Executive Summary
Modern networks require both depth and speed in visibility. Traditional IPFIX (NetFlow v10) delivers rich flow context but with inherent latency. Sampled Port Mirroring (SPM) provides near real-time packet samples with payload visibility. IPFIX IE 315 bridges the two by exporting sampled packet data inside standard IPFIX records.
These technologies are not competitors — they are powerful complements, especially in high-speed DDoS protection scenarios.
What is IPFIX?
IPFIX (IP Flow Information Export) is the standardized evolution of NetFlow. It collects metadata about network flows — conversations defined by the 5-tuple (source/destination IP, ports, protocol).
- Router aggregates packets into flows and caches them
- Exports records only after a flow timeout or cache expiry (typically a 30–60 second delay)
- Excellent for traffic analysis, billing, capacity planning, and long-term behavior baselining
- Only metadata — no packet payload
What is SPM (Sampled Port Mirroring)?
SPM is a high-speed sampling and mirroring technique that captures individual packets (or portions of them) and forwards them immediately for analysis.
- Near real-time (milliseconds) — no flow cache delay
- Exports the beginning of the packet: headers + configurable payload (e.g., first 128/256/512 bytes)
- Stateless and extremely fast
- Ideal for rapid threat detection, especially volumetric DDoS attacks
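The latency gap between the two sections above comes from where the export decision is made: a flow cache emits a record only when an active or inactive timeout fires, while a sampler forwards a selected packet at the moment it is seen. The following simulation is an added example (not code from the page or from any vendor) that runs a small flow cache and a 1-in-N sampler over constructed traffic; the 60 s active and 15 s inactive timeouts are assumed values, not any router's defaults.

```python
"""Flow cache with active/inactive timeouts next to 1-in-N packet sampling.
Added example with constructed traffic; the timeout values are assumptions,
not any vendor's defaults."""
from dataclasses import dataclass

ACTIVE_TIMEOUT = 60.0    # assumed: a long-lived flow is exported every 60 s
INACTIVE_TIMEOUT = 15.0  # assumed: a flow silent for 15 s is expired and exported


@dataclass
class FlowEntry:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Aggregates packets by 5-tuple; a record leaves the cache only on timeout."""

    def __init__(self, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
        self.active, self.inactive = active, inactive
        self.cache = {}
        self.exported = []  # (export_time, key, packets, octets)

    def observe(self, ts, key, size):
        """Account one packet; advancing the clock may expire other flows first."""
        self.expire(ts)
        entry = self.cache.get(key)
        if entry is None:
            entry = self.cache[key] = FlowEntry(ts, ts)
        entry.last_seen = ts
        entry.packets += 1
        entry.octets += size

    def expire(self, now):
        """Export whichever timeout fires first for each cached flow."""
        for key, entry in list(self.cache.items()):
            while True:
                idle_at = entry.last_seen + self.inactive
                active_at = entry.first_seen + self.active
                if now < min(idle_at, active_at):
                    break
                if active_at <= idle_at:
                    # active timeout: export the interval so far, keep the flow cached
                    if entry.packets:
                        self.exported.append((active_at, key, entry.packets, entry.octets))
                    entry.first_seen, entry.packets, entry.octets = active_at, 0, 0
                else:
                    # inactive timeout: export and drop the flow
                    if entry.packets:
                        self.exported.append((idle_at, key, entry.packets, entry.octets))
                    del self.cache[key]
                    break


def sampled_packets(packets, rate):
    """Deterministic 1-in-N sampling; a selected packet is visible at its own timestamp."""
    return [p for i, p in enumerate(packets) if i % rate == 0]


def first_visibility(packets, sample_rate):
    """Return (time of first sampled packet, time of first exported flow record)."""
    cache = FlowCache()
    for ts, key, size in packets:
        cache.observe(ts, key, size)
    cache.expire(float("inf"))  # end of capture: flush everything still cached
    first_flow = min(t for t, *_ in cache.exported)
    first_sample = sampled_packets(packets, sample_rate)[0][0]
    return first_sample, first_flow


def constructed_burst():
    """1,000 packets in 10 s from 200 sources to one web server; 203.0.113.0/24 and
    192.0.2.10 are documentation ranges, so the traffic is obviously constructed."""
    return [(i / 100, (f"203.0.113.{i % 200}", "192.0.2.10", 80, 6), 60)
            for i in range(1000)]


if __name__ == "__main__":
    sample_t, flow_t = first_visibility(constructed_burst(), 100)
    print(f"first sampled packet at {sample_t:.2f} s, first flow record at {flow_t:.2f} s")
```

With these settings the burst starts at t = 0 s and the first sampled packet is available at t = 0 s, but the earliest flow record appears at t = 23 s: every flow in the burst stays in the cache until 15 s after its last packet. A flow that outlives the active timeout is exported in 60 s slices, so a sustained attack is first reported a full active-timeout after it begins.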
IPFIX Information Element 315 (IE 315)
IE 315 is a specific IPFIX Information Element that allows sampled packet sections to be exported inside standard IPFIX records.
It effectively turns SPM into an IPFIX-compatible format, giving you the best of both worlds: structured IPFIX export with actual packet payload data for deeper inspection (TLS ClientHello for JA3/JA4 fingerprinting, HTTP headers, DNS queries, etc.).
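To make the "packet section inside an IPFIX record" idea concrete, here is an added example (not code from the page, from Nokia, or from any collector) that builds an IPFIX message whose template carries IE 315, which IANA registers as dataLinkFrameSection (RFC 7133), then parses the message back and reads the 5-tuple and a TLS ClientHello flag out of the exported bytes. IE 315 is variable-length, so the record uses the RFC 7011 variable-length encoding. The template layout, the 64-byte section length and the frame itself are assumptions constructed for the example.

```python
"""Build and parse an IPFIX message whose data records carry a sampled frame section
in IE 315 (IANA name dataLinkFrameSection, RFC 7133).  Added example; the frame below
is constructed and the template layout is an assumption, not an exporter's real one."""
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
VARLEN = 0xFFFF
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [     # (IANA IE id, length)
    (323, 8),           # observationTimeMilliseconds
    (10, 4),            # ingressInterface
    (312, 2),           # dataLinkFrameSize: length of the original frame
    (315, VARLEN),      # dataLinkFrameSection: first N octets of the frame
]


def encode_varlen(data):
    """RFC 7011 variable-length field: 1-byte length, or 0xFF plus 2-byte length."""
    if len(data) < 255:
        return bytes([len(data)]) + data
    return b"\xff" + struct.pack("!H", len(data)) + data


def build_message(records, export_time=0, seq=0, domain=1):
    """records: iterable of (obs_time_ms, ifindex, frame_size, section_bytes)."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in TEMPLATE_FIELDS)
    tset = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    body = b"".join(struct.pack("!QIH", ts, ifx, size) + encode_varlen(sec)
                    for ts, ifx, size, sec in records)
    dset = struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body
    payload = tset + dset
    hdr = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(payload), export_time, seq, domain)
    return hdr + payload


def parse_message(msg):
    """Return the data records as {ie_id: value}, learning templates from the message."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        end, pos = off + set_len, off + 4
        if set_id == TEMPLATE_SET_ID:
            while pos + 4 <= end:
                tid, count = struct.unpack("!HH", msg[pos:pos + 4])
                pos, fields = pos + 4, []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", msg[pos:pos + 4])
                    pos += 4
                    if ie & 0x8000:          # enterprise-specific IE: skip the PEN
                        ie, pos = ie & 0x7FFF, pos + 4
                    fields.append((ie, flen))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:
            fields = templates[set_id]
            min_len = sum(1 if ln == VARLEN else ln for _, ln in fields)
            while pos + min_len <= end:      # anything shorter than a record is padding
                rec = {}
                for ie, flen in fields:
                    if flen == VARLEN:
                        flen, pos = msg[pos], pos + 1
                        if flen == 255:
                            flen, pos = struct.unpack("!H", msg[pos:pos + 2])[0], pos + 2
                        rec[ie] = msg[pos:pos + flen]
                    else:
                        rec[ie] = int.from_bytes(msg[pos:pos + flen], "big")
                    pos += flen
                records.append(rec)
        off = end
    return records


def decode_section(section):
    """Read the 5-tuple from an Ethernet/IPv4/TCP frame section and flag a TLS ClientHello."""
    if len(section) < 34 or section[12:14] != b"\x08\x00" or section[14] >> 4 != 4:
        return None
    ip = section[14:]
    ihl = (ip[0] & 0x0F) * 4
    info = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "proto": ip[9]}
    l4 = ip[ihl:]
    if info["proto"] != 6 or len(l4) < 20:
        return info
    info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    payload = l4[(l4[12] >> 4) * 4:]
    # TLS record type 22 (handshake), version 3.x, handshake type 1 (ClientHello)
    info["tls_client_hello"] = (len(payload) >= 6 and payload[0] == 0x16
                                and payload[1] == 0x03 and payload[5] == 0x01)
    return info


def constructed_frame():
    """Constructed 104-byte frame 10.0.0.1:51234 -> 192.0.2.10:443 with a minimal
    ClientHello (zero checksums, locally administered MACs, documentation addresses)."""
    tls = (bytes.fromhex("160301002d" "01000029" "0303") + b"\x11" * 32
           + bytes.fromhex("00" "0002" "1301" "01" "00"))
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(tls), 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp + tls


def demo(section_bytes=64):
    """Export the first 64 bytes of the frame (an assumed sampling length) and decode it back."""
    frame = constructed_frame()
    msg = build_message([(1_700_000_000_000, 7, len(frame), frame[:section_bytes])])
    rec = parse_message(msg)[0]
    return rec, decode_section(rec[315])
```

Running `demo()` shows the point of pairing IE 312 with IE 315: the record says the original frame was 104 bytes while only 64 were exported, and those 64 bytes are still enough to recover the 5-tuple and recognise the start of a TLS ClientHello, which is exactly the part of the payload that JA3/JA4 fingerprinting needs. A collector must keep the template set before it can decode the data set, so in practice templates are resent periodically and a record whose template has not yet arrived is simply skipped, as the parser above does.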
Comparison Table
| Feature | Traditional IPFIX / NetFlow | SPM (Sampled Port Mirroring) | IPFIX + IE 315 |
|---|---|---|---|
| Mechanism | Flow aggregation + cache | Per-packet sampling + immediate mirror | Sampled packets inside IPFIX records |
| Latency | High (30–60+ seconds) | Very Low (milliseconds) | Very Low |
| Data Exported | Flow metadata only | Packet headers + payload | Packet headers + payload in IPFIX format |
| Use Case Strength | Context, trending, forensics | Real-time attack detection | Real-time + structured export |
| Payload Visibility | None | Configurable (first N bytes) | Configurable (first N bytes) |
| JA3 / JA4 Fingerprinting | Limited | Excellent | Excellent |
Why They Work Best Together
In advanced DDoS mitigation platforms (such as Nokia Deepfield), both technologies run in parallel:
- IPFIX provides the broad, long-term visibility and flow context needed for baseline establishment and forensic analysis.
- SPM / IE 315 delivers the immediate packet samples required to detect and mitigate attacks in seconds rather than minutes.
This combination gives security teams the speed to react plus the depth to understand what they’re reacting to.
Practical Takeaways for Network Operators
- Deploy SPM on high-risk, high-volume links where milliseconds matter.
- Use IPFIX everywhere for comprehensive visibility.
- Consider IE 315 when you want sampled packet data in a standardized, easily ingestible format.
- Together they form a robust, layered telemetry strategy that significantly improves DDoS defense posture.