How to interpret NetFlow data -- ip cache flow

Answered Question
Nov 15th, 2007

Hi Everyone,

Our network is currently being bogged down and we're trying to get to the bottom of it. I enabled NetFlow on the router and see a lot of information in the output. I do not have a server to dump the information to, so I am just trying to understand the output of the sh ip cache flow command. For example:


IP Flow Switching Cache, 278544 bytes
  61 active, 4035 inactive, 156174 added
  2905172 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          67      0.0        32    40      0.0      20.6      13.5
TCP-WWW          52273      0.0        45  1292      2.8       6.0       7.9
TCP-SMTP           646      0.0        81    46      0.0       6.0       1.7
TCP-X              106      0.0         1    40      0.0       0.3      13.1
TCP-NNTP           555      0.0         1   108      0.0       4.1      15.4
TCP-other        80317      0.0         8   416      0.8       2.9      10.4
UDP-DNS            125      0.0         1   116      0.0       0.4      15.5
UDP-NTP             69      0.0         1    76      0.0       0.0      15.5
UDP-TFTP             1      0.0         9    61      0.0      13.4      15.3
UDP-other        18532      0.0        13   529      0.2       7.6      15.4
ICMP              2647      0.0         2    61      0.0       1.1      15.4
IP-other           806      0.0        76   243      0.0       7.7      15.4
Total:          156144      0.1        21  1023      4.0       4.5      10.3



Does the Total Flows column show the current information, or is it over a time interval? It looks like most of my flows are in the TCP-other row. Is there a way to further tell what that information is?


Finally, I get information about the source interface and destination interface. On the right side, it lists a number for Pkts. Does this show the machine currently using the most packets?

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0/1:0     38.116.36.22    Fa0/0         12.X.X.X        06 0050 0535  6040



My interface is NATed, so I use sh ip nat trans to match whose address is going to that 38.116.36.22 address. But I'm trying to understand whether sh ip cache flow shows what they were doing (www, ftp, tcp, etc...).


Thanks for your help!

Correct Answer by Jan Nejman, Thu, 11/15/2007 - 08:11

Hello Tom,


I think that "Total Flows" means the current value: it is the number of flows (i.e. TELNET sessions) that are in the flow cache. A flow expires after the "active/inactive" timeout.


The best solution is a NetFlow collector/analyzer, which prepares human-readable statistics for you. You can see the list of applications at this URL: http://netflow.caligare.com/applications.htm



You can also enable/use "top talkers" statistics in IOS. You need to enable it before using it. IOS will dynamically create a top X matrix viewable via the CLI.


Kind regards


Jan Nejman

Caligare, Co.

http://www.caligare.com/
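Two things in the pasted output are easy to misread, and the following is an added example (not code from the original post, from Cisco, or from Caligare) that makes them explicit. First, the protocol summary is built from flows that have already expired since statistics were last cleared (the dump itself says "last clearing of statistics never"; `clear ip flow stats` resets it), so "Total Flows" is a flow count, not a traffic volume: multiplying Flows by Packets/Flow by Bytes/Pkt shows that TCP-WWW carries roughly ten times the bytes of TCP-other even though TCP-other has more flows. Second, in the per-flow records the Pr, SrcP and DstP columns are hexadecimal, so `06 0050 0535` is TCP from port 80 to port 1333, i.e. a web download into the LAN, and the Pkts column is that one flow's packet count, listed in cache order rather than sorted. The SAMPLE text is constructed from the dump in the question (the masked 12.X.X.X address is kept as posted) and WELL_KNOWN is this example's own port table, an assumption, not the list IOS uses to build its rows.

```python
# Decode a pasted 'show ip cache flow' dump: rank the protocol summary by
# flows and by reconstructed bytes, and label individual flow records.
# Added example for this thread, not code from the original post or from
# Cisco. SAMPLE is constructed from the output in the question (masked
# 12.X.X.X kept as posted); WELL_KNOWN is this example's own port table.
import re
from dataclasses import dataclass

SAMPLE = """\
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          67      0.0        32    40      0.0      20.6      13.5
TCP-WWW          52273      0.0        45  1292      2.8       6.0       7.9
TCP-SMTP           646      0.0        81    46      0.0       6.0       1.7
TCP-X              106      0.0         1    40      0.0       0.3      13.1
TCP-NNTP           555      0.0         1   108      0.0       4.1      15.4
TCP-other        80317      0.0         8   416      0.8       2.9      10.4
UDP-DNS            125      0.0         1   116      0.0       0.4      15.5
UDP-NTP             69      0.0         1    76      0.0       0.0      15.5
UDP-TFTP             1      0.0         9    61      0.0      13.4      15.3
UDP-other        18532      0.0        13   529      0.2       7.6      15.4
ICMP              2647      0.0         2    61      0.0       1.1      15.4
IP-other           806      0.0        76   243      0.0       7.7      15.4
Total:          156144      0.1        21  1023      4.0       4.5      10.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0/1:0     38.116.36.22    Fa0/0         12.X.X.X        06 0050 0535  6040
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 69: "tftp",
              80: "http", 110: "pop3", 119: "nntp", 123: "ntp", 443: "https"}
# summary row: name plus seven numeric columns; flow record: Pr/SrcP/DstP in hex
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+[\d.]+\s+(\d+)\s+(\d+)\s+[\d.]+\s+[\d.]+\s+[\d.]+\s*$")
REC_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([0-9a-fA-F]{2})"
                    r"\s+([0-9a-fA-F]{4})\s+([0-9a-fA-F]{4})\s+(\d+)\s*$")


@dataclass
class ProtoRow:
    name: str
    flows: int
    pkts_per_flow: int
    bytes_per_pkt: int

    def est_bytes(self) -> int:
        # the table only gives per-flow and per-packet averages
        return self.flows * self.pkts_per_flow * self.bytes_per_pkt


@dataclass
class FlowRecord:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    pkts: int

    def service(self) -> str:
        # label by whichever end uses a well-known port, else "-other",
        # the same bucketing the summary table does (TCP-WWW vs TCP-other)
        proto = PROTO_NAMES.get(self.proto, f"ip{self.proto}")
        for port in (self.dst_port, self.src_port):
            if port in WELL_KNOWN:
                return f"{proto}-{WELL_KNOWN[port]}"
        return f"{proto}-other"


def parse_cache(text: str):
    """Return (summary rows, flow records) found in a pasted dump."""
    rows, records = [], []
    for line in text.splitlines():
        if m := ROW_RE.match(line):
            name, flows, ppf, bpp = m.groups()
            rows.append(ProtoRow(name.rstrip(":"), int(flows), int(ppf), int(bpp)))
        elif m := REC_RE.match(line):
            si, sip, di, dip, pr, sp, dp, pk = m.groups()
            records.append(FlowRecord(si, sip, di, dip, int(pr, 16),
                                      int(sp, 16), int(dp, 16), int(pk)))
    return rows, records


def rank_rows(rows, by="bytes"):
    """Protocol rows without the Total line, busiest first, by flows or bytes."""
    key = (lambda r: r.flows) if by == "flows" else (lambda r: r.est_bytes())
    return sorted((r for r in rows if r.name != "Total"), key=key, reverse=True)


def busiest_records(records):
    """Flow records by packet count; the router lists them unsorted."""
    return sorted(records, key=lambda r: r.pkts, reverse=True)


if __name__ == "__main__":
    rows, records = parse_cache(SAMPLE)
    for r in rank_rows(rows, "bytes")[:3]:
        print(f"{r.name:<10}{r.flows:>8} flows  ~{r.est_bytes() / 1e6:9.1f} MB")
    for rec in busiest_records(records):
        print(f"{rec.src_ip}:{rec.src_port} -> {rec.dst_ip}:{rec.dst_port}  "
              f"{rec.service()}  {rec.pkts} pkts")
```

Run it against a fresh paste of `show ip cache flow` and the byte ranking answers the "what is bogging us down" question that the flow count alone does not; the same sorting can be had on the box itself by configuring `ip flow-top-talkers` (with `top` and `sort-by bytes`) and reading `show ip flow top-talkers`, and `show ip cache verbose flow` adds TCP flags and ToS to each record.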

shiva_ial Thu, 11/15/2007 - 07:01



SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0/1:0     38.116.36.22    Fa0/0         12.X.X.X        06 0050 0535  6040

The format means traffic from se0/0 passes to fa0/0 with the port numbers mentioned: 6040 packets.


To search quickly:


sh ip cache flow | inc (your match)



"|" means filter; it is used to filter your match out of the cache.


