Hi Everyone,
Our network is currently being bogged down and we're trying to get to the bottom of it. I enabled netflow on the router and see alot of information from the output. I do not have a server to dump the information to, so I am just trying to understand the output from the sh ip cache flow command. For example:
IP Flow Switching Cache, 278544 bytes
61 active, 4035 inactive, 156174 added
2905172 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 67 0.0 32 40 0.0 20.6 13.5
TCP-WWW 52273 0.0 45 1292 2.8 6.0 7.9
TCP-SMTP 646 0.0 81 46 0.0 6.0 1.7
TCP-X 106 0.0 1 40 0.0 0.3 13.1
TCP-NNTP 555 0.0 1 108 0.0 4.1 15.4
TCP-other 80317 0.0 8 416 0.8 2.9 10.4
UDP-DNS 125 0.0 1 116 0.0 0.4 15.5
UDP-NTP 69 0.0 1 76 0.0 0.0 15.5
UDP-TFTP 1 0.0 9 61 0.0 13.4 15.3
UDP-other 18532 0.0 13 529 0.2 7.6 15.4
ICMP 2647 0.0 2 61 0.0 1.1 15.4
IP-other 806 0.0 76 243 0.0 7.7 15.4
Total: 156144 0.1 21 1023 4.0 4.5 10.3
Does the Total Flows column show the current information, or is it over a time interval. It looks like most of my flows are in the TCP-other row. Is there a way to further tell what that information is.
Finally, I get information about the source Interface and destination interface. On the right side, it lists a number for Pckts. Does this show the machine currently using the most packets?
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Se0/0/1:0 38.116.36.22 Fa0/0 12.X.X.X 06 0050 0535 6040
My interface is NATed, so I use sh ip nat trans to match who's address is going to that 38.116.36.22 address. But I'm trying to understand if the sh ip cache flow shows what they were doing (www, ftp, tcp, etc...).
Thanks for your help!
