-
Flexible Netflow Configuration Guide, Cisco IOS Release 12.4T
-
Cisco IOS Flexible NetFlow Overview
-
Getting Started with Configuring Cisco IOS Flexible NetFlow
-
Configuring Cisco IOS Flexible NetFlow with Predefined Records
-
Configuring Data Export for Flexible NetFlow with Flow Exporters
-
Customizing Flexible NetFlow Flow Records and Flow Monitors
-
Configuring IPv4 Multicast Statistics Support for Flexible NetFlow
-
Using Flexible NetFlow Top N Talkers to Analyze Network Traffic
-
Using Flexible NetFlow Flow Sampling
-
Feedback
Contents
- Using Flexible NetFlow Top N Talkers to Analyze Network Traffic
- Finding Feature Information
- Prerequisites for Flexible NetFlow Top N Talkers
- Information About Flexible NetFlow Top N Talkers
- Flexible NetFlow Data Flow Filtering
- Flexible NetFlow Data Flow Aggregation
- Flow Sorting and Top N Talkers
- Documented Flexible NetFlow Top N Talkers Command Names and Actual Syntax
- Combined Use of Flow Filtering and Flow Aggregation and Flow Sorting with Top N Talkers
- Memory and Performance Impact of Top N Talkers
- How to Analyze Network Traffic Using Flexible NetFlow Top N Talkers
- Filtering Flow Data from the Flexible NetFlow Cache
- Aggregating Flow Data from the Flexible NetFlow Cache
- Sorting Flow Data from the Flexible NetFlow Cache
- Displaying the Top N Talkers with Sorted Flow Data
- Configuration Examples for Flexible NetFlow Top N Talkers
- Example Displaying the Top Talkers with Filtered and Aggregated and Sorted Flow Data
- Example Filtering Using Multiple Filtering Criteria
- Example Aggregation Using Multiple Aggregation Criteria
- Additional References
- Feature Information for Flexible NetFlow Top N Talkers
Using Flexible NetFlow Top N Talkers to Analyze Network Traffic
This document contains information about and instructions for using the Flexible NetFlow--Top N Talkers Support feature. The Flexible NetFlow--Top N Talkers Support feature helps you analyze the large amount of data that Flexible NetFlow captures from the traffic in your network by providing the ability to filter, aggregate, and sort the data in the Flexible NetFlow cache as you display it. When you are sorting and displaying the data in the cache, you can limit the display output to a specific number of entries with the highest values (Top N Talkers) for traffic volume, packet counters, and so on. The Flexible NetFlow--Top N Talkers Support feature facilitates real-time traffic analysis by requiring only the use of show commands, which can be entered in many different variations using the available keywords and arguments to meet your traffic data analysis requirements.
NetFlow is a Cisco IOS technology that provides statistics on packets flowing through the router. NetFlow is the standard for acquiring IP operational data from IP networks. NetFlow provides data to support network and security monitoring, network planning, traffic analysis, and IP accounting.
Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow facilitates the creation of more complex configurations for traffic analysis and data export through the use of reusable configuration components.
- Finding Feature Information
- Prerequisites for Flexible NetFlow Top N Talkers
- Information About Flexible NetFlow Top N Talkers
- How to Analyze Network Traffic Using Flexible NetFlow Top N Talkers
- Configuration Examples for Flexible NetFlow Top N Talkers
- Additional References
- Feature Information for Flexible NetFlow Top N Talkers
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Flexible NetFlow Top N Talkers
- You are familiar with the information in the " Cisco IOS Flexible NetFlow Overview " module.
- The networking device is running a Cisco IOS release that supports the Flexible NetFlow--Top N Talkers Support feature. See the Feature Information for Flexible NetFlow Top N Talkers for a list of Cisco IOS software releases that support Flexible NetFlow.
No configuration tasks are associated with the Flexible NetFlow--Top N Talkers Support feature. Therefore, in order for you to use the Flexible NetFlow--Top N Talkers Support feature, traffic analysis with Flexible NetFlow must already be configured about the networking device.
Information About Flexible NetFlow Top N Talkers
- Flexible NetFlow Data Flow Filtering
- Flexible NetFlow Data Flow Aggregation
- Flow Sorting and Top N Talkers
- Documented Flexible NetFlow Top N Talkers Command Names and Actual Syntax
- Combined Use of Flow Filtering and Flow Aggregation and Flow Sorting with Top N Talkers
- Memory and Performance Impact of Top N Talkers
Flexible NetFlow Data Flow Filtering
The flow filtering function of the Flexible NetFlow--Top N Talkers Support feature filters the flow data in a flow monitor cache based on the criteria that you specify, and displays the data.
The flow filtering function of the Flexible NetFlow--Top N Talkers Support feature is provided by the show flow monitor cache filter command. For more information on the show flow monitor cache filter command, refer to the Cisco IOS Flexible NetFlow Command Reference.
Flexible NetFlow Data Flow Aggregation
Flow aggregation using the show flow monitor cache aggregate command allows you to dynamically view the flow information in a cache using a different flow record than the cache was originally created from. Only the fields in the cache will be available for the aggregated flows.
The flow aggregation function of the Flexible NetFlow--Top N Talkers Support feature is provided by the show flow monitor cache aggregate command. For more information on the show flow monitor cache aggregate command, refer to the Cisco IOS Flexible NetFlow Command Reference.
Flow Sorting and Top N Talkers
The flow sorting function of the Flexible NetFlow--Top N Talkers Support feature sorts flow data from the Flexible NetFlow cache based on the criteria that you specify and displays the data. You can also use the flow sorting function of the Flexible NetFlow--Top N Talkers Support feature to limit the display output to a specific number of entries (top n talkers, where n is the number or talkers to display) by using the top keyword.
The flow sorting and Top N Talkers function of the Flexible NetFlow--Top N Talkers Support feature is provided by the show flow monitor cache sort command. For more information on the show flow monitor cache sort command, refer to the Cisco IOS Flexible NetFlow Command Reference.
Documented Flexible NetFlow Top N Talkers Command Names and Actual Syntax
The three commands that make up the Flexible NetFlow--Top N Talkers Support feature are documented using the Cisco documentation convention of using the initial words in the CLI syntax, omitting a subsequent words in the CLI syntax, and using a word in the CLI syntax that follows the omitted words. Therefore the syntax that you use for entering the commands is different from the actual documented command name. The table below shows the documented commands names and the actual command CLI syntax. The monitor-name argument is the name of a flow monitor that was previously configured.
| Table 1 | Documented Command Names and Actual Command Syntax |
|
Documented Command Name |
Actual CLI Syntax for Using the Command |
|---|---|
|
show flow monitor cache filter |
show flow monitor monitor-name cache filter |
|
show flow monitor cache aggregation |
show flow monitor monitor-name cache aggregation |
|
show flow monitor cache sort |
show flow monitor monitor-name cache sort |
Combined Use of Flow Filtering and Flow Aggregation and Flow Sorting with Top N Talkers
Although each of the show commands that make up the Flexible NetFlow--Top N Talkers Support feature can be used individually for traffic analysis, they provide much greater analytical capabilities when they are used together. When you use any combination of the three show commands, you enter only the common prefix of show flow monitor monitor-name cachefollowed by filter, aggregation, sort, and the arguments and keywords available for filter, aggregation, sort, as required. For example,
show flow monitor monitor-name cache filter options aggregation options sort options
where options is any permissible combination of arguments and keywords. See the Configuration Examples for Flexible NetFlow Top N Talkers for more information.
Memory and Performance Impact of Top N Talkers
The Flexible NetFlow--Top N Talkers Support feature can use a large number of CPU cycles and possibly also system memory for a short time. However, because the Flexible NetFlow--Top N Talkers Support feature uses only show commands, the CPU usage should be run at a low priority because no real-time data processing is involved. The memory usage can be mitigated by using a larger granularity of aggregation, or no aggregation at all.
How to Analyze Network Traffic Using Flexible NetFlow Top N Talkers
- Filtering Flow Data from the Flexible NetFlow Cache
- Aggregating Flow Data from the Flexible NetFlow Cache
- Sorting Flow Data from the Flexible NetFlow Cache
- Displaying the Top N Talkers with Sorted Flow Data
Filtering Flow Data from the Flexible NetFlow Cache
This task shows you how to use the show flow monitor cache filter command with a regular expression to filter the flow monitor cache data, and display the results. For more information on regular expressions and the show flow monitor cache filter command, refer to the Cisco IOS Flexible NetFlow Command Reference.
To filter the flow monitor cache data using a regular expression and display the results, perform the following task.
DETAILED STEPS
| Step 1 |
enable
Enters privileged EXEC mode. Example:
Router> enable
|
| Step 2 |
show
flow
monitor
[name]
monitor-name
cache
filter
options [regexp
regexp] [...options [regexp
regexp]] [format {csv |
record |
table}]
Filters the flow monitor cache data on the IPv4 type of service (ToS) value. Example:
Router# show flow monitor FLOW-MONITOR-3 cache filter ipv4 tos regexp 0x(C0|50)
Cache type: Normal
Cache size: 4096
Current entries: 19
High Watermark: 38
Flows added: 3516
Flows aged: 3497
- Active timeout ( 1800 secs) 52
- Inactive timeout ( 15 secs) 3445
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IPV4 SOURCE ADDRESS: 10.1.1.1
IPV4 DESTINATION ADDRESS: 255.255.255.255
TRNS SOURCE PORT: 520
TRNS DESTINATION PORT: 520
INTERFACE INPUT: Et0/0
FLOW SAMPLER ID: 0
IP TOS: 0xC0
IP PROTOCOL: 17
ip source as: 0
ip destination as: 0
ipv4 next hop address: 0.0.0.0
ipv4 source mask: /24
ipv4 destination mask: /0
tcp flags: 0x00
interface output: Null
counter bytes: 52
counter packets: 1
timestamp first: 18:59:46.199
timestamp last: 18:59:46.199
Matched 1 flow
|
Aggregating Flow Data from the Flexible NetFlow Cache
This task shows you how to use the show flow monitor cache aggregate command to aggregate the flow monitor cache data with a different record than the cache was created with, and display the results. For more information on the show flow monitor cache aggregate command, refer to the Cisco IOS Flexible NetFlow Command Reference.
To aggregate the flow monitor cache data and display the results, perform the following task.
DETAILED STEPS
| Step 1 |
enable
Enters privileged EXEC mode. Example:
Router> enable
|
| Step 2 |
show
flow
monitor
[name]
monitor-name
cache
aggregate {options [...options] [collect
options [...options]] |
record
record-name} [format {csv |
record |
table}]
Aggregates the flow monitor cache data on the IPv4 destination address and displays the cache data for the IPv4 protocol type and input interface nonkey fields: Example: Router# show flow monitor FLOW-MONITOR-3 cache aggregate ipv4 destination address collect ipv4 protocol interface input Processed 17 flows Aggregated to 7 flows IPV4 DST ADDR intf input flows bytes pkts ip prot =============== ==================== ========== ========== ========== ======= 224.192.16.4 Et0/0 3 42200 2110 1 224.192.16.1 Et0/0 3 17160 858 1 224.192.18.1 Et0/0 4 18180 909 1 224.192.45.12 Et0/0 4 14440 722 1 255.255.255.255 Et0/0 1 52 1 17 224.0.0.13 Et0/0 1 54 1 103 224.0.0.1 Et0/0 1 28 1 2 |
Sorting Flow Data from the Flexible NetFlow Cache
This task shows you how to use the show flow monitor cache sort command to sort the flow monitor cache data, and display the results. For more information on the show flow monitor cache sort command, refer to the Cisco IOS Flexible NetFlow Command Reference.
To sort the flow monitor cache data and display the results, perform the following task.
DETAILED STEPS
Displaying the Top N Talkers with Sorted Flow Data
This task shows you how to use the show flow monitor cache sort command to sort the flow monitor cache data, and to limit the display results to a specific number of high volume flows. For more information on the show flow monitor cache sort command, refer to the Cisco IOS Flexible NetFlow Command Reference.
To sort the flow monitor cache data and limit the display output using to a specific number of high volume flows, perform the following task.
DETAILED STEPS
| Step 1 |
enable
Enters privileged EXEC mode. Example:
Router> enable
|
| Step 2 |
show
flow
monitor
[name]
monitor-name
cache
sort
options [top [number]][format {csv |
record |
table}]
Displays the cache data sorted on the number of packets from highest to lowest and limits the output to the three highest volume flows: Example:
Router# show flow monitor FLOW-MONITOR-1 cache sort highest counter packets top 3
Processed 25 flows
Aggregated to 25 flows
Showing the top 3 flows
IPV4 SOURCE ADDRESS: 10.1.1.3
IPV4 DESTINATION ADDRESS: 172.16.10.11
TRNS SOURCE PORT: 443
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 32360
counter packets: 1897
timestamp first: 19:42:32.924
timestamp last: 20:03:47.100
IPV4 SOURCE ADDRESS: 10.10.11.2
IPV4 DESTINATION ADDRESS: 172.16.10.6
TRNS SOURCE PORT: 65
TRNS DESTINATION PORT: 65
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 32360
counter packets: 809
timestamp first: 19:42:34.264
timestamp last: 20:03:48.460
IPV4 SOURCE ADDRESS: 172.16.1.84
IPV4 DESTINATION ADDRESS: 172.16.10.19
TRNS SOURCE PORT: 80
TRNS DESTINATION PORT: 80
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /24
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 32320
counter packets: 345
timestamp first: 19:42:34.512
timestamp last: 20:03:47.140
|
Configuration Examples for Flexible NetFlow Top N Talkers
- Example Displaying the Top Talkers with Filtered and Aggregated and Sorted Flow Data
- Example Filtering Using Multiple Filtering Criteria
- Example Aggregation Using Multiple Aggregation Criteria
Example Displaying the Top Talkers with Filtered and Aggregated and Sorted Flow Data
The following example combines filtering, aggregation, collecting additional field data, sorting the flow monitor cache data, and limiting the display output to a specific number of high volume flows (top talkers).
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 protocol regexp (1|6) aggregate ipv4 destination address collect ipv4 protocol sort counter bytes top 4
Processed 26 flows
Matched 26 flows
Aggregated to 13 flows
Showing the top 4 flows
IPV4 DST ADDR flows bytes pkts
=============== ========== ========== ==========
172.16.10.2 12 1358370 6708
172.16.10.19 2 44640 1116
172.16.10.20 2 44640 1116
172.16.10.4 1 22360 559
The following example combines filtering using a regular expression, aggregation using a predefined record, sorting the flow monitor cache data, limiting the display output to a specific number of high volume flows (top talkers), and displaying the output in record format.
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 source address regexp 10.* aggregate record netflow ipv4 protocol-port sort transport destination-port top 5 format record
Processed 26 flows
Matched 15 flows
Aggregated to 10 flows
Showing the top 5 flows
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 0
FLOW DIRECTION: Input
IP PROTOCOL: 1
counter flows: 1
counter bytes: 387800
counter packets: 700
timestamp first: 17:12:30.712
timestamp last: 17:30:52.936
TRNS SOURCE PORT: 20
TRNS DESTINATION PORT: 20
FLOW DIRECTION: Input
IP PROTOCOL: 6
counter flows: 2
counter bytes: 56000
counter packets: 1400
timestamp first: 17:12:29.532
timestamp last: 17:30:53.148
TRNS SOURCE PORT: 21
TRNS DESTINATION PORT: 21
FLOW DIRECTION: Input
IP PROTOCOL: 6
counter flows: 2
counter bytes: 56000
counter packets: 1400
timestamp first: 17:12:29.572
timestamp last: 17:30:53.196
TRNS SOURCE PORT: 22
TRNS DESTINATION PORT: 22
FLOW DIRECTION: Input
IP PROTOCOL: 6
counter flows: 1
counter bytes: 28000
counter packets: 700
timestamp first: 17:12:29.912
timestamp last: 17:30:52.168
TRNS SOURCE PORT: 25
TRNS DESTINATION PORT: 25
FLOW DIRECTION: Input
IP PROTOCOL: 6
counter flows: 2
counter bytes: 56000
counter packets: 1400
timestamp first: 17:12:29.692
timestamp last: 17:30:51.968
Example Filtering Using Multiple Filtering Criteria
The following example filters the cache data on the IPv4 destination address and the destination port:
Router# show flow monitor FLOW-MONITOR-1 cache filter ipv4 destination address regexp 172.16.10* transport destination-port 21
Cache type: Normal
Cache size: 4096
Current entries: 26
High Watermark: 26
Flows added: 241
Flows aged: 215
- Active timeout ( 1800 secs) 50
- Inactive timeout ( 15 secs) 165
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IPV4 SOURCE ADDRESS: 10.10.10.2
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT: 21
TRNS DESTINATION PORT: 21
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 17200
counter packets: 430
timestamp first: 17:03:58.071
timestamp last: 17:15:14.615
IPV4 SOURCE ADDRESS: 172.30.231.193
IPV4 DESTINATION ADDRESS: 172.16.10.2
TRNS SOURCE PORT: 21
TRNS DESTINATION PORT: 21
INTERFACE INPUT: Et0/0.1
FLOW SAMPLER ID: 0
IP TOS: 0x00
IP PROTOCOL: 6
ip source as: 0
ip destination as: 0
ipv4 next hop address: 172.16.7.2
ipv4 source mask: /0
ipv4 destination mask: /24
tcp flags: 0x00
interface output: Et1/0.1
counter bytes: 17160
counter packets: 429
timestamp first: 17:03:59.963
timestamp last: 17:15:14.887
Matched 2 flows
Example Aggregation Using Multiple Aggregation Criteria
The following example aggregates the flow monitor cache data on the destination and source IPv4 addresses:
Router# show flow monitor FLOW-MONITOR-1 cache aggregate ipv4 destination address ipv4 source address
Processed 26 flows
Aggregated to 17 flows
IPV4 SRC ADDR IPV4 DST ADDR flows bytes pkts
=============== =============== ========== ========== ==========
10.251.10.1 172.16.10.2 2 1400828 1364
192.168.67.6 172.16.10.200 1 19096 682
10.234.53.1 172.16.10.2 3 73656 2046
172.30.231.193 172.16.10.2 3 73616 2045
10.10.10.2 172.16.10.2 2 54560 1364
192.168.87.200 172.16.10.2 2 54560 1364
10.10.10.4 172.16.10.4 1 27280 682
10.10.11.1 172.16.10.5 1 27280 682
10.10.11.2 172.16.10.6 1 27280 682
10.10.11.3 172.16.10.7 1 27280 682
10.10.11.4 172.16.10.8 1 27280 682
10.1.1.1 172.16.10.9 1 27280 682
10.1.1.2 172.16.10.10 1 27280 682
10.1.1.3 172.16.10.11 1 27280 682
172.16.1.84 172.16.10.19 2 54520 1363
172.16.1.85 172.16.10.20 2 54520 1363
172.16.6.1 224.0.0.9 1 52 1
Additional References
Related Documents
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
Overview of Flexible NetFlow |
"Cisco IOS Flexible NetFlow Overview" |
|
Configuring flow exporters to export Flexible NetFlow data |
"Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters" |
|
Customizing Flexible NetFlow |
"Customizing Cisco IOS Flexible NetFlow Flow Records and Flow Monitors" |
|
Configuring flow sampling to reduce the overhead of monitoring traffic with Flexible NetFlow |
"Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic" |
|
Configuring Flexible NetFlow using predefined records |
"Configuring Cisco IOS Flexible NetFlow with Predefined Records" |
|
Configuring IPv4 multicast statistics support for Flexible NetFlow |
"Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow" |
|
Configuration commands for Flexible NetFlow |
Cisco IOS Flexible NetFlow Command Reference |
MIBs
Technical Assistance
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Flexible NetFlow Top N Talkers
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Table 2 | Feature Information for Flexible NetFlow |
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Flexible NetFlow--Top N Talkers Support |
12.2(33)SRE 12.2(50)SY 12.4(22)T 15.0(1)SY |
Helps you analyze the large amount of data Flexible NetFlow captures from the traffic in your network by providing the ability to filter, aggregate, and sort the data in the Flexible NetFlow cache as you display it. Support for this feature was added for Cisco 7200 and 7300 Network Processing Engine (NPE) series routers in Cisco IOS Release 12.2(33)SRE. The following commands were introduced or modified: show flow monitor cache aggregate, show flow monitor cache filter, show flow monitor cache sort. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.