What is the purpose of finding Top Talkers?
To identify the source/destination IPs that are generating the most traffic or using the most bandwidth at the time the bandwidth is being choked.
(Ex. DoS attacks, abnormally high bandwidth utilisation by applications, etc.)
How to find Top Talkers?
Step 1: Set the terminal length to 0 (terminal length 0) so the output is not paged.
Step 2: Start logging in your SSH/Telnet client (e.g. PuTTY, SecureCRT).
Step 3: Enter the "show ip cache flow" command. (Its output can be filtered to the traffic of interest, e.g. show ip cache flow | include "IP address".)
Step 4: Stop logging.
Step 5: Copy the output of this command from the log file and paste it into a new Excel sheet.
Step 6: Select the whole column into which the data was pasted.
Step 7: Click Text to Columns under the Data tab.
Step 8: Select Fixed Width and click Next.
Step 9: Click Next, Next, and Finish. (The data will now be split into columns.)
Step 10: Select the first row and click Filter under the Data tab.
Step 11: Open the filter menu on the Pkts column and click "Sort Largest to Smallest".
Step 12: The Top Talker list is now ready.
Step 13: Based on this list, we can proceed with blocking the whole IP or the particular port consuming the higher bandwidth; we can also proceed further with troubleshooting the security features in the firewall, and enable the shun command in the firewall to avoid CPU utilisation as well.
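The same sort that the Excel steps perform, done as a script. This is an added example, not the author's code: it parses the flow record lines of "show ip cache flow" output (the two-line record format from the Cisco reference further down, with the one-line "Pr SrcP DstP Pkts" format also handled) and ranks addresses by packets or by bytes. The sample lines are copied from the reference output on this page.

```python
import re
from collections import defaultdict

# Flow record lines copied from the show ip cache flow example in the
# Cisco reference on this page (two-line record format, one flow per pair).
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et1/1 52.52.52.1 Fd4/0 42.42.42.1 01 55 10 3748
0000 /8 50 0000 /8 40 202.120.130.2 28 17.8
Et1/2 52.52.52.1 Fd4/0 42.42.42.1 01 CC 10 3568
0000 /8 50 0000 /8 40 202.120.130.2 28 17.8
Et1/2 10.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1124
0000 /0 0 0000 /8 40 202.120.130.2 28 17.8
Et1/1 50.50.50.1 Local 31.31.31.1 06 C0 18 2
00B3 /32 0 2AF8 /32 0 0.0.0.0 49 10.1
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_flows(text):
    """Yield one dict per flow record; headers, size distribution and
    cache statistics lines are skipped because they carry no IP pair."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(rows):
        f = rows[i]
        i += 1
        # A record line is: SrcIf SrcIP DstIf DstIP Pr ... Pkts (8 fields)
        if len(f) != 8 or not (IP_RE.match(f[1]) and IP_RE.match(f[3])):
            continue
        rec = {"src_if": f[0], "src": f[1], "dst_if": f[2], "dst": f[3],
               "proto": int(f[4], 16), "pkts": int(f[7]), "bytes": None}
        nxt = rows[i] if i < len(rows) else []
        if len(nxt) == 9 and nxt[1].startswith("/"):   # two-line format
            i += 1
            rec["src_port"], rec["dst_port"] = int(nxt[0], 16), int(nxt[3], 16)
            rec["bytes"] = rec["pkts"] * int(nxt[7])    # Pkts x B/Pk
        else:                                           # one-line format
            rec["src_port"], rec["dst_port"] = int(f[5], 16), int(f[6], 16)
        yield rec

def top_talkers(text, key="src", by="pkts", n=10):
    """Sum pkts (or bytes) per address in column `key`, ranked descending."""
    totals = defaultdict(int)
    for rec in parse_flows(text):
        if rec[by] is not None:      # one-line records carry no byte count
            totals[rec[key]] += rec[by]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
```

Sorting on Pkts ranks by packet count; a flow of a few large packets can use more bandwidth than many small ones, so ranking by bytes (Pkts multiplied by the B/Pk column) is the better bandwidth measure when the two-line output is available.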
More about show ip cache flow
Cisco reference:
show ip cache flow
To display a summary of the NetFlow switching statistics, use the show ip cache flow command in EXEC mode.
show ip cache [prefix mask] [type number] [verbose] flow
Syntax Description
Command Modes
EXEC
Command History
Release | Modification |
---|---|
11.1 | This command was introduced. |
11.1 CA | The information display for the command was updated. |
Usage Guidelines
On platforms running Distributed Cisco Express Forwarding (dCEF), NetFlow cache information is maintained on each line card or Versatile Interface Processor. To display this information on a distributed platform by use of the show ip cache flow command, you must enter the command at a line card prompt.
Displaying NetFlow Cache Information on a Distributed Cisco 7500 Series Platform
To display NetFlow cache information using the show ip cache flow command on a Cisco 7500 series router that is running dCEF, enter the following sequence of commands:
Router# if-con slot-number
LC-slot-number# show ip cache [prefix mask] [type number] [verbose] flow
Displaying NetFlow Cache Information on a Distributed Cisco 12000 Series Platform
To display NetFlow cache information using the show ip cache flow command on a Cisco 12000 Series Internet router, you enter the following sequence of commands:
Router# attach slot-number
LC-slot-number# show ip cache [prefix mask] [type number] [verbose] flow
Examples
The following is an example display of a main cache using the show ip cache flow command:
Router# show ip cache flow
IP packet size distribution (230151 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.999 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
The output above shows the percentage distribution of packets by size range. In this display, 99.9 percent of the packets fall in the size range from 1 to 32 bytes.
IP Flow Switching Cache, 4456448 bytes
65509 active, 27 inactive, 820628747 added
955454490 ager polls, 0 flow alloc failures
Exporting flows to 1.1.15.1 (2057)
820563238 flows exported in 34485239 udp datagrams, 0 failed
last clearing of statistics 00:00:03
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-BGP 71 0.0 1 49 0.0 2.5 15.8
UDP-other 17 0.0 1 328 0.0 0.0 15.7
ICMP 18966 6.7 10 28 72.9 0.1 22.9
Total: 19054 6.7 10 28 72.9 0.1 22.9
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et1/1 52.52.52.1 Fd4/0 42.42.42.1 01 55 10 3748
0000 /8 50 0000 /8 40 202.120.130.2 28 17.8
Et1/2 52.52.52.1 Fd4/0 42.42.42.1 01 CC 10 3568
0000 /8 50 0000 /8 40 202.120.130.2 28 17.8
Et1/2 10.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1124
0000 /0 0 0000 /8 40 202.120.130.2 28 17.8
Et1/2 11.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1157
0000 /0 0 0000 /8 40 202.120.130.2 28 17.7
Et1/2 14.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1149
0000 /0 0 0000 /8 40 202.120.130.2 28 17.8
Et1/2 15.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1127
0000 /0 0 0000 /8 40 202.120.130.2 28 17.7
Et1/2 12.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1204
0000 /0 0 0000 /8 40 202.120.130.2 28 17.8
Et1/2 13.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1159
0000 /0 0 0000 /8 40 202.120.130.2 28 17.8
Et1/2 18.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1223
0000 /0 0 0000 /8 40 202.120.130.2 28 17.8
Et1/2 19.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1264
0000 /0 0 0000 /8 40 202.120.130.2 28 17.8
Et1/2 16.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1170
0000 /0 0 0000 /8 40 202.120.130.2 28 17.8
Et1/2 17.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1167
0000 /0 0 0000 /8 40 202.120.130.2 28 17.8
Et1/2 22.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1193
0000 /0 0 0000 /8 40 202.120.130.2 28 17.8
Et1/2 23.1.3.2 Fd4/0 42.42.42.1 01 C0 10 1212
0000 /0 0 0000 /8 40 202.120.130.2 28 17.7
Et1/1 50.50.50.1 Local 31.31.31.1 06 C0 18 2
00B3 /32 0 2AF8 /32 0 0.0.0.0 49 10.1
The following shows sample output from the show ip cache prefix mask flow command:
Router# show ip cache 10.0.0.1 256.0.0.0 flow
IP packet size distribution (25 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
The output above shows the percentage distribution of packets by size range. In this display, 100 percent of the packets fall in the 128-byte range.
IP Flow Switching Cache, 4456704 bytes
1 active, 65535 inactive, 5 added
68 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
ICMP 4 0.0 5 100 0.0 0.0 15.2
Total: 4 0.0 5 100 0.0 0.0 15.2
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et1/2 10.0.0.2 Local 10.0.0.1 01 0000 0800 5
The following shows sample output from the show ip cache type number flow command:
Router# show ip cache e1/2 flow
IP packet size distribution (30 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
1 active, 65535 inactive, 6 added
85 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
ICMP 5 0.0 5 100 0.0 0.0 15.1
Total: 5 0.0 5 100 0.0 0.0 15.1
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et1/2 10.0.0.2 Local 10.0.0.1 01 0000 0800 5
Table 22 describes the significant fields shown in the flow switching cache lines of the displays.
Table 23 describes the significant fields shown in the activity by protocol lines of the display.
Table 24 describes the significant fields in the NetFlow record lines of the displays:
The following shows sample output from the show ip cache verbose flow command for interface e1/2 on 10.0.0.1 255.0.0.0:
Router# show ip cache 10.0.0.1 255.0.0.0 e1/2 verbose flow
IP packet size distribution (35 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
The output above shows the percentage distribution of packets by size range. In this display, 100 percent of the packets fall in the 138-byte size range.
IP Flow Switching Cache, 4456704 bytes
1 active, 65535 inactive, 7 added
99 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
ICMP 6 0.0 5 100 0.0 0.0 15.2
Total: 6 0.0 5 100 0.0 0.0 15.2
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
Et1/2 10.0.0.2 Local 10.0.0.1 01 00 10 5
0000 /8 0 0800 /8 0 0.0.0.0 100 0.0
Table 25 describes the significant fields in the NetFlow record lines of the display.
Related Commands
Command | Description |
---|---|
clear ip flow stats | Clears the NetFlow switching statistics. |
ip route-cache | Configures the router to export the flow cache entry to a workstation when a flow expires. |
Comments welcome @ narendren.s@gmail.com
FYI - NetFlow is a CPU-consuming process, just like the debug command.
So, be cautious before applying these commands.