cpatte7372
asked on
Cisco Netflow Script Interpretation
Hello Experts,
I have been evaluating a script that allows you to see top talkers in realtime.
For an explanation of the script please see attached.
I'm having a problem interpreting the output. For example, the following appears five times with different AvgBit/s values:
SRCIP            DSTIP            APPLICATION  PROT  DIRN  Start  AvgBit/s  AvgPkt/s
===============  ===============  ===========  ====  ====  =====  ========  ========
194.75.202.233   80.229.108.65    0/0          ESP   IN    07:28  111K      40
Would the correct interpretation be "at 07:28am, the AvgBit/s was 111K"?
If so, I ran the script again a few hours later and got the following:
SRCIP            DSTIP            APPLICATION  PROT  DIRN  Start  AvgBit/s  AvgPkt/s
===============  ===============  ===========  ====  ====  =====  ========  ========
194.75.202.233   80.229.108.65    0/0          ESP   IN    07:28  2.69M     296
You will notice that the time is the same, however the AvgBit/s is now 2.69M. I don't understand how the time remains the same even though I ran the script much later and the rate is now 2.69M??
I have also attached a sample showing the following addresses:
10.50.96.30 10.45.156.82 445-microsoft.
In the above sample, can someone explain why AvgBit/s was 1.95M, and later it was 239K?
Cheers
Carlton
README.txt
EXAMPLE.txt
top.txt
Yes, that should mean that is when Netflow started to see that flow again.
ASKER
Soulja
Thanks again for responding.
I have just one more question (I think :-) related to this issue.
I ran the script again at 13:17. From the output shown in the attached, would it be correct to say that all the flows shown, apart from:
194.75.202.233   80.229.108.65    0/0   ESP   IN    09:03
80.229.108.65    194.75.202.233   0/0   ESP   OUT   09:03
started at 13:17, and that there weren't any flows that had been running before 13:17?
Cheers
flows.txt
ASKER
Thanks again for getting back to me.
I wonder if you could shed some light on the following:
I ran the following command twice
show flow monitor FlowMonitor1 cache sort highest counter packets
In the first instance I got the following:
10.50.131.34 10.45.69.224 3009 161 Tu0 17 Gi0/1.10 Input 107 1 15:51:32.580
In the second instance
10.50.131.34 10.45.69.224 3009 161 Tu0 17 Gi0/1.10 Input 107 1 15:52:02.864
(please see attachment for better clarification)
Can you explain what is meant by 'time first'? If it means the time the flow was first recorded was 15:51:32.580, what does the 15:52:02.864 time represent?
Thanks mate
flowsv2.txt
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for cpatte7372's comment #a39486587
for the following reason:
Cheers
ASKER
Cheers
ASKER
Thanks for responding,
So to clarify:
If I ran the script and saw the following flow
SRCIP            DSTIP            APPLICATION  PROT  DIRN  Start  AvgBit/s  AvgPkt/s
===============  ===============  ===========  ====  ====  =====  ========  ========
194.75.202.233   80.229.108.65    0/0          ESP   IN    09:03  432K      100
and then ran the script 15 minutes later and saw the following flow:
SRCIP            DSTIP            APPLICATION  PROT  DIRN  Start  AvgBit/s  AvgPkt/s
===============  ===============  ===========  ====  ====  =====  ========  ========
194.75.202.233   80.229.108.65    0/0          ESP   IN    09:13  432K      100
does that mean that between 09:03 and 09:12:59 the flow stopped and then started again at 09:13?
Cheers
Carlton
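The two questions in this thread (why "Start" stays at 07:28 while AvgBit/s climbs, and why "time first" later changes) come down to how a NetFlow cache entry lives and dies: an entry is created when the first packet of a flow key is seen (its "time first", which the script prints as Start), its byte and packet counters grow while packets keep arriving, and it is removed when the active or inactive timeout expires (Cisco Flexible NetFlow defaults: 1800 s active, 15 s inactive). The next packet after expiry creates a fresh entry with a new time first. An average computed over the entry's lifetime (bytes × 8 / (last − first)) can therefore rise or fall between two runs while Start stays put, and a changed Start means the old entry expired and a new one was created. The script below is an added example, not the thread's top-talkers script and not Cisco code; it assumes the script averages over the entry's lifetime (the README is not on this page), and it uses a constructed, simplified row layout (src dst sport dport proto bytes packets time_first time_last) with made-up counters chosen so the averages match the figures quoted in the thread. The real `show flow monitor ... cache` columns depend on the configured flow record.

```python
"""Compare two snapshots of a NetFlow cache and classify each flow.

Added example, not code from the thread or from the poster's top-talkers
script. Row layout is a constructed simplification of Flexible NetFlow
cache output: src dst sport dport proto bytes packets time_first time_last.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: first snapshot, taken around 09:10.
SNAP1 = """
194.75.202.233 80.229.108.65  0     0   50 84915000   244800  07:28:00.000 09:10:00.000
80.229.108.65  194.75.202.233 0     0   50 22680000   42000   09:03:00.000 09:10:00.000
10.50.96.30    10.45.156.82   49152 445 6  14625000   12000   09:09:00.000 09:10:00.000
"""

# Constructed sample: second snapshot, taken around 11:28.
SNAP2 = """
194.75.202.233 80.229.108.65  0     0   50 4842000000 4262400 07:28:00.000 11:28:00.000
80.229.108.65  194.75.202.233 0     0   50 437400000  810000  09:13:00.000 11:28:00.000
10.50.96.30    10.45.156.82   49152 445 6  249157500  166800  09:09:00.000 11:28:00.000
10.50.131.34   10.45.69.224   3009  161 17 107        1       11:27:00.000 11:27:00.000
"""


@dataclass
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    byte_count: int
    packet_count: int
    first: datetime   # cache entry created ("time first", the script's Start)
    last: datetime    # entry last saw a packet ("time last")

    @property
    def key(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def duration(self) -> float:
        dur = (self.last - self.first).total_seconds()
        return dur if dur > 0 else 1.0   # single-packet entry: avoid /0

    def avg_bits_per_sec(self) -> float:
        # Assumption: the script averages over the entry's whole lifetime.
        return self.byte_count * 8 / self.duration()

    def avg_pkts_per_sec(self) -> float:
        return self.packet_count / self.duration()


def human(rate: float) -> str:
    """Format like the script's AvgBit/s column (111K, 2.69M)."""
    if rate >= 1e6:
        return f"{rate / 1e6:.2f}M"
    if rate >= 1e3:
        return f"{rate / 1e3:.0f}K"
    return f"{rate:.0f}"


def parse_cache(text: str, day: str) -> dict:
    """Parse rows into a dict keyed by the 5-tuple; 'day' supplies the date."""
    flows = {}
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 9:
            continue   # skip headers, separators and truncated rows
        ts = lambda s: datetime.strptime(f"{day} {s}", "%Y-%m-%d %H:%M:%S.%f")
        rec = FlowRecord(f[0], f[1], int(f[2]), int(f[3]), int(f[4]),
                         int(f[5]), int(f[6]), ts(f[7]), ts(f[8]))
        flows[rec.key] = rec
    return flows


def compare(old: dict, new: dict) -> dict:
    """Classify each flow in the later snapshot against the earlier one.

    continued: same cache entry (same time first, counters did not go
               backwards), so Start is unchanged although the averages move.
    restarted: the entry expired (active/inactive timeout) and a fresh one
               was created, so Start jumps to the new time first.
    new:       key absent from the earlier snapshot.
    """
    verdict = {}
    for key, rec in new.items():
        prev = old.get(key)
        if prev is None:
            verdict[key] = "new"
        elif rec.first == prev.first and rec.byte_count >= prev.byte_count:
            verdict[key] = "continued"
        else:
            verdict[key] = "restarted"
    return verdict


if __name__ == "__main__":
    old = parse_cache(SNAP1, "2013-09-12")   # constructed date
    new = parse_cache(SNAP2, "2013-09-12")
    for key, verdict in compare(old, new).items():
        before = human(old[key].avg_bits_per_sec()) if key in old else "-"
        after = human(new[key].avg_bits_per_sec())
        print(f"{key[0]:>15} -> {key[1]:<15} start {new[key].first:%H:%M} "
              f"{before:>6} -> {after:<6} {verdict}")
```

Run as-is, the ESP IN flow is reported as "continued" with its average rising from 111K to 2.69M under an unchanged 07:28 Start, the SMB flow to port 445 is "continued" with its average falling from 1.95M to 239K (the counters grew, but more slowly than the lifetime), the ESP OUT flow is "restarted" because its Start moved from 09:03 to 09:13, and the single-packet SNMP poll to port 161 is "new". The same rule applies to the `show flow monitor` rows in the thread: two rows for one key with different time first values and identical tiny counters are two separate cache entries, one per poll, not one entry with a shifting start.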