As Nathan pointed out in his sFlow blog post, accuracy is a frustrating problem for many sFlow customers. Example: you know that the traffic on a specific link is made up of ~50% http and ~40% ms-sql. So why is Scrutinizer 6.x showing ms-sql as only 0.14% of the total traffic?! AAAHHHHHHH.
Here is why: sFlow switches/routers send Scrutinizer two types of data:
1. Throughput: Total in / out traffic per interface
2. Samples: Packet samples
Now, what does Scrutinizer v6.X do with the two types of sFlow data? When Scrutinizer renders a protocol or application trend, the first thing it does is to trend the total traffic on the interface using the ‘Throughput’ data. We then determine the top applications from the ‘Samples’ and subtract that from the total.
Well, guess what: the Throughput data is 100% accurate, as it is a measure of the total number of bytes in/out of an interface per second/minute, etc. Scrutinizer then subtracts the Samples of ms-sql, http, etc. from the total (remember, the sFlow sampling rate could be something like 1 in every 128 packets).
The above means that Scrutinizer should be removing all the ms-sql packets from the total to figure out the % of ms-sql traffic, but the sFlow switch didn’t send them all!!! It only sent a sample, so the % we display doesn’t represent the % of the total. Instead, it represents the % of the top 10 displayed. This will change in Scrutinizer v7, when we display the % as the amount of total traffic, not the top 10.
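The mismatch described above, as an added example (not Scrutinizer code): it compares sampled ms-sql bytes against the exact interface counter, first as-is and then after multiplying by the sampling rate, which is the usual way to estimate totals from sFlow samples. The traffic mix, packet size, port mapping and the every-Nth sampling (real agents sample randomly around 1-in-N) are constructed assumptions.

```python
import random
from collections import Counter

SAMPLING_RATE = 128                          # 1-in-128, the rate mentioned in the post
PORT_TO_APP = {80: "http", 1433: "ms-sql"}   # assumed mapping; anything else is "other"

def build_traffic(n_packets, seed=7):
    """Constructed traffic: ~50% http, ~40% ms-sql, ~10% other, 1000-byte packets."""
    rng = random.Random(seed)
    ports = rng.choices([80, 1433, 53], weights=[50, 40, 10], k=n_packets)
    return [(port, 1000) for port in ports]

def bytes_per_app(packets):
    """Sum packet sizes per application."""
    totals = Counter()
    for port, size in packets:
        totals[PORT_TO_APP.get(port, "other")] += size
    return totals

def app_shares(packets, rate=SAMPLING_RATE):
    """Return {app: (true_pct, unscaled_pct, scaled_pct)} for one interface."""
    counter_bytes = sum(size for _, size in packets)   # 'Throughput': exact byte counter
    truth = bytes_per_app(packets)
    samples = packets[rate - 1::rate]                  # 'Samples': every rate-th packet
    sampled = bytes_per_app(samples)
    result = {}
    for app in truth:
        true_pct = 100.0 * truth[app] / counter_bytes
        unscaled = 100.0 * sampled[app] / counter_bytes         # sample bytes vs. full counter
        scaled = 100.0 * sampled[app] * rate / counter_bytes    # scale up by the rate first
        result[app] = (true_pct, unscaled, scaled)
    return result

if __name__ == "__main__":
    for app, (t, u, s) in sorted(app_shares(build_traffic(1_280_000)).items()):
        print(f"{app:7s} true={t:6.2f}%  unscaled={u:5.2f}%  scaled={s:6.2f}%")
```

The unscaled column lands well under 1% for ms-sql even though it carries about 40% of the bytes, while the scaled column is an estimate whose error shrinks as more samples are collected.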
Finally, you can use sFlow for accurate throughput accounting but not for IP accounting. Cisco NetFlow is still best suited for this. You might want to read this blog post: NetFlow Vs. sFlow – It May Matter To You