Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Need Help on command show ip cache flow

Hello Friends,

I need some help on this command 'show ip cache flow' , here i give u output of that command ,,,,

IP packet size distribution (650247 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480

.000 .732 .185 .004 .001 .001 .003 .003 .002 .001 .001 .001 .002 .001 .001

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608

.004 .000 .000 .006 .040 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes

1346 active, 2750 inactive, 257723 added

3322697 ager polls, 0 flow alloc failures

Active flows timeout in 30 minutes

Inactive flows timeout in 15 seconds

IP Sub Flow Cache, 21640 bytes

1 active, 1023 inactive, 2 added, 2 added to flow

0 alloc failures, 0 force free

1 chunk, 1 chunk added

last clearing of statistics never

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow

TCP-Telnet 25 0.0 16 42 0.1 8.2 13.3

TCP-FTP 61 0.0 4 50 0.0 7.2 12.9

TCP-FTPD 5 0.0 1 48 0.0 1.7 15.6

TCP-WWW 9380 2.8 12 432 33.9 6.2 9.4

TCP-SMTP 1636 0.4 3 70 1.4 8.9 15.7

TCP-NNTP 75 0.0 2 84 0.0 4.3 15.5

TCP-other 175370 52.5 1 51 101.0 2.5 15.7

UDP-DNS 14120 4.2 1 65 7.2 2.1 15.8

UDP-NTP 181 0.0 1 76 0.0 0.1 15.7

UDP-TFTP 12 0.0 6 49 0.0 30.0 15.7

UDP-other 51706 15.4 2 82 42.8 1.2 15.9

ICMP 3730 1.1 1 69 2.2 4.3 15.6

IP-other 76 0.0 45 177 1.0 39.9 15.6

Total: 256377 76.7 2 127 190.1 2.4 15.5

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Gi0/1 10.217.0.54 Mu24 10.10.3.191 11 00A1 0F52 3

Gi0/1 10.215.3.123 Null 10.215.54.149 06 07F8 01BD 1

Gi0/1 10.215.3.123 Null 10.215.54.42 06 0754 01BD 2

In this output 1 or2 line with Gi0/1 192.100.100.9 Null 192.100.100.255 11 0089 0089 1710

Gi0/1 192.100.100.14 Null 192.100.100.255 11 008A 008A 7

Gi0/1 192.100.100.14 Null 192.100.100.255 11 0089 0089 131

Gi0/1 192.100.100.3 Null 192.100.100.255 11 0089 0089 10

Gi0/1 10.215.3.249 Null 10.215.155.131 06 0BB6 01BD 2

Gi0/1 192.100.100.6 Null 192.100.100.255 11 0089 0089 1440

what it meance coz it isgiving me brodcast address in destination address and i think here is the prob whihc effect on my CPU utilization and even this is not roted network in our network,,

Pls help me for this

Thanking You,

Chirag Pandya

4 REPLIES

Re: Need Help on command show ip cache flow

Hi Chirag

The port numbers mentioned in the output clearly shows that its related to 137/138.

008A -- 138

0089 -- 137

I suspect it may be due to well known blaster worm which uses TCP/UDP ports 137,138,139 and 593.

IT also uses TCP 135 and UDP 69 (TFTP) port,i would suggest here to apply the required ACLs and check out for the fresh output.

you can use this link which will guide you in the mitigation process.

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801aedd6.html

regds

New Member

Re: Need Help on command show ip cache flow

hi edwin,

I am eager to know how did u find out the port nos . from output of "sh ip cache flow" as:-

008A -- 138 ---- ???

0089 -- 137 ---- ???

Hall of Fame Super Silver

Re: Need Help on command show ip cache flow

The port numbers in the output are given in hex format. If you convert 008a from hex into decimal the result is 138. And if you conver 0089 from hex into decimal the result is 137.

You could work through the binary values to do the conversion. Or there is an arithmetic method of converting hex to decimal. But the easy way to convert is to get a calculator that displays hex and decimal and use it to convert. (The Windows calculator in scientific view does this very well.)

HTH

Rick

New Member

Re: Need Help on command show ip cache flow

Hi Rick,

Thank you very much for your help.

Once again Cisco technology is great !!!!!!

1025
Views
4
Helpful
4
Replies
CreatePlease login to create content