Difference between packet sampling and flow sampling

 

Summary:

Use cases, advantages, and disadvantages of packet sampling and flow sampling.

Environment:

Product: Flowmon OS

Version: Any

Platform: Any

Question/Problem Description:

What are the differences between packet sampling and flow sampling?

Resolution:
  • Packet sampling
    • Packet sampling is generally used to lower the load on the flow source, e.g. when the router is not powerful enough to process all packets for flow generation, so packets are sampled before the flows are created.
    • Graphs for packets per second and bytes per second are quite accurate because the number of packets and bytes is multiplied by the sampling ratio.
    • It is quite accurate for longer sessions (e.g. file transfers) where many packets are transferred, but short sessions like a DNS request/reply (only two packets) might be completely missed.
    • Much L7 information might be missing because it might require, e.g., complete TCP/TLS handshake visibility, which is not assured when packets are sampled.
    • The number of flows is not lowered in the same ratio as the configured packet sampling. Packet sampling 1:10 can produce more than 1/10 of the flows seen in non-sampled traffic (depending on the monitored traffic).
    • There is a lower chance that a complete traffic session is missed, but there is lower accuracy for timestamps, packets, and bytes (compared to flow sampling).
  • Flow sampling
    • Flow sampling is used to lower the load on the collector or to raise the retention, for example when the collector is not able to receive that many flows per second.
    • Graphs for packets per second and bytes per second are always lower than real traffic because part of the monitored traffic represented by flow data is missing.
    • Session length does not matter; flows representing short and long sessions might be dropped with the same probability.
    • L7 information should be present.
    • The number of flows is lowered in the same ratio as the configured flow sampling. Flow sampling 1:10 means that the collector receives 1/10 of the data, so the retention should be approximately 10 times longer.
    • Timestamps, packets, and bytes in a single flow are accurate, but more sessions could be missed (compared to packet sampling).
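
The following simulation is an added example, not Flowmon code. It applies both sampling modes at 1:10 to constructed traffic (20 long transfers and 2000 two-packet DNS-like sessions) to show the effects listed above. The flow names, traffic mix, and the use of independent random sampling are assumptions made for illustration.

```python
import random

RATIO = 10  # 1:10 sampling, the ratio used in the article's examples

def build_flows():
    """Constructed traffic: 20 long transfers and 2000 two-packet DNS-like sessions."""
    flows = {f"long-{i}": [1000] * 1000 for i in range(20)}      # 1000 packets x 1000 B
    flows.update({f"dns-{i}": [100, 100] for i in range(2000)})  # request + reply
    return flows

def summarize(flows):
    """Return {flow_id: (packets, bytes)}; flows with no packets produce no record."""
    return {fid: (len(p), sum(p)) for fid, p in flows.items() if p}

def packet_sampling(flows, rng):
    """Sample packets BEFORE flow creation; counters are multiplied by RATIO."""
    kept = {fid: [b for b in pkts if rng.random() < 1 / RATIO]
            for fid, pkts in flows.items()}
    return {fid: (n * RATIO, b * RATIO) for fid, (n, b) in summarize(kept).items()}

def flow_sampling(flows, rng):
    """Build complete flows first, then pass 1 in RATIO on to the collector."""
    return {fid: rec for fid, rec in summarize(flows).items()
            if rng.random() < 1 / RATIO}

def compare(seed=1):
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    flows = build_flows()
    truth = summarize(flows)
    ps, fs = packet_sampling(flows, rng), flow_sampling(flows, rng)
    total = lambda recs: sum(b for _, b in recs.values())
    return {
        "true_flows": len(truth), "true_bytes": total(truth),
        "ps_flows": len(ps), "ps_bytes": total(ps),
        "ps_dns_seen": sum(fid.startswith("dns-") for fid in ps),
        "fs_flows": len(fs), "fs_bytes": total(fs),
        # Every flow that survives flow sampling carries exact counters.
        "fs_exact": all(truth[fid] == rec for fid, rec in fs.items()),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:12} {value}")
```

For detection work, the `ps_dns_seen` figure is the one to watch: most two-packet sessions never produce a flow record under packet sampling, while flow sampling drops long and short sessions alike but keeps each surviving record intact.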