Hi Jay,

We use both NetFlow and Bro.

Each has its pros and cons of course, but from my point of view NetFlow is a "truer" picture of flow activity because it's a 100% layer3 export - things like malformed TCP streams sometimes won't get logged by apps that take a layer4-or-higher view of the world. It's also unidirectional - apps that mung the A->B traffic together with the B->A traffic occasionally suffer from ambiguity of client/server identity, which makes report writing hard. Finally, NetFlow can be configured to prematurely export long-lived flows, meaning that you can see how many bytes were transferred at different points in the flow, rather than just knowing that X bytes were transferred in total.

In my experience, having two or more tools doing the "same" job in different ways isn't the galactic waste it may appear to be :)

