What is the difference between sFlow and NetFlow?

Both NetFlow and sFlow are network traffic monitoring tools, and both have the word "flow" in their names. Beyond this, there are many differences between these two resources.

NetFlow is a proprietary Cisco design that aggregates flow information at the point of entry to an interface. It stores this information and exports it.

sFlow is a standard supported by many different companies. It does packet sampling and focuses on packet traffic at layer 2 of the OSI model. sFlow does random sampling to determine flow models. It involves two different methods: statistical sampling and random sampling.

NetFlow offers a comprehensive analysis of flow through three major aspects of operation: flow exporter, flow collector and flow analysis. It aggregates IP addresses and other information. While a sampling option is available on NetFlow, the default is for it to capture all traffic.

NetFlow and sFlow have different OSI operating models. They involve different methods and work differently. Some IT people have expressed a preference for NetFlow based on a number of benefits. One big benefit is the difference between a randomly sampled data set and a whole data set. The random sampling of sFlow can be frustrating for some kinds of network security work. Others cite better vendor support for NetFlow, as well as better ability to apply it over a WAN.

Both of these tools are popular for network analysis. Understanding the difference between both of them is key to building a better toolkit for taking the pulse of an Internet-connected network.