Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1615
Views
4
Helpful
10
Replies

Netflow Analysis Reveals Skype

Carlton Patterson
Level 1
Level 1

‎10-27-2013 01:12 PM

Hello Community,

I have configured flexible Netflow on our routers. An analysis of the cache reveals that my pc is communicating with the router via skype, however I'm not running skype on my desktop.

IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT  INTF INPUT            IP PROT       flows       bytes    time first  app name

10.44.108.168          172.17.140.77         51956            161  Tu0                                                               17           1         544  20:07             cisco skype

Can someone please tell me why I'm seeing skype being communicated between my desktop 10.44.108.168 to the router on 172.17.140.77?

Cheers

Carlton

Labels:
0 Helpful
10 Replies 10

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-27-2013 03:37 PM

I don't know why it would claim port 161 traffic is "cisco skype". UDP port 161 is used by SNMP. (Reference)

If you wannt to know what application or service on your PC is communicating using which port, check out the free Microsoft utility tcpview. It can be downloaded here.

0 Helpful

Carlton Patterson
Level 1
Level 1
In response to Marvin Rhoads

‎10-27-2013 06:27 PM

Hi Marvin,

It's very strange indeed.

I'm going to download the Microsoft utility.

Cheers

0 Helpful

jakewilson
Level 1
Level 1
In response to Carlton Patterson

‎10-28-2013 01:23 AM

I've seen similar behaviors with the first release of NBAR in NetFlow.  NBAR2 in the latest IOS does a better job of identifying applications.  Perhaps you can try it.

0 Helpful

Carlton Patterson
Level 1
Level 1
In response to jakewilson

‎10-28-2013 02:42 AM

Hi Jake,

Thanks for responding.

Can you let me know how I would go about enabling NBAR2?

Cheers

Carlton

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Carlton Patterson

‎10-28-2013 07:28 AM

NBAR2 uses protocol packs to update application support. They are available under the "Software on Chassis" section of the downloads page for your platform (assuming it's an ISR G2 or ASR with the necessary license - those are the platforms with NBAR2 support).

See this example for the 2921: link.

For lots of info on AVC, NBAR2, FNF, licensing requirements, how to load and use protocol packs, etc. please see the Cisco Docwiki page on AVC.

0 Helpful

Carlton Patterson
Level 1
Level 1
In response to Marvin Rhoads

‎10-28-2013 07:34 AM

Thanks Marvin,

One quick other question.

Can you tell me if its possible to configure Netflow Exporter with more than one destination?

Flow Exporter NETFLOW-TO-ORION:

  Description:              User defined

  Export protocol:          NetFlow Version 9

  Transport Configuration:

    Destination IP address: 150.50.5.2

    Source IP address:      150.50.5.1

    Source Interface:       Ethernet1/3

    Transport Protocol:     UDP

    Destination Port:       9995

    Source Port:            53405

    DSCP:                   0x0

    TTL:                    255

    Output Features:        Not Used

I would like to add another destination to the above Flow Exporter

Cheers

Carlton

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Carlton Patterson

‎10-28-2013 08:23 AM

You're welcome.

A given exporter only goes to a single destination. You can create multiple exporters for a given monitor. (up to 10 with FNF, 2 with original Netflow)

See the configuration guide here.

Please rate helpful posts and marked your question as answered once it has been.

Best Regards,

- Marvin

0 Helpful

Carlton Patterson
Level 1
Level 1
In response to Marvin Rhoads

‎10-28-2013 09:32 AM

Marvin,

Thanks again mate. You've been great.

I wonder if I could trouble again regarding Flow Exporters values?

Can you recommend timeout values. For example I think Cisco suggests the following:

ip flow-cache timeout active 1

Breaks up long-lived flows into 1-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes your traffic reports will have spikes.

It is important to set this value to 1 minute in order to generate alerts and viewtroubleshooting data.

ip flow-cache timeout inactive 15Ensures that flows that have finished are periodically exported. The default value is 15 seconds. You can choose any number of seconds between 10 and 600. However, if you choose a value greater than 250 seconds, NetFlow Analyzer may report traffic levels that are too low.

Would you go along with this?

Cheers

Carlton

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Carlton Patterson

‎10-28-2013 10:15 AM

Absent any specific recommendations to the contrary from your Netflow management tool vendor, the Cisco recommendations are generally fine.

If you're using SolarWinds NTA, they have some suggestions on their technical references here:

http://www.solarwinds.com/documentation/Netflow/nta.aspx

jakewilson
Level 1
Level 1
In response to Carlton Patterson

‎10-28-2013 01:35 PM

I was told that NBAR2 is the result of upgrading to IOS XE 3.7 on the ASR1000 or to IOS 15.2(4)M on your ISR routers. 

To configure multiple exporters, use Flexible NetFlow.  It allows you to setup multiple (possibly unlimited) Flow Exporters and assign them to a Flow Monitor.  Make sure you add all the exporters in step two of the Flexible NetFlow configuration process. Reach out to the team at plixer.com if you need help.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents