This is a short article on the NetFlow “top-talkers” CLI feature, which I didn’t know about before today. NetFlow is a tool for monitoring traffic flows, it’s particulalry handy when you’re trying to find out what host or protocol is saturating a network. Obviously the pretty GUI NetFlow collectors are better for many things, but the CLI method can be really helpful if you’re looking for something quickly. Here’s the config:

Here’s the config from my outside interface.

interface FastEthernet0/0
 description OUTSIDE
 ip address xx.xx.29.218 255.255.255.248
 ip flow ingress
 ip flow egress

I’ve enabled NetFlow with the “ip flow” commands.

Here are the commands to enable the “top-talkers” feature at the CLI.

EDGE(config)#ip flow-top-talkers
EDGE(config-flow-top-talkers)# top 25
EDGE(config-flow-top-talkers)# sort-by bytes
EDGE(config-flow-top-talkers)# cache-timeout 5000
EDGE(config-flow-top-talkers)#^Z

Pretty simple, we’ve set how many conversations to show, then we can sort by bytes or packets, finally we set our timeout (in milliseconds).

Now we’ll look at the show command:

EDGE#sh ip flow top-talkers
 
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Fa0/1         xx.xx.29.221    Fa0/0*        212.84.105.94   06 F6B9 9C40    77K
Fa0/1         xx.xx.29.218    Fa0/0*        66.194.235.133  06 01BB EF24    12K
Fa0/1         xx.xx.29.221    Fa0/0*        85.24.163.125   06 7F23 EC43    10K
Fa0/1         xx.xx.29.221    Fa0/0*        114.89.235.172  06 7F23 0CB7  9216
Fa0/0         72.211.212.180  Fa0/1         xx.xx.29.221    06 EC74 7F23  5088
Fa0/0         66.194.235.133  Fa0/1         xx.xx.29.218    06 EF24 01BB  2680
Fa0/0         121.127.209.73  Fa0/1         xx.xx.29.221    06 0E20 7F23  2297
Fa0/1         xx.xx.29.221    Fa0/0*        121.127.209.73  06 7F23 0E20  2162
Fa0/0         87.194.215.124  Fa0/1         xx.xx.29.221    06 C220 7F23  2100
Fa0/1         xx.xx.29.221    Fa0/0*        87.194.215.124  06 7F23 C220  2072
Local         xx.xx.29.218    Fa0/0*        70.71.239.87    32 033B B7EC  2000
Fa0/0         88.193.80.142   Fa0/1         xx.xx.29.221    06 D788 7F23  1838
Fa0/1         xx.xx.29.221    Fa0/0*        88.193.80.142   06 7F23 D788  1832
Fa0/1         xx.xx.29.221    Fa0/0*        70.64.13.242    06 7F23 F5BC  1717
Fa0/0         212.84.105.94   Fa0/1         xx.xx.29.221    06 9C40 F6B9  1276
Fa0/0         70.64.13.242    Fa0/1         xx.xx.29.221    06 F5BC 7F23  1067
Fa0/1         xx.xx.29.218    Fa0/0*        74.125.67.149   06 1853 0050   872
Fa0/1         xx.xx.29.221    Fa0/0*        217.145.245.245 06 7F23 8736   868
Fa0/0         70.177.163.148  Local         xx.xx.29.218    2F 0000 0000   816
Fa0/0         24.11.68.215    Fa0/1         xx.xx.29.221    06 DABF 7F23   767
Fa0/0         81.234.172.49   Fa0/1         xx.xx.29.221    06 08A8 7F23   617
Tu103         xx.xx.29.218    Fa0/0*        65.120.117.126  32 0CED D9C9   616
Fa0/0         74.125.67.149   Fa0/1         xx.xx.29.218    06 0050 1853   594
Fa0/1         xx.xx.29.221    Fa0/0*        81.234.172.49   06 7F23 08A8   499
Fa0/0         85.68.237.69    Fa0/1         xx.xx.29.221    06 1F37 C0E5   372

The output isn’t the greatest, the ports are in hex, but it is still very useful when you’re looking for something on the fly.

That’s it for this one.

Colby

Colby Glass has been in IT since 2002. He is currently a Systems Engineer (presales) with a Cisco Gold partner and holds the CCNP R/S, CCNP DC, CCDP, CCIP, JNCIA-ER.

More Posts