How to interpret Netflow data -- ip cache flow

Hi Everyone,

Our network is currently being bogged down and we're trying to get to the bottom of it. I enabled netflow on the router and see a lot of information in the output. I do not have a server to dump the information to, so I am just trying to understand the output from the sh ip cache flow command. For example:

IP Flow Switching Cache, 278544 bytes
  61 active, 4035 inactive, 156174 added
  2905172 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          67      0.0        32    40      0.0      20.6      13.5
TCP-WWW          52273      0.0        45  1292      2.8       6.0       7.9
TCP-SMTP           646      0.0        81    46      0.0       6.0       1.7
TCP-X              106      0.0         1    40      0.0       0.3      13.1
TCP-NNTP           555      0.0         1   108      0.0       4.1      15.4
TCP-other        80317      0.0         8   416      0.8       2.9      10.4
UDP-DNS            125      0.0         1   116      0.0       0.4      15.5
UDP-NTP             69      0.0         1    76      0.0       0.0      15.5
UDP-TFTP             1      0.0         9    61      0.0      13.4      15.3
UDP-other        18532      0.0        13   529      0.2       7.6      15.4
ICMP              2647      0.0         2    61      0.0       1.1      15.4
IP-other           806      0.0        76   243      0.0       7.7      15.4
Total:          156144      0.1        21  1023      4.0       4.5      10.3

Does the Total Flows column show the current information, or is it over a time interval? It looks like most of my flows are in the TCP-other row. Is there a way to further tell what that information is?

Finally, I get information about the source interface and destination interface. On the right side, it lists a number for Pkts. Does this show the machine currently using the most packets?

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0/1:0     38.116.36.22    Fa0/0         12.X.X.X        06 0050 0535  6040

My interface is NATed, so I use sh ip nat trans to match whose address is going to that 38.116.36.22 address. But I'm trying to understand if the sh ip cache flow shows what they were doing (www, ftp, tcp, etc...).

Thanks for your help!

1 ACCEPTED SOLUTION


Re: How to interpret Netflow data -- ip cache flow

Hello Tom,

I think that the "Total Flows" means current value - it is the number of flows (i.e. TELNET sessions) that are in the flow cache. The flow expires after the "active/inactive" timeout.

The best solution is a netflow collector/analyzer, which prepares human-style statistics for you. You can see the list of applications at the URL: http://netflow.caligare.com/applications.htm

You can also enable/use "top talkers" statistics in IOS. You need to enable it before using it. IOS will dynamically create a top X matrix viewable via the CLI.

Kind regards

Jan Nejman

Caligare, Co.

http://www.caligare.com/

2 REPLIES
Re: How to interpret Netflow data -- ip cache flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0/1:0     38.116.36.22    Fa0/0         12.X.X.X        06 0050 0535  6040

The format means traffic passes from se0/0 to fa0/0 with the port numbers mentioned - 6040 packets.

To search quickly:

sh ip cache flow | inc (your match)

| means filter; it is used to filter your match from the cache.
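As an added example that is not part of the original thread: the Pr, SrcP and DstP columns of a flow line are hexadecimal, so the line quoted above is TCP (06) from port 80 (0050) to port 1333 (0535). This Python code decodes pasted `show ip cache flow` lines and totals packets per source address; the function names, the small service table and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# First flow line is the one quoted in the thread; the rest are constructed
# samples using documentation address ranges.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0/1:0     38.116.36.22    Fa0/0         12.X.X.X        06 0050 0535  6040
Fa0/0         192.0.2.10      Se0/0/1:0     198.51.100.7    11 C350 0035     3
Fa0/0         192.0.2.10      Se0/0/1:0     198.51.100.9    06 C001 0019   120
Se0/0/1:0     203.0.113.5     Fa0/0         192.0.2.10      01 0000 0800     4
"""

PROTOCOLS = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP"}  # IP protocol numbers
# Illustrative (assumed) subset of well-known ports, not a Cisco table.
SERVICES = {23: "telnet", 25: "smtp", 53: "dns", 69: "tftp",
            80: "www", 119: "nntp", 123: "ntp", 443: "https"}

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\S+)\s+(?P<dst_if>\S+)\s+(?P<dst_ip>\S+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+"
    r"(?P<pkts>\d+)\s*$")

def parse_flows(text):
    """Decode flow lines; the Pr, SrcP and DstP columns are hexadecimal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:                      # header, summary table, blank lines
            continue
        proto = int(m["pr"], 16)
        sport, dport = int(m["sp"], 16), int(m["dp"], 16)
        if proto == 0x01:              # ICMP: DstP carries type*256 + code
            service = f"icmp type {dport >> 8} code {dport & 0xFF}"
        else:                          # name the well-known side of the flow
            service = SERVICES.get(sport) or SERVICES.get(dport) or "other"
        flows.append({"src_ip": m["src_ip"], "dst_ip": m["dst_ip"],
                      "proto": PROTOCOLS.get(proto, str(proto)),
                      "sport": sport, "dport": dport,
                      "service": service, "pkts": int(m["pkts"])})
    return flows

def top_talkers(flows, n=3):
    """Rank source addresses by total packets across their cached flows."""
    totals = Counter()
    for f in flows:
        totals[f["src_ip"]] += f["pkts"]
    return totals.most_common(n)
```

The packet counts cover only flows still in the cache when the output was captured, so the ranking is a snapshot rather than a history.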
