Cisco Netflow Script Interpretation

Hello Experts,
 
I have been evaluating a script that allows you to see top talkers in realtime.
 
For an explanation of the script please see attached.
 
I'm having a problem interpreting the output. For example, the following appears five times with different AvgBits/s
 
 
SRCIP           DSTIP           APPLICATION   PROT   DIRN Start  AvgBit/s AvgPkt/s
===================================================================================
194.75.202.233  80.229.108.65   0/0           ESP    IN   07:28    111K     40
 
Would the correct interpretation be, 'at 07:28am, the AvgBit/s was 111K'?
 
If so, I ran the script again a few hours later and got the following:
 
SRCIP           DSTIP           APPLICATION   PROT   DIRN Start  AvgBit/s AvgPkt/s
===================================================================================
194.75.202.233  80.229.108.65   0/0           ESP    IN   07:28   2.69M    296
 
You will notice that the time is the same, however the AvgBit/s is now 2.69M. I don't understand how the time remains the same, even though I ran the script much later and the AvgBit/s is now 2.69M?
 
 
I have also attached a sample showing the following addresses:
 
10.50.96.30     10.45.156.82    445-microsoft.
 
In the above sample, can someone explain why AvgBit/s was 1.95M, and later it was 239K?
 
 
Cheers
 
Carlton
README.txt
EXAMPLE.txt
top.txt
cpatte7372Asked:

Soulja53 6F 75 6C 6A 61 Commented:
Would the correct interpretation be, 'at 07:28am, the AvgBits/s was 111K?

I think it would be better to say that the connection started at 7:28. The average bits increased as data was transmitted in that connection. That is why it's 2.69M later.

cpatte7372Author Commented:
soulja,

Thanks for responding,

So to clarify.
 
If I ran the script and I saw the following flow
 
SRCIP           DSTIP           APPLICATION   PROT   DIRN Start  AvgBit/s AvgPkt/s
===================================================================================
194.75.202.233  80.229.108.65   0/0           ESP    IN   09:03    432K    100
 
And then I ran the script 15mins later and I saw the following flow:
 
SRCIP           DSTIP           APPLICATION   PROT   DIRN Start  AvgBit/s AvgPkt/s
===================================================================================
194.75.202.233  80.229.108.65   0/0           ESP    IN   09:13    432K    100
 
Does that mean that between 09:03 and 09:12:59 the flow stopped and started again at 09:13?
 
Cheers
 
Carlton
Soulja53 6F 75 6C 6A 61 Commented:
Yes, that should mean that is when Netflow started to see that flow again.
cpatte7372Author Commented:
Soulja

Thanks again for responding.

I have just one more question (I think :-) related to this issue.

I ran the script again at 13:17. From the output shown in the attached, would it be correct to say that all the flows shown, apart from:

194.75.202.233  80.229.108.65   0/0           ESP    IN   09:03  
 80.229.108.65   194.75.202.233  0/0           ESP    OUT  09:03

started at 13:17, and there weren't any flows that had been running before 13:17?

Cheers
flows.txt
cpatte7372Author Commented:
Thanks again for getting back to me.
 
I wonder if you could shed some light on the following:
 
I ran the following command twice
 
show flow monitor FlowMonitor1 cache sort highest counter packets
 
In the first instance I got the following:
 
 
10.50.131.34     10.45.69.224              3009            161  Tu0                        17  Gi0/1.10              Input             107           1  15:51:32.580
 
In the second instance
 
10.50.131.34     10.45.69.224              3009            161  Tu0                        17  Gi0/1.10              Input             107           1  15:52:02.864
 
(please see attachment for better clarification)
 
Can you explain what is meant by 'time first'? If it means the time the first flow was recorded was 15:51:32.580, what does the 15:52:02.864 time represent?
 
Thanks mate
flowsv2.txt
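The two behaviours discussed in this thread, Soulja's point that Start is the time the flow was first seen while AvgBit/s keeps changing for as long as packets arrive, and the 'time first' question about the two `show flow monitor ... cache` entries 30 seconds apart, both follow from how a NetFlow cache keeps one entry per flow with a first-packet and last-packet timestamp and ages an entry out once it has been idle longer than the inactive timeout (Cisco's default is 15 s). The toy cache below is an added example written for this page; it is not the poster's top-talkers script and not Cisco code. It assumes the script reports AvgBit/s and AvgPkt/s as the entry's byte and packet totals divided by its duration so far, and the packet timings and sizes it feeds in are constructed, with the SNMP pair mirroring the two 107-byte UDP/161 packets at 15:51:32.580 and 15:52:02.864 from the question.

```python
"""Toy NetFlow-style flow cache (added example, not the poster's script or Cisco code).

Shows (a) why a top-talkers row keeps its Start time while AvgBit/s changes as
long as packets keep arriving, and (b) why a flow that is idle longer than the
inactive timeout comes back as a fresh entry with a new 'time first'."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed timer: Cisco's default inactive timeout is 15 s.  Real caches also have
# an active timeout (default 30 min) that splits long-lived flows into several
# exported records; it is left out to keep the model short.
INACTIVE_TIMEOUT = timedelta(seconds=15)


@dataclass
class FlowEntry:
    src: str
    dst: str
    proto: str
    first: datetime          # 'time first': first packet seen for this entry
    last: datetime           # most recent packet seen for this entry
    bytes: int = 0
    packets: int = 0

    def duration(self) -> float:
        # A one-packet flow has zero duration; clamp to 1 s to avoid dividing by zero.
        return max((self.last - self.first).total_seconds(), 1.0)

    # Assumption: AvgBit/s and AvgPkt/s are running totals divided by the duration
    # so far, so they only move while the entry is still receiving packets.
    def avg_bits(self) -> float:
        return self.bytes * 8 / self.duration()

    def avg_pkts(self) -> float:
        return self.packets / self.duration()


class FlowCache:
    def __init__(self) -> None:
        self.active: dict[tuple, FlowEntry] = {}
        self.expired: list[FlowEntry] = []   # entries that aged out (would be exported)

    def _age_out(self, now: datetime) -> None:
        for key, entry in list(self.active.items()):
            if now - entry.last > INACTIVE_TIMEOUT:
                self.expired.append(self.active.pop(key))

    def packet(self, ts: datetime, src: str, dst: str, proto: str, size: int) -> FlowEntry:
        """Account one packet; if the flow's entry already aged out, a new entry starts."""
        self._age_out(ts)
        key = (src, dst, proto)
        entry = self.active.get(key)
        if entry is None:
            entry = FlowEntry(src, dst, proto, first=ts, last=ts)
            self.active[key] = entry
        entry.last = ts
        entry.bytes += size
        entry.packets += 1
        return entry

    def snapshot(self, now: datetime) -> list[dict]:
        """What a top-talkers run at `now` would print; Start is the entry's first-packet time."""
        self._age_out(now)
        return [
            {"src": e.src, "dst": e.dst, "proto": e.proto,
             "start": e.first.strftime("%H:%M"),
             "time_first": e.first.strftime("%H:%M:%S.%f")[:-3],
             "avg_bits": e.avg_bits(), "avg_pkts": e.avg_pkts()}
            for e in self.active.values()
        ]


def esp_demo() -> tuple[dict, dict]:
    """Constructed traffic: the ESP flow sends a 100-byte packet every second for a
    minute, then a 1000-byte packet every second for another minute.  Both runs
    show Start 07:28; only the averages differ."""
    cache = FlowCache()
    t0 = datetime(2013, 9, 1, 7, 28, 0)
    for i in range(61):                      # 07:28:00 .. 07:29:00
        cache.packet(t0 + timedelta(seconds=i), "194.75.202.233", "80.229.108.65", "ESP", 100)
    first_run = cache.snapshot(t0 + timedelta(seconds=60))[0]
    for i in range(61, 121):                 # 07:29:01 .. 07:30:00
        cache.packet(t0 + timedelta(seconds=i), "194.75.202.233", "80.229.108.65", "ESP", 1000)
    second_run = cache.snapshot(t0 + timedelta(seconds=120))[0]
    return first_run, second_run


def snmp_demo() -> tuple[list[FlowEntry], list[dict]]:
    """Constructed traffic mirroring the thread's two 107-byte UDP/161 packets 30 s
    apart: the gap exceeds the inactive timeout, so the second packet opens a new
    entry with its own 'time first' instead of extending the old one."""
    cache = FlowCache()
    cache.packet(datetime(2013, 9, 1, 15, 51, 32, 580000), "10.50.131.34", "10.45.69.224", "UDP", 107)
    cache.packet(datetime(2013, 9, 1, 15, 52, 2, 864000), "10.50.131.34", "10.45.69.224", "UDP", 107)
    return cache.expired, cache.snapshot(datetime(2013, 9, 1, 15, 52, 3))


if __name__ == "__main__":
    a, b = esp_demo()
    print(f"run 1: Start {a['start']}  AvgBit/s {a['avg_bits']:.0f}  AvgPkt/s {a['avg_pkts']:.2f}")
    print(f"run 2: Start {b['start']}  AvgBit/s {b['avg_bits']:.0f}  AvgPkt/s {b['avg_pkts']:.2f}")
    gone, now = snmp_demo()
    print("aged out:", [e.first.strftime("%H:%M:%S.%f")[:-3] for e in gone])
    print("in cache:", [row["time_first"] for row in now])
```

The same model explains the 09:03 / 09:13 case earlier in the thread: a flow with no packets for longer than the inactive timeout is aged out, and when traffic resumes the next run prints a new Start. Whether the long-lived ESP flow really keeps a single 07:28 Start for hours depends on the active timeout and on how the attached script treats the records a long flow is split into, which the page does not show.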
cpatte7372Author Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for cpatte7372's comment #a39486587

for the following reason:

Cheers
cpatte7372Author Commented:
Cheers