There are two drivers for NetFlow might not be immediately obvious.
The first is that NetFlow requires significantly less throughput than full packet capture. For example, see this discussion on how much bandwidth is needed to capture all the packets in a typical business. Let’s say 100 Gbps span port for typical SMB (100-1000 employee) company. NetFlow takes <5% of the bandwidth that full packet capture requires. So you could get by with five 1 Gbps span ports, which is a huge cost savings on the switching side.
The second driver is statistical analysis. Let’s assume you did not want the complexity of five 1 Gbps mirror ports (and the corresponding grunt work on the NSM to avoid duplicate entries.) If you only want 1 Gbps port, you have two options. The first option is to watch one-fifth of your servers. This poses a problem if your infected computer(s) are in the four-fifths of the LAN you are ignoring. The second option is to statistically select 1 in 5 packets from the stream. Your NSM will now have full coverage on the network, greatly improving your chance at identifying infections.
Posted by