Using Netflow

General info, OUTPUT-101 2 Minutes

Ever needed to track specific flow of information or find out what ports a application is using, or verify if your QOS is working correctly? Cisco Netflow is the answer.

NetFlow is a Cisco IOS application that provides a rich set of traffic statistics on packets flowing through the router, both ingress and egress. A NetFlow network flow is defined as a unidirectional stream of packets between a given source and destination. These key fields/statistics define a unique flow:

  • Source IP address
  • Destination IP address
  • Source port number
  • Destination port number
  • Layer 3 protocol type
  • Type of service (ToS)
  • Input logical interface

If a packet has one key field different from another packet, it is considered to belong to another flow. Flows are stored in the NetFlow cache and does does consumes additional memory, but generally this is not to much of a problem. Netflow data could be exported, but here I’ll show how to use it on CLI and how to interpret it.

First you will have to enable netflow on EACH interfaces you expect to see the traffic
On IOS Prior to 12.4(2)T:
#int fa0/0
#ip route-cache flow

On IOS 12.4(2)T and later:
#int fa0/0
#ip flow ingress

Once enabled, use this command to verify that NetFlow is operational, and to display a summary of the NetFlow statistics.
#sh ip cache flow

The following omitted output will show traffic passing via interface Serial 6/1:9

cache5The fields in the output explained:

  • SrcIf –will be the Ingress or Receiving interface on this router for a particular flow.
  • SrcIPaddress – is the Source IP address of  the flow.
  • DstIf – will be the Egress or Exit interface on this router for a particular flow
  • DstIPaddress – is the Destination IP address of the flow.
  • Pr – Protocol Field : Displays the Protocol Number for the flow in HEX.    From the output:
    • 01 in hex = 1 in decimal which is ICMP,
    • 06 in hex = 6 in decimal which is TCP,
    • 11 in hex = 17 in decimal which is UDP etc.
  • SrcP & DstP – Displays the Source and Destination TCP or UDP Port Numbers in HEX.    From the output:
    • 0089 in hex = 137 in decimal which is Microsoft Netbios-NS
    • 0050 in hex = 80 in decimal which is HTTP
  • Pkts – Amount of Packets in that flow.

Knowing how to use this output could be very usual.
The following output for example shows the IP 172.16.164.246 pinging 172.20.1.54 in the bottom flow and the echo-reply in the top flow:

cache6

Advertisement

Published by Ruhann

Just another Network Engineer.

Published

Please leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.