Problem with netflow and ntop collector

Unanswered Question
Jul 22nd, 2008

Hi all,

I'm a new user and I'm trying to set up a Linux machine with some tools to monitor the network.

For the network usage, I chose ntop.

After configuring ntop and the router, I ran some tests and everything seems to work correctly, but I see that the traffic reported in ntop is not the real traffic passed through the router. For example: if I make an FTP download of about 30 MB, I see only a few KB reported by netflow. Is that normal? I tried changing the version of netflow export (v1, v5, v9) but nothing changed.

Moreover, thinking it was a problem with ntop, I tried two other netflow analyzers, but the result is the same.

Can someone help me? Do we need to modify some parameters on the router to change this behavior? Or is it normal?



Jason Davis Tue, 07/22/2008 - 03:39
User Badges:
  • Cisco Employee,

Danilo, can you provide your netflow config on the source router?

When you say you only see a few KB reported, is that a few KB reported against the source/target and FTP combination or just a few KB received at the collector (traffic-wise)? I would expect the Netflow records to aggregate to 30MB, but the ntop server will not see 30MB of traffic at it. Netflow reduces the information to records noting source, destination, protocol, size, etc.

I'd stick with v5 record types for now. Once we know things are being metered and exported correctly you can migrate to the more advanced v9 records.

Also, what platform? IOS version?

Danilo Molini Tue, 07/22/2008 - 05:55

Hi Jadavis,

thanks for the answer.

The netflow configuration on the router is very basic:

    interface FastEthernet0/1
     ip route-cache flow

    ip flow-export source FastEthernet0/1
    ip flow-export version 5
    ip flow-export destination 2056

The router is in a LAB environment for testing ntop with netflow, and it's a 2811 with SPSERVICESK9-M IOS (Version 12.4(15)T5).

For the FTP traffic, if I understand correctly, netflow should report to my collector some data about the network traffic like source, destination, protocol, port and also bytes transferred. Ntop correctly reports all this data, but for the bytes transferred ntop reports only a few KB for a transfer of 30 MB.

How can I see on the router the amount of traffic recorded by netflow? Can I use the command "show ip cache flow" for this? That way I can understand whether it is netflow that does not send all the data or ntop that doesn't understand the data sent by the router.

Also, if it's a problem in ntop, it's strange that I get the same result with another netflow analyzer.


Jan Nejman Tue, 07/22/2008 - 08:02
User Badges:
  • Bronze, 100 points or more


Did you enable netflow on all L3 interfaces? It is necessary to run "ip route-cache flow" or "ip flow ingress" on all interfaces. If you run flow cache on one interface you will see only data that are received on this interface, but you don't see outgoing traffic from this interface. Please let me know if it helps...

Kind regards,

Jan Nejman

Caligare, Co.
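
The following added example is not part of the thread and is not any poster's code. It parses NetFlow v5 export datagrams and totals dOctets per direction, so a host pair metered in only one direction (the symptom of ingress accounting enabled on a single interface) stands out. The addresses, ifIndex values and byte counts are constructed sample data.

```python
import socket
import struct
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Yield (src, dst, input_ifindex, octets) for each record in one export datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5 or len(datagram) < HDR.size + count * REC.size:
        raise ValueError("not a complete NetFlow v5 datagram")
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        yield socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[3], f[6]

def octets_by_direction(datagrams):
    """Sum dOctets per (src, dst); each direction of a conversation is its own flow."""
    totals = defaultdict(int)
    for d in datagrams:
        for src, dst, _ifin, octets in parse_v5(d):
            totals[(src, dst)] += octets
    return dict(totals)

def input_interfaces(datagrams):
    """ifIndex values that appear as flow input, i.e. interfaces actually metering."""
    return sorted({ifin for d in datagrams for _s, _d, ifin, _o in parse_v5(d)})

def one_sided(totals):
    """Host pairs seen in one direction only (expected for truly one-way traffic)."""
    return sorted(pair for pair in totals if (pair[1], pair[0]) not in totals)

def build_v5(records):
    """Pack constructed (src, dst, input_ifindex, octets) tuples into a v5 datagram."""
    body = b"".join(
        REC.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), ifin, 0, 1,
                 octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for s, d, ifin, octets in records)
    return HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample: client behind ifIndex 2, FTP server behind ifIndex 1 (assumed).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
UPLOAD = [(CLIENT, SERVER, 2, 2000), (CLIENT, SERVER, 2, 6000)]  # commands and ACKs
DOWNLOAD = [(SERVER, CLIENT, 1, 31457280)]                       # the 30 MB of file data
ONE_INTERFACE = [build_v5(UPLOAD)]                     # flow cache on one interface
ALL_INTERFACES = [build_v5(UPLOAD), build_v5(DOWNLOAD)]  # flow cache on both

if __name__ == "__main__":
    for name, dgrams in (("one", ONE_INTERFACE), ("all", ALL_INTERFACES)):
        totals = octets_by_direction(dgrams)
        print(name, input_interfaces(dgrams), totals, one_sided(totals))
```
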

Danilo Molini Wed, 07/23/2008 - 02:19

Hi Jan,

thanks a lot for the suggestion!!!!

Unfortunately I don't know netflow very well (yet), but now with the command ip route-cache flow on the two L3 interfaces it seems to work correctly.


Jason Davis Tue, 07/22/2008 - 09:23
User Badges:
  • Cisco Employee,
Danilo Molini Wed, 07/23/2008 - 07:42

Hi Jadavis,

I think I solved my problem.

After putting the command ip route-cache flow under all L3 interfaces, I now see all traffic.

I still have some problems, but they relate to the ntop configuration. The FTP traffic is reported under another category because when I start a download from an FTP server, the connection from the FTP server to the router arrives on a port >1024 and not on port 20 or 21. Now I have modified the configuration of ntop and it seems to work correctly, logging all the traffic in the right way.

Thanks for the help!


