Cisco Flexible Netflow (FNF) - "Top Talkers" Commands
General commands to show the FNF setup
show run flow exporter
show run flow monitor
show run flow record
show flow interface
show flow exporter
show flow monitor
show flow record
Using FNF Top N Talkers to analyse network traffic
No configuration tasks are associated with the Flexible NetFlow Top N Talkers Support feature; it uses show commands only. There are three basic commands that can be used individually or combined to filter, aggregate and sort the flow monitor cache. The aggregate command aggregates the flow monitor cache data using a different record than the one the cache was created with.
Note: When the top keyword is not used with a sort, the default number of sorted flows shown is 20.
show flow monitor <MONITOR NAME> cache filter options [regexp regexp] [...options [regexp regexp]] [format {csv | record | table}]
show flow monitor [name] monitor-name cache aggregate {options [...options] [collect options [...options]] | record record-name} [format {csv | record | table}]
show flow monitor [name] monitor-name cache sort options [top [number]] [format {csv | record | table}]
Example Filter - filters the flow monitor cache data on the IPv4 type of service (ToS) value:
show flow monitor <MONITOR NAME> cache filter ipv4 tos regexp 0x(C0|50)
Example Aggregate - Aggregates the flow monitor cache data on the IPv4 destination address and displays the cache data for the IPv4 protocol type and input interface nonkey fields:
show flow monitor <MONITOR NAME> cache aggregate ipv4 destination address collect ipv4 protocol interface input
Example Sort - Displays the cache data sorted on the number of packets from highest to lowest and limits the output to the three highest-volume flows (the top N talkers):
show flow monitor <MONITOR NAME> cache sort highest counter packets top 3
More complex examples
The following example combines filtering, aggregation, collecting additional field data, sorting the flow monitor cache data, and limiting the display output to a specific number of high volume flows (top talkers).
show flow monitor <MONITOR NAME> cache filter ipv4 protocol regexp (1|6) aggregate ipv4 destination address collect ipv4 protocol sort counter bytes top 4
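An offline Python model of the combined command above, added here as an illustration (it is not Cisco code or device output). The cache entries are constructed, and two behaviours are assumptions: the regexp is applied as an unanchored search, and sort counter bytes orders highest first.

```python
import re
from collections import defaultdict

# Constructed sample cache entries (not captured from a device):
# (source address, destination address, IP protocol, bytes)
CACHE = [
    ("10.1.1.5", "172.16.10.2", 6, 48000),
    ("10.1.1.6", "172.16.10.2", 6, 12000),
    ("10.1.1.5", "172.16.10.9", 1, 840),
    ("10.2.0.7", "172.16.20.4", 17, 90000),
    ("10.2.0.8", "172.16.30.1", 6, 5000),
    ("10.2.0.8", "172.16.40.1", 6, 7000),
    ("10.3.0.1", "172.16.50.1", 1, 300),
]


def top_talkers(cache, proto_regexp, top):
    """Model: filter ipv4 protocol regexp <re> aggregate ipv4 destination
    address collect ipv4 protocol sort counter bytes top <n>."""
    pattern = re.compile(proto_regexp)
    # filter: keep flows whose protocol field matches the pattern.
    # Assumption: unanchored search, so "(1|6)" also matches "17".
    kept = [flow for flow in cache if pattern.search(str(flow[2]))]

    # aggregate: the destination address becomes the only key and the byte
    # counters of the merged flows are summed.
    # collect: the protocol rides along as a nonkey field; this model keeps
    # every value seen (a modelling choice, not device behaviour).
    agg = defaultdict(lambda: {"bytes": 0, "protocols": set()})
    for _src, dst, proto, nbytes in kept:
        agg[dst]["bytes"] += nbytes
        agg[dst]["protocols"].add(proto)

    # sort + top: order by byte count (assumed highest first), keep <n> rows.
    ranked = sorted(agg.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(dst, v["bytes"], sorted(v["protocols"])) for dst, v in ranked[:top]]


if __name__ == "__main__":
    for pattern in ("(1|6)", "^(1|6)$"):
        print(pattern)
        for row in top_talkers(CACHE, pattern, 4):
            print("  ", row)
```

Under the unanchored assumption the UDP flow (protocol 17) passes the (1|6) filter and ranks first; if the device matches the same way, anchoring the pattern as ^(1|6)$ restricts the result to ICMP and TCP.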
The following example combines filtering using a regular expression, aggregation using a predefined record, sorting the flow monitor cache data, limiting the display output to a specific number of high volume flows (top talkers), and displaying the output in record format.
show flow monitor <MONITOR NAME> cache filter ipv4 source address regexp 10.* aggregate record netflow ipv4 protocol-port sort transport destination-port top 5 format record
Example Filtering Using Multiple Filtering Criteria
The following example filters the cache data on the IPv4 destination address and the destination port:
show flow monitor <MONITOR NAME> cache filter ipv4 destination address regexp 172.16.10* transport destination-port 21
Example Aggregation Using Multiple Aggregation Criteria
The following example aggregates the flow monitor cache data on the destination and source IPv4 addresses:
show flow monitor <MONITOR NAME> cache aggregate ipv4 destination address ipv4 source address