Now that you have one instance of flow-capture running, it's time to decide how to handle incoming data. You can choose to have all your sensors feed data to a single collector or have each sensor feed data to its own collector instance.

Having all sensors feed records to one collector is simple. Configure one and only one collector, and do not restrict the addresses that can send to it. Configure all your sensors to use that single collector. The collector will intermingle all the flow records from all sensors into one common log file. But how do you tell whether flows are from one part of the network or another? You can differentiate flows by the sensor IP address, but this adds steps to the analysis.

In the absence of compelling ...