Cisco Flexible Netflow (FNF) - "Top Talkers" Commands

From Tech-Wiki
Revision as of 05:07, 22 February 2013 by Jebr (Talk | contribs) (Using FNF Top N Talkers to analyse network traffic)

Jump to: navigation, search

General commands to show the FNF setup

show run flow exporter
show run flow monitor
show run flow record
show flow interface
show flow exporter
show flow monitor
show flow record

Using FNF Top N Talkers to analyse network traffic

No configuration tasks are associated with the Flexible NetFlow Top N Talkers Support feature - show commands only. There are three basic commands that can be used individually or combined to filter, aggregate and sort the flow monitor cache. The aggregate command aggregates the flow monitor cache data with a different record than the cache was created with. Note, when the top keyword is not used with a sort, the default number of sorted flows shown is 20.

show flow monitor <MONITOR NAME> cache filter options [regexp regexp] [...options [regexp regexp [format {csv | record | table}]
show flow monitor [name] monitor-name cache aggregate {options [...options] [collect options [...options]] | record record-name} [format {csv | record | table}]
show flow monitor [name] monitor-name cache sort options [top [number]][format {csv | record | table}]

Example Filter - filters the flow monitor cache data on the IPv4 type of service (ToS) value:

show flow monitor <MONITOR NAME> cache filter ipv4 tos regexp 0x(C0|50)

Example Aggreagate - Aggregates the flow monitor cache data on the IPv4 destination address and displays the cache data for the IPv4 protocol type and input interface nonkey fields:

show flow monitor <MONITOR NAME> cache aggregate ipv4 destination address collect ipv4 protocol interface input

Example Sort - Displays the cache data sorted on the number of packets from highest to lowest and limits the output to the three highest volume flows Displaying the Top N Talkers with Sorted Flow Data:

show flow monitor <MONITOR NAME> cache sort highest counter packets top 3

More complex examples

The following example combines filtering, aggregation, collecting additional field data, sorting the flow monitor cache data, and limiting the display output to a specific number of high volume flows (top talkers).

show flow monitor <MONITOR NAME> cache filter ipv4 protocol regexp (1|6)aggregate ipv4 destination address collect ipv4 protocol sort counter bytes top 4

The following example combines filtering using a regular expression, aggregation using a predefined record, sorting the flow monitor cache data, limiting the display output to a specific number of high volume flows (top talkers), and displaying the output in record format.

show flow monitor <MONITOR NAME> cache filter ipv4 source address regexp 10.* aggregate record netflow ipv4 protocol-port sort transport destination-port top 5 format record 

Example Filtering Using Multiple Filtering Criteria The following example filters the cache data on the IPv4 destination address and the destination port:

show flow monitor <MONITOR NAME> cache filter ipv4 destination address regexp 172.16.10* transport destination-port 21

Example Aggregation Using Multiple Aggregation Criteria The following example aggregates the flow monitor cache data on the destination and source IPv4 addresses:

show flow monitor <MONITOR NAME> cache aggregate ipv4 destination address ipv4 source address