Netflow Analysis Reveals Skype

Unanswered Question
Oct 27th, 2013

Hello Community,


I have configured flexible Netflow on our routers. An analysis of the cache reveals that my pc is communicating with the router via skype, however I'm not running skype on my desktop.



IPV4 SRC ADDR   IPV4 DST ADDR   TRNS SRC PORT  TRNS DST PORT  INTF INPUT  IP PROT  flows  bytes  time first  app name
10.44.108.168   172.17.140.77           51956            161  Tu0              17      1    544  20:07       cisco skype



Can someone please tell me why I'm seeing skype being communicated between my desktop 10.44.108.168 to the router on 172.17.140.77?


Cheers


Carlton

Marvin Rhoads Sun, 10/27/2013 - 15:37
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

I don't know why it would claim port 161 traffic is "cisco skype". UDP port 161 is used by SNMP. (Reference)


If you want to know what application or service on your PC is communicating using which port, check out the free Microsoft utility tcpview. It can be downloaded here.
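Added example, not part of the original thread: a small Python check that reads flow-cache rows in the column layout shown in the question and flags records whose application label disagrees with the well-known destination port, as with UDP 161 (SNMP) labelled "cisco skype". The port table is a small illustrative subset, and every sample row except the first is constructed, including its app-name label format.

```python
import re

# (IP protocol, destination port) -> service name. Illustrative subset only.
WELL_KNOWN = {
    (17, 161): "snmp",
    (17, 53): "dns",
    (17, 123): "ntp",
    (17, 514): "syslog",
    (6, 22): "ssh",
}

# One data row of the cache table: src, dst, sport, dport, input interface,
# protocol, flows, bytes, time first, app name (which may contain spaces).
ROW = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<intf>\S+)\s+(?P<proto>\d+)\s+"
    r"(?P<flows>\d+)\s+(?P<bytes>\d+)\s+(?P<first>\S+)\s+(?P<app>.+?)\s*$"
)

# First row is the record from the question; the rest are constructed.
SAMPLE = """\
IPV4 SRC ADDR  IPV4 DST ADDR  TRNS SRC PORT  TRNS DST PORT  INTF INPUT  IP PROT  flows  bytes  time first  app name
10.44.108.168  172.17.140.77  51956  161    Tu0  17  1  544   20:07  cisco skype
10.44.108.168  172.17.140.77  51960  161    Tu0  17  3  1632  20:09  nbar snmp
10.44.108.20   172.17.140.77  49152  53     Tu0  17  2  150   20:10  nbar dns
10.44.108.31   198.51.100.9   50111  33033  Tu0  17  9  8200  20:11  cisco skype
"""

def find_mismatches(text):
    """Return (src, dst, dport, expected, reported) for suspect labels."""
    hits = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or blank line
        key = (int(m["proto"]), int(m["dport"]))
        expected = WELL_KNOWN.get(key)
        # Only the destination port is checked; ports outside the table
        # carry no expectation and are never flagged.
        if expected and expected not in m["app"].lower().split():
            hits.append((m["src"], m["dst"], key[1], expected, m["app"]))
    return hits

if __name__ == "__main__":
    for src, dst, port, expected, reported in find_mismatches(SAMPLE):
        print(f"{src} -> {dst}:{port} expected {expected}, labelled '{reported}'")
```

A flagged row points at a classification problem on the router rather than at the named application on the host, so confirm with a per-process view on the PC before treating it as unexpected software.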

Carlton Patterson Sun, 10/27/2013 - 18:27

Hi Marvin,


It's very strange indeed.


I'm going to download the Microsoft utility.


Cheers

jakewilson Mon, 10/28/2013 - 01:23

I've seen similar behaviors with the first release of NBAR in NetFlow.  NBAR2 in the latest IOS does a better job of identifying applications.  Perhaps you can try it.

Carlton Patterson Mon, 10/28/2013 - 02:42

Hi Jake,


Thanks for responding.


Can you let me know how I would go about enabling NBAR2?


Cheers


Carlton

Marvin Rhoads Mon, 10/28/2013 - 07:28

NBAR2 uses protocol packs to update application support. They are available under the "Software on Chassis" section of the downloads page for your platform (assuming it's an ISR G2 or ASR with the necessary license - those are the platforms with NBAR2 support).


See this example for the 2921: link.


For lots of info on AVC, NBAR2, FNF, licensing requirements, how to load and use protocol packs, etc. please see the Cisco Docwiki page on AVC.

Carlton Patterson Mon, 10/28/2013 - 07:34

Thanks Marvin,


One quick other question.


Can you tell me if it's possible to configure Netflow Exporter with more than one destination?


Flow Exporter NETFLOW-TO-ORION:
  Description:              User defined
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 150.50.5.2
    Source IP address:      150.50.5.1
    Source Interface:       Ethernet1/3
    Transport Protocol:     UDP
    Destination Port:       9995
    Source Port:            53405
    DSCP:                   0x0
    TTL:                    255
    Output Features:        Not Used



I would like to add another destination to the above Flow Exporter.


Cheers


Carlton

Marvin Rhoads Mon, 10/28/2013 - 08:23

You're welcome.


A given exporter only goes to a single destination. You can create multiple exporters for a given monitor. (up to 10 with FNF, 2 with original Netflow)


See the configuration guide here.


Please rate helpful posts and mark your question as answered once it has been.


Best Regards,


- Marvin

Carlton Patterson Mon, 10/28/2013 - 09:32

Marvin,


Thanks again mate. You've been great.


I wonder if I could trouble you again regarding Flow Exporter values?


Can you recommend timeout values? For example, I think Cisco suggests the following:


ip flow-cache timeout active 1

Breaks up long-lived flows into 1-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes your traffic reports will have spikes.

It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data.

ip flow-cache timeout inactive 15

Ensures that flows that have finished are periodically exported. The default value is 15 seconds. You can choose any number of seconds between 10 and 600. However, if you choose a value greater than 250 seconds, NetFlow Analyzer may report traffic levels that are too low.



Would you go along with this?


Cheers


Carlton

Marvin Rhoads Mon, 10/28/2013 - 10:15

Absent any specific recommendations to the contrary from your Netflow management tool vendor, the Cisco recommendations are generally fine.


If you're using SolarWinds NTA, they have some suggestions on their technical references here:


http://www.solarwinds.com/documentation/Netflow/nta.aspx

jakewilson Mon, 10/28/2013 - 13:35

I was told that NBAR2 is the result of upgrading to IOS XE 3.7 on the ASR1000 or to IOS 15.2(4)M on your ISR routers. 


To configure multiple exporters, use Flexible NetFlow.  It allows you to set up multiple (possibly unlimited) Flow Exporters and assign them to a Flow Monitor.  Make sure you add all the exporters in step two of the Flexible NetFlow configuration process. Reach out to the team at plixer.com if you need help.
