Routers or other network devices performing flow measurement have three types of
resources that can become bottlenecks: processing power, flow memory, and
reporting bandwidth. Flow slices use three different ``tuning knobs'' to control
these three resources: the packet sampling probability 
controls the
processing load, the flow slicing probability 
controls the memory usage and
the thresholds determining the smart sampling probability 
control the volume
of data reported. This can result in more accurate traffic analysis results than
using a single parameter, the packet sampling probability, to control all three
resources, as Adaptive NetFlow does. This distinction would be irrelevant in
practice if the only scarce resource would be the processing power at the
router, so it is useful to perform a quick sanity check before proceeding any
further: can an unfavorable traffic mix push the memory requirements or
reporting bandwidth so high that they become a problem? First, let us assume a
traffic mix consisting of back-to-back minimum sized packets, each belonging to
a different flow (a massive flooding attack with randomly spoofed source
addresses). With the packet sampling rates from , the
traffic measurement module would receive a packet every 
. Even with an
aggressive inactivity timeout of
seconds, we need a flow
memory that can fit 
flow records, which at 
bytes/record[17] requires 
megabytes. When reported flow records
take 
bytes (ignoring overheads), so at 
flow records/second, which
requires 
megabits/second. These numbers are orders of magnitude above what
one can comfortably afford. The experiments from use
realistic traffic mixes to evaluate the benefits of Flow Slices as compared to
Sampled NetFlow and Adaptive NetFlow.
For each of the parameters of Flow Slices listed in , we
need to decide whether to set them statically as part of the router
configuration, or dynamically adapt them to the current traffic mix. Of the
three main tuning knobs, the flow slicing probability should definitely be
set dynamically to allow the router to protect from memory overflow when faced
with unfavorable traffic mixes. The thresholds controlling the smart sampling
probability can also be set adaptively. In this paper, we consider that the
packet sampling probability is static based on recommended values for
different link capacities. Flow Slices would work just as well with a dynamic
packet sampling probability that could go above the conservative static value,
but since it is hard to guarantee the stability of such an approach without pushing
the packet sampling rate adaptation logic into hardware (which raises deployment
problems), we chose not to explore such a solution here.
The observant reader might have noticed that without the optional binned
measurement feature Flow Slices resembles Sampled NetFlow. If the dynamic
adaptation algorithms set the flow slicing probability and the smart
sampling probability to 
the two solutions perform exactly the same
processing. We consider this to be an important feature. The difference between
Sampled NetFlow and Flow Slices is in how they react to unfriendly traffic mixes
and environments with strong constraints on resources. While both Adaptive
NetFlow and Flow Slices provide robustness to unfavorable traffic mixes,
Adaptive NetFlow forces the user to adopt the binned measurement model (which
can increase memory usage and the volume of reports) even when the traffic mix
is favorable.