As Nathan pointed out in his sFlow blog post, accuracy is a frustrating problem for many sFlow customers. For example: you know that the traffic on a specific link is made up of ~50% http and ~40% ms-sql. Why is Scrutinizer 6.x displaying that ms-sql is only 0.14% of the total traffic?! AAAHHHHHHH.

Here is why: sFlow switches/routers send Scrutinizer two types of data:
1. Throughput: Total in / out traffic per interface
2. Samples: Packet samples

Now, what does Scrutinizer v6.X do with the two types of sFlow data? When Scrutinizer renders a protocol or application trend, the first thing it does is to trend the total traffic on the interface using the ‘Throughput’ data. We then determine the top applications from the ‘Samples’ and subtract that from the total.

Well, guess what: the Throughput data is 100% accurate, as it is a measure of the total number of bytes in/out of an interface per second, per minute, etc. Scrutinizer then subtracts the Samples of ms-sql, http, etc. from the total (remember, the sFlow sampling rate could be something like 1 in every 128 packets).

The above means that Scrutinizer should be removing all the ms-sql packets from the total to figure out the % of ms-sql traffic, but the sFlow switch didn’t send them all!!! It only sent a sample, so the % we display doesn’t represent the % of the total. Instead, it represents the % of the top 10 displayed. This will change in Scrutinizer v7, when we display the % as the amount of total traffic, not the top 10.
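The mismatch described above can be reproduced with a small simulation. This is an added example, not Scrutinizer's code: the traffic mix, packet size, packet count and all function names are constructed, and it assumes raw sampled bytes are compared against the exact counter total without being multiplied by the sampling rate.

```python
import random
from collections import Counter

SAMPLING_RATE = 128  # 1-in-128, the rate the post uses as its example
MIX = {"http": 0.5, "ms-sql": 0.4, "other": 0.1}  # constructed traffic mix
PACKET_BYTES = 1000  # constructed: every packet is the same size

def simulate(n_packets=640_000, seed=7):
    """Return (counter_total_bytes, true_bytes, sampled_bytes) for one link."""
    rng = random.Random(seed)
    protos, weights = list(MIX), list(MIX.values())
    true_bytes, sampled_bytes = Counter(), Counter()
    for proto in rng.choices(protos, weights, k=n_packets):
        true_bytes[proto] += PACKET_BYTES        # what the interface counter sees
        if rng.randrange(SAMPLING_RATE) == 0:    # sFlow exports ~1 packet in 128
            sampled_bytes[proto] += PACKET_BYTES
    return sum(true_bytes.values()), true_bytes, sampled_bytes

def share_raw_vs_counter(sampled, counter_total, proto):
    """Raw sampled bytes divided by the exact counter total (the mismatch)."""
    return sampled[proto] / counter_total

def share_among_samples(sampled, proto):
    """Share of the sampled traffic only, not of the link total."""
    return sampled[proto] / sum(sampled.values())

def share_scaled(sampled, counter_total, proto, rate=SAMPLING_RATE):
    """Sampled bytes multiplied by the sampling rate, then compared to the counter."""
    return sampled[proto] * rate / counter_total

if __name__ == "__main__":
    total, true_bytes, sampled = simulate()
    for p in MIX:
        print(f"{p:7s} true={true_bytes[p] / total:6.2%} "
              f"raw/counter={share_raw_vs_counter(sampled, total, p):6.2%} "
              f"among-samples={share_among_samples(sampled, p):6.2%} "
              f"scaled={share_scaled(sampled, total, p):6.2%}")
```

The raw/counter column comes out at a fraction of a percent for ms-sql even though it is about 40% of the link, while the scaled column is only a statistical estimate that moves with every run of the sampler.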

Finally, you can use sFlow for accurate throughput accounting but not for IP accounting.  Cisco NetFlow is still best suited for this. You might want to read this blog post: NetFlow Vs. sFlow – It May Matter To You

Mike Patterson


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

