Useful commands to see what traffic is going through the router.

Unanswered Question
Oct 6th, 2007

We have a VPN from a cisco 877 to a Concentrator. I notice every day the CPU and bandwidth on the 877 is high at 8am-10am, can I see what PC or type of traffic is doing this on the 877?


I like this one, you can use this permanently for free if you only monitor up to two interfaces. Otherwise, you can get a 30 day trial.

http://manageengine.adventnet.com/products/netflow/index.html

You can configure Netflow on the appropriate interface by doing the following:

!
config t
! Enable NetFlow accounting on the interface whose traffic you want to see
interface fa4
 ip route-cache flow
 exit
! Export the flow cache as version 5 records to the collector (IP and UDP port)
ip flow-export version 5
ip flow-export destination 192.168.1.1 9996
!

Replace the interface and destination IP to match your needs.

whiteford Mon, 10/08/2007 - 06:32

Hi, which one is it I need to download?

Is the Cisco one not free?

whiteford Mon, 10/08/2007 - 07:02

Right, all installed. I'm using a Cisco 837 as a VPN, would I monitor the ATM0, Dialer 1 or Ethernet 0 which is the router IP?

whiteford Mon, 10/08/2007 - 07:12

Hi, I have installed it on a server with an IP of 192.168.100.1 and added your config to the Ethernet 0, but no data is going to the Netflow webserver, how can I check it can connect to this server or that it is working?

whiteford Mon, 10/08/2007 - 07:21

Here it is:

IP packet size distribution (26605 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .770 .025 .106 .026 .028 .019 .002 .001 .001 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .001 .014 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  8 active, 4088 inactive, 268 added
  9944 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  8 active, 1016 inactive, 258 added, 258 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never

Protocol    Total   Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------    Flows   /Sec   /Flow    /Pkt   /Sec     /Flow        /Flow
TCP-WWW         3     0.0       5     99     0.0         0.2        1.6
TCP-SMTP       19     0.0       1     60     0.0         0.8       15.4
TCP-other     163     0.0     115    100     1.3         8.9        6.6
UDP-DNS        25     0.0       1     75     0.0         1.8       15.4
UDP-NTP         8     0.0       1     96     0.0         0.0       15.6
UDP-other      16     0.0       1    220     0.0         0.1       15.4
ICMP           26     0.0       2    306     0.0         1.6       15.4
Total:        260     0.0      72    100     1.3         6.0        9.8

SrcIf  SrcIPaddress   DstIf  DstIPaddress    Pr  SrcP  DstP  Pkts
Et0    172.19.10.17   Di1    192.168.101.1   06  05B5  0401  2
Et0    172.19.10.11   Di1    192.168.101.8   06  0446  0A26  1788
Et0    172.19.10.17   Di1    192.168.101.7   06  0491  0A26  1251
Et0    172.19.10.20   Di1    192.168.101.8   06  04B6  0A26  2041
Et0    172.19.10.22   Di1    192.168.101.7   06  0610  0A26  523
Et0    172.19.10.18   Di1    192.168.101.3   06  0853  0475  8
Et0    172.19.10.18   Di1    192.168.101.7   06  06F1  0A26  295
Et0    172.19.10.21   Di1    192.168.101.8   06  070B  0A26  1784
f3rryun1t2#

whiteford Mon, 10/08/2007 - 08:34

Hi, I'm not near my PC but will be in an hour, so I will post the results. However, I tried that earlier and remember lots of zeros in the table as if there is no data, any reason for this?

whiteford Mon, 10/08/2007 - 09:41

Hi, here it is, is the source IP ok?:

User Access Verification

Router#show ip flow export
Flow export v5 is enabled for main cache
  Exporting flows to 192.168.100.1 (9996)
  Exporting using source IP address 86.84.80.x
  Version 5 flow records
  1371 flows exported in 399 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
Router#

whiteford Mon, 10/08/2007 - 14:12

I couldn't see an option to do that, I'll have a look tomorrow as I don't have the website in front of me.

whiteford Mon, 10/08/2007 - 23:52

Bingo, I just added the router (which was already there in Device Group Management) and I see stats, however I have a few questions.

The NBAR MIB support says unknown, and for some reason I have 2 interfaces, Ifindex16 (Out traffic) and Ifindex5 (In traffic).

How do I see a table of who is doing what? like the command "show ip cache flow"?

paitken Tue, 11/27/2007 - 07:10

Andy,

You see two interfaces because traffic is flowing from the Ethernet interface to the Dialer interface.

You see this in the "sh ip cache flow" output:

SrcIf  SrcIPaddress   DstIf  DstIPaddress    Pr  SrcP  DstP  Pkts
Et0    172.19.10.17   Di1    192.168.101.1   06  05B5  0401  2

- i.e., traffic is flowing from 172.19.10.17 on Eth0 to 192.168.101.1 on Dialer1.

The "sh ip cache flow" output also answers your "who is doing what" question, since it shows the protocol and src/dst ports.

e.g., looking at the output you posted before, it's all Protocol 6 (TCP) and much of it is to port 0A26 (i.e., 2598 decimal) - so it's probably Citrix traffic with session reliability enabled.

Going back to your original issue: to discover what's causing high bandwidth, configure netflow and use the "sh ip flow top ..." command to see what's going on.
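As an added example, not part of the original thread and not code from Cisco or ManageEngine: a small collector-side Python script that does by program what the replies above do by hand. It decodes the NetFlow v5 datagrams the earlier config exports ("ip flow-export version 5" to UDP port 9996), validates the advertised record count against the datagram length before trusting it, aggregates bytes per source host and per (protocol, destination port) to answer the "who is doing what" question, and converts a "show ip cache flow" row from hex to decimal the way the reply above does (protocol 06 is TCP, port 0A26 is 2598). The v5 header and record layout is Cisco's documented one; the sample datagram is constructed here from the posted flow rows with assumed byte counts (roughly 100 bytes per packet, matching the posted Bytes/Pkt column) and is not a capture from the poster's router.

```python
import struct
import ipaddress
from collections import Counter

# Wire layout of a NetFlow v5 export datagram, the format the router sends
# once "ip flow-export version 5" points at a collector on UDP 9996.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow
MAX_RECORDS = 30                                        # a v5 datagram carries at most 30 flows
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_v5(datagram):
    """Decode one v5 datagram into (header, flows); reject malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    # Never trust the advertised count: check it against the actual length.
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not match %d-byte datagram" % (count, len(datagram)))
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "sampling_interval": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad, tcp_flags, proto, _tos, _src_as, _dst_as, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "in_if": in_if, "out_if": out_if,          # SNMP ifIndex values (e.g. 5 in, 16 out)
            "packets": pkts, "bytes": octets,
            "sport": sport, "dport": dport, "proto": PROTO_NAMES.get(proto, str(proto)),
            "tcp_flags": tcp_flags,
        })
    return header, flows


def top_talkers(flows, n=3):
    """Bytes per source host and per (proto, dst port), largest first."""
    by_src, by_service = Counter(), Counter()
    for f in flows:
        by_src[f["src"]] += f["bytes"]
        by_service[(f["proto"], f["dport"])] += f["bytes"]
    return by_src.most_common(n), by_service.most_common(n)


def decode_cache_flow_row(row):
    """Turn one 'show ip cache flow' row (hex protocol and ports) into named/decimal fields."""
    src_if, src, dst_if, dst, pr, sp, dp, pkts = row.split()
    proto = int(pr, 16)
    return {"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": int(sp, 16), "dport": int(dp, 16), "packets": int(pkts)}


def build_v5_datagram(flows, seq=0):
    """Constructed test data: pack (src, dst, sport, dport, pkts, octets) tuples as a v5 datagram."""
    header = V5_HEADER.pack(5, len(flows), 3600000, 1191830400, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed, b"\0" * 4,
                       5, 16, p, o, 0, 0, sp, dp, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, p, o in flows)
    return header + body


# Constructed sample mirroring the posted "show ip cache flow" rows; byte counts are assumed
# (about 100 bytes per packet). This is not a capture from the poster's router.
SAMPLE = build_v5_datagram([
    ("172.19.10.11", "192.168.101.8", 0x0446, 0x0A26, 1788, 178800),
    ("172.19.10.17", "192.168.101.7", 0x0491, 0x0A26, 1251, 125100),
    ("172.19.10.20", "192.168.101.8", 0x04B6, 0x0A26, 2041, 204100),
    ("172.19.10.18", "192.168.101.3", 0x0853, 0x0475, 8, 800),
])

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE)
    print("sequence %d, %d flows" % (hdr["flow_sequence"], hdr["count"]))
    for src, nbytes in top_talkers(flows)[0]:
        print("%-15s %d bytes" % (src, nbytes))
    print(decode_cache_flow_row("Et0 172.19.10.11 Di1 192.168.101.8 06 0446 0A26 1788"))
```

To run it against the real export, bind a UDP socket on the collector address and port from the config (192.168.100.1:9996 in the poster's case) and feed each received datagram to parse_v5; the length check matters there because the socket is reachable from whatever can route to the collector, not just the router.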
