may go undetected.
You can configure sFlow through SNMP, and can specify a different sample rate in each exporter.