I'm trying to understand what netflow statistics are being show when using sh ip flow top and the sh ip flow top (#) aggregate commands. What I'm looking for is a real-time picture of statistics, not a n accumulation of stats. We have periods of congestion and an alert system setup to notify me when that congestion takes place. I'd like to connect to the router where the congestion is occurring and get a snapshot of the top ten talkers at that moment. However I'm unsure if that is a real time picture or an accumulation of statistics since either the last clear counters or clear ip flow stats command was issued. Can anyone offer some clarity on how netflow's stats are presented?
The "show ip flow top" scans the netflow cache in real time and shows you a snapshot of what's happening in your router at this exact moment.
Aggregation is of the traffic that's in the netflow cache right now; and isn't related in any way to the last clear command.
So when you see congestion, you can be 100% confident that the "sh ip flow top ... " output shows you exactly what the cause is.