Basic TCP/IP Analysis (by Hansang Bae)
Wireshark in the Large Enterprise (by Hansang Bae)

Comparing SNMP to NetFlow (by Michael Patterson)

Michael_pattersonLogo_plixerAuthor Profile - Michael Patterson is currently the Product Manager of Scrutinizer NetFlow and sFlow Analyzer at Plixer International. Prior to Plixer Michael worked for Cabletron Systems as the Director for outsourced network management.

Plixer International develops and markets network traffic monitoring and analysis tools to the global market. All of the tools are built from the ground up with valuable feature sets and ease of use in mind. Plixer tools have been used to analyze and troubleshoot irregular traffic patterns by IT professionals with some of the largest networks in the world, such as CNN, The Coca-Cola Company, Abercrombie & Fitch, Lockheed Martin, IBM, Regal Cinemas, Raytheon, and Eddie Bauer.


As unbelievable as it may sound, there are still companies in this world that are not aware of NetFlow analysis. Many IT admins are still using SNMP trends to determine if the connection is full and then running to setup a packet analyzer like Wireshark to find out who is causing all the traffic. For me, it’s hard to believe.

I think the reason why so many people don’t know about NetFlow is because network traffic management is only part of their job. Often times, the employees at medium sized businesses wear multiple hats and until they bump into the technology via a peer, a meeting, a forum, a publication or other, they really don’t have a compelling need. Once they find out how easy and readily available it is, I think that is when they generally start the investigation.

I will explain the big difference between NetFlow and SNMP.

A few months ago I wrote a blog post on SNMP Vs. NetFlow. I think the topic is still very relevant today. A couple big differences between network trends with NetFlow Vs SNMP are:

  • SNMP can be used for real-time (i.e. every second) and although NetFlow provides beginning and end times for each flow, it isn’t nearly as real-time as SNMP. In fact, due to the active timeout issue, NetFlow really can’t provide granularity finer than 1 minute else, it sort of defeats the idea of NetFlow’s awesome aggregation. I think we are all learning about how important the active timeout is with the Cisco ASA.
  • NetFlow tells you who and with what is consuming the bandwidth, it is also much more verbose than SNMP and therefore NetFlow exports consume much more disk space for historical information
  • SNMP can be used to collect CPU and memory utilization and that just isn’t available yet using NetFlow. Notice I used the word ‘yet’. The future of NetFlow is very optimistic.

Some believe you still need SNMP to get things like interface names from the router. This isn’t true. See Paul’s blog post on Using NetFlow Option Templates to export interface names. Flexible NetFlow and IPFIX are taking the technology to a whole new level. For example, the new nProbe is exporting latency and URL information via IPFIX (aka NetFlow standard). Hopefully the folks behind sFlow are also thinking about the future.

In summary, SNMP will be around for years to come just as black and white televisions were. Some great ideas take time to catch on.