
I've seen conflicting information from various dates and I'm having trouble determining if ntop supports sflow the same way it supports netflow or if it is somehow handicapped and not really worth giving the effort.

We're just getting started at this point trying to get a handle on traffic so no specific expectations, except everything. :-)

  • 2,533
  • 3
  • 24
  • 27

2 Answers2


ntop is really just the flow collector. It has sflow support so it knows what sort of flow based information it is receiving and can format it appropriately.

You can see their support info here: http://www.ntop.org/solutions/flow-based-monitoring/

The real difference will be between sflow and netflow and how these technologies report the data to ntop or any other collector.

You can see here: http://www.plixer.com/blog/netflow/netflow-vs-sflow-for-network-monitoring-and-security-the-final-say/ for some information and links about the 2 different analysis technologies.

  • 32,352
  • 26
  • 126
  • 188

For what it's worth, my recommendation would be to use netflow.

ntop supports both fully, but the sflow protocol itself is handicapped (by its design), and netflow is the more common protocol because of that (and as a result has lots of what I would consider better tools).

For more detail you can read this article that TheCleaner pointed you to but the short version is:

  • sflow is a packet-based sampling protocol, and is thus prone to sampling error
  • netflow works with more vendors' hardware
  • netflow has a wider suite of available tools (because it works with more vendors' hardware)

The second and third points would be the most important in my mind -- Netflow being a well-defined and supported standard gives you more options than ntop when you want to start really diving into your data.

  • 79,345
  • 17
  • 128
  • 213