11-15-2007 06:52 AM - edited 03-05-2019 07:26 PM
Hi Everyone,
Our network is currently being bogged down and we're trying to get to the bottom of it. I enabled netflow on the router and see a lot of information from the output. I do not have a server to dump the information to, so I am just trying to understand the output from the sh ip cache flow command. For example:
IP Flow Switching Cache, 278544 bytes
61 active, 4035 inactive, 156174 added
2905172 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol        Total    Flows   Packets  Bytes  Packets Active(Sec)  Idle(Sec)
--------        Flows     /Sec     /Flow   /Pkt     /Sec       /Flow      /Flow
TCP-Telnet         67      0.0        32     40      0.0        20.6       13.5
TCP-WWW         52273      0.0        45   1292      2.8         6.0        7.9
TCP-SMTP          646      0.0        81     46      0.0         6.0        1.7
TCP-X             106      0.0         1     40      0.0         0.3       13.1
TCP-NNTP          555      0.0         1    108      0.0         4.1       15.4
TCP-other       80317      0.0         8    416      0.8         2.9       10.4
UDP-DNS           125      0.0         1    116      0.0         0.4       15.5
UDP-NTP            69      0.0         1     76      0.0         0.0       15.5
UDP-TFTP            1      0.0         9     61      0.0        13.4       15.3
UDP-other       18532      0.0        13    529      0.2         7.6       15.4
ICMP             2647      0.0         2     61      0.0         1.1       15.4
IP-other          806      0.0        76    243      0.0         7.7       15.4
Total:         156144      0.1        21   1023      4.0         4.5       10.3
Does the Total Flows column show the current information, or is it over a time interval? It looks like most of my flows are in the TCP-other row. Is there a way to further tell what that information is?
Finally, I get information about the source interface and destination interface. On the right side, it lists a number for Pkts. Does this show the machine currently using the most packets?
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Se0/0/1:0 38.116.36.22 Fa0/0 12.X.X.X 06 0050 0535 6040
My interface is NATed, so I use sh ip nat trans to match whose address is going to that 38.116.36.22 address. But I'm trying to understand if the sh ip cache flow shows what they were doing (www, ftp, tcp, etc.).
Thanks for your help!
11-15-2007 08:11 AM
Hello Tom,
I think that the "Total Flows" means current value - it is the number of flows (i.e. TELNET sessions) that are in the flow cache. The flow expires after the "active/inactive" timeout.
The best solution is a netflow collector/analyzer, which prepares human-style statistics for you. You can see the list of applications at the URL: http://netflow.caligare.com/applications.htm
You can also enable/use "top talkers" statistics in IOS. You need to enable it before using it. IOS will dynamically create a top X matrix viewable via the CLI.
Kind regards
Jan Nejman
Caligare, Co.
11-15-2007 07:01 AM
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Se0/0/1:0 38.116.36.22 Fa0/0 12.X.X.X 06 0050 0535 6040
The format means traffic passes from se0/0 to fa0/0 with the port numbers mentioned - 6040 packets.
To search quickly:
sh ip cache flow | inc (your match)
| means filter;
it is used to filter your match from the cache.
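Added example (not part of any post in this thread): the Pr, SrcP and DstP columns of the flow records are printed in hexadecimal, so the record quoted above is TCP (06) from port 80 (0050) to port 1333 (0535). The Python below decodes pasted "sh ip cache flow" records and sums packets per source address; the function names, the small service map, the K/M counter suffix handling and every sample row except the first are assumptions or constructed.

```python
from collections import Counter

# Pr, SrcP and DstP are printed in hexadecimal by "sh ip cache flow".
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
SERVICES = {23: "telnet", 25: "smtp", 53: "dns", 80: "www", 123: "ntp"}

# First record is the one quoted in the thread; the other rows are constructed.
SAMPLE = """\
SrcIf      SrcIPaddress  DstIf      DstIPaddress  Pr SrcP DstP  Pkts
Se0/0/1:0  38.116.36.22  Fa0/0      12.X.X.X      06 0050 0535  6040
Fa0/0      192.0.2.10    Se0/0/1:0  198.51.100.7  11 C001 0035     2
Fa0/0      192.0.2.10    Se0/0/1:0  198.51.100.9  06 C1F4 0019    81
Fa0/0      192.0.2.44    Se0/0/1:0  198.51.100.7  01 0000 0800     4
"""

def _count(text):
    # Assumption: some IOS releases abbreviate large counters, e.g. 12K or 3M.
    scale = {"K": 1_000, "M": 1_000_000}.get(text[-1:].upper(), 1)
    return int(text if scale == 1 else text[:-1]) * scale

def parse_flow_line(line):
    """Decode one flow record; return None for headers and summary rows."""
    fields = line.split()
    if len(fields) != 8 or fields[0] == "SrcIf":
        return None
    try:
        proto, sport, dport = (int(f, 16) for f in fields[4:7])
        pkts = _count(fields[7])
    except ValueError:  # protocol-summary rows contain decimals such as 0.0
        return None
    service = "-"
    if proto in (6, 17):  # ports only identify a service for TCP and UDP
        service = SERVICES.get(sport) or SERVICES.get(dport) or "other"
    return {"src_ip": fields[1], "dst_ip": fields[3],
            "proto": PROTOCOLS.get(proto, str(proto)),
            "sport": sport, "dport": dport, "service": service, "pkts": pkts}

def top_talkers(text, n=3):
    """Sum packets per source address over every parsable flow record."""
    totals = Counter()
    for line in text.splitlines():
        flow = parse_flow_line(line)
        if flow:
            totals[flow["src_ip"]] += flow["pkts"]
    return totals.most_common(n)

if __name__ == "__main__":
    for src, pkts in top_talkers(SAMPLE):
        print(f"{src:<15} {pkts}")
```

The cache only holds flows that have not yet expired, so the ranking reflects the moment the output was captured.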