Solved: Help Interpreting Netflow Output

Carlton Patterson · ‎09-11-2013

Hello Community,

I have been evaluating a script that allows you to see top talkers in realtime.

For an explanation of the script please see attached.

I'm having a problem interpreting the output. For example, the following appears five times with different AvgBits/s

SRCIP DSTIP APPLICATION PROT DIRN Start AvgBit/s AvgPkt/s

===================================================================================

194.75.202.233 80.229.108.65 0/0 ESP IN 07:28 111K 40

Would the correct interpretation be, 'at 07:28am, the AvgBits/s was 111K?

If so I ran the script again and a few hours later and I got the following:

SRCIP DSTIP APPLICATION PROT DIRN Start AvgBit/s AvgPkt/s

===================================================================================

194.75.202.233 80.229.108.65 0/0 ESP IN 07:28 2.69M 296

You will notice that the time is the same, however the AvgBits/s is now 2.69M. I don't understand how the time remains the same, even though I ran the script match later and the Mb is 2.69M??

I have also attached a sample showing the following addresses:

10.50.96.30 10.45.156.82 445-microsoft.

In the above sample, can someone explain why AvgBit/s was 1.95M, and later it was 239K?

Cheers

Carlton

Joe Clarke · ‎09-11-2013

This is a flow. The flow can last a long time, as it appears to be doing in this case. Given that this is VPN traffic, that makes sense. When you first ran the script, the average was 111Kbps, but later in the day (likely after the user had cranked much more traffic through the VPN) the average was 2.69M.

Averages grow and shrink depending on time and the amount of traffic. If an average goes down, it means for the life of that flow, the traffic rate decreased. In the beginning it may have been high, but over time, less traffic was sent.

View solution in original post

Joe Clarke · ‎09-11-2013

This is a flow. The flow can last a long time, as it appears to be doing in this case. Given that this is VPN traffic, that makes sense. When you first ran the script, the average was 111Kbps, but later in the day (likely after the user had cranked much more traffic through the VPN) the average was 2.69M.

Averages grow and shrink depending on time and the amount of traffic. If an average goes down, it means for the life of that flow, the traffic rate decreased. In the beginning it may have been high, but over time, less traffic was sent.

Carlton Patterson · ‎09-12-2013

Joseph thanks again for responding.

I have just one more question (I think :-) related to this issue.

I ran the script again at 13:17. From the output shown in the attached would it correct to say that all the flows shown, apart from:

194.75.202.233 80.229.108.65 0/0 ESP IN 09:03

80.229.108.65 194.75.202.233 0/0 ESP OUT 09:03

started at 13:17, and there weren't any flows that have been running before 13:17?

Cheers

Carlton

Carlton Patterson · ‎09-11-2013

Thanks responding,

Can you tell me why the time, 07:28am is the same for 111K as it is for 2.69M? Even when I ran the script when I got 2.69M it was 13:00 If I run the script at, say 13:00 shouldn't the script show that time?

Cheers

Sent from Cisco Technical Support iPhone App

Joe Clarke · ‎09-11-2013

The start time shown is the start of the flow, not the script. This was a long-running flow.

Carlton Patterson · ‎09-12-2013

Joseph,

Just one more question to clarify.

If I ran the script and I saw the following flow

SRCIP DSTIP APPLICATION PROT DIRN Start AvgBit/s AvgPkt/s

===================================================================================

194.75.202.233 80.229.108.65 0/0 ESP IN 09:03 432K 100

And then I ran the script 15mins later and I saw the following flow:

SRCIP DSTIP APPLICATION PROT DIRN Start AvgBit/s AvgPkt/s

===================================================================================

194.75.202.233 80.229.108.65 0/0 ESP IN 09:13 432K 100

Does that mean that between 09:03 and 09:12:59 the flow stopped and started again at 09:13?

Cheers

Carlton

Joe Clarke · ‎09-12-2013

It does look to be the case. It was likely purged from the cache, then started up again.

Carlton Patterson · ‎09-12-2013

Thanks again Joesph for that.

I wonder if you could shed some light on the following:

I ran the following command twice

show flow monitor FlowMonitor1 cache sort highest counter packets

In the first instance I got the following:

10.50.131.34 10.45.69.224 3009 161 Tu0 17 Gi0/1.10 Input 107 1 15:51:32.580

In the second instance

10.50.131.34 10.45.69.224 3009 161 Tu0 17 Gi0/1.10 Input 107 1 15:52:02.864

(please see attachment for better clarification)

Can you explain what is meant by 'time first'? If it means the time the first flow was recorded was 15:51:32.580 what does 15:52:02.864 time represent?

Thanks mate

Joe Clarke · ‎09-15-2013

This refers to the time the first packet in the flow was seen. So you're looking at two different flows in this output. Both appear to be SNMP, and likely just timing out of your cache between executions of the show flow monitor command.