NetFlow Top Talkers

Who's Doing What? A Quick Way to Check

In the last post, we discussed some of the basic ideas behind NetFlow, which is sort of like the Swiss Army Knife of network visibility tools. In this post, keeping with the spirit of "quick-and-easy" ways to improve your productivity, we'll look at some of the CLI tools for use with NetFlow.My favorite one is the top talkers feature. How many times have you wondered what hosts or applications are using bandwidth on a link? The top talkers feature makes it easy to see. First, you need to activate NetFlow on the relevant interfaces. You do this by applying the "ip flow ingress" command, in interface configuration mode. test#sh run int f0/0.134 | i int|ip flowNext, you enable to top talkers feature:test#sh run | section top-talkersYou can specify how many top talkers to cache, and the attribute by which to sort. Note the use of the "section" output modifier: we didn't discuss this in the previous blog post on output modifiers, but it's incredibly useful.All you need to do from here is issue the "show ip flow top-talkers" command:test#sh ip flow top-talkersSrcIf         SrcIPaddress    DstIf         DstIPaddress   Pr SrcP DstP BytesSe0/0:1  Fa0/0.134   06 0050 05C0  8599KSe0/0:1  Fa0/0.134*   06 0050 05C0  8599KSe0/0:1   Fa0/0.134   06 0050 0D83  7119KSe0/0:1   Fa0/0.134*   06 0050 0D83  7119KSe0/0:1  Fa0/0.134   06 0050 0954  1584KSe0/0:1  Fa0/0.134*   06 0050 0954  1584KThe output here is pretty self-explanatory. The only part that can be a little tricky is that the protocol, source port, and destination port fields are shown in hexadecimal. In this example, all of the flows are TCP flows; TCP is IP protocol 6. UDP flows would be listed as "11"; 11 in hex is 17 in base 10, and UDP is IP protocol 17. The source port in each of these is 0x50 (that's short for hexadecimal 50), which converts to 80 in base 10. As you know, TCP port 80 is used for HTTP. Thus, in these flows we're seeing traffic from web servers at and going to three different HTTP clients. As we discussed in the previous post, NetFlow is application-agnostic: to be strictly technically correct, we can't know for certain that this is actually HTTP traffic without looking at the application layer; it could be some other service running on port 80. Most likely, however, it's HTTP.If you want to view the entire active NetFlow cache, use the "show ip cache flow" command. I find this particularly useful if I'm looking for smaller flows that might not show up in the top X talkers. The protocol and packet size statistics can also be handy if you're troubleshooting those types of problems:testB#sh ip cache flowIP packet size distribution (50401M total packets):   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480   .000 .296 .028 .088 .027 .015 .023 .016 .025 .004 .003 .004 .004 .004 .004    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608   .003 .074 .004 .018 .348 .000 .000 .000 .000 .000 .000[output omitted]Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /FlowTCP-Telnet       84488      0.0         3    59      0.0       2.3      13.4TCP-FTP         824292      0.1        14    61      2.8       3.5       4.1TCP-FTPD       1152377      0.2        45   880     12.0       0.5       1.8TCP-WWW      653021156    152.0        36   777   5610.5       4.2       7.2TCP-SMTP     270501418     62.9         9   351    618.2       4.5       4.2[output omitted]GRE             164626      0.0        68   388      2.6      14.1      15.8IP-other      14789920      3.4       288   449    993.4      49.9      15.4Total:      2610739055    607.8        19   607  11734.9       2.5      12.2SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  PktsGi0/1.9   Gi0/0* 06 495F 7194   222 I deleted a bunch of output here for brevity, but you can see the main sections: a statistical distribution of packet sizes, a statistical distribution of common protocol types, and a raw list of entries in the NetFlow cache. The number of entries in the flow cache can be quite large; you'll definitely need to use output modifiers to filter this in a production environment.

interface FastEthernet0/0.134              

 ip flow ingress                           

In older IOS versions, the "ip flow ingress" command was "ip route-cache flow". This older version still works fine, but it's considered deprecated and the newer version is preferable. There's also an "ip flow egress" command that can be used with collectors that understand flow directionality.

ip flow-top-talkers

 top 10

 sort-by bytes

[output omitted]


Copyright © 2010 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022