I got a request from a friend to describe the Netflow top talkers feature.
Netflow is a Cisco proprietary protocol that is used to see which
protocols are used in your network and how much traffic they are generating.

Netflow uses a tuple of source IP, destination IP, source port number,
destination port number and protocol number to define a session. Based on
this, we can use the top talkers feature to see which IPs are generating
the most traffic in our network.

To demonstrate this, I have set up a really simple network with two routers,
R1 and R2. They are running OSPF simply so that I can source traffic from
different loopbacks on R1. This is the routing table of R2:

So now we will activate Netflow on R2 and also configure the top talkers feature.

Here we are sorting on bytes; we could also sort on number of packets if that
is preferred. The top 5 senders will be shown.

The command show ip flow top-talkers is used to verify.

No traffic yet. Let’s start by generating traffic from 1.1.1.1.

By default, 100-byte packets are sent. This means that we have 72 bytes
of payload and 20 bytes of IP header. There are also 14 bytes of Ethernet
header, but this is not counted in the Netflow cache.

Reading the columns from left to right, we first have the interface the traffic
came in on. The source IP was 1.1.1.1. The destination interface was local. The
destination IP was 12.12.12.2. The protocol number is 1; this value is shown in hex.
The source and destination ports don't really mean much here because we are using ICMP.

Now we generate more traffic from another loopback.

Now we have 10 kbytes of packets. That is what the prefix k means. We can also see
the prefix M if the traffic is in megabytes.

Let’s try to generate something via TCP so that we can see the port numbers as well.
I will activate TCP small servers on R2.

As you can see, lots of characters are sent over Telnet to the chargen service.
What does it look like over at R2?

Protocol is 6 in hex which is also 6 in decimal. TCP has protocol number 6.
The source port is C0DC which is 49372 in decimal. Destination port is
0013 which is 19 in decimal. Let’s confirm on R2.

Everything checks out. So that was a quick explanation of how the top talkers
feature works. It can be useful for tracking down why your WAN is being
overutilized. Maybe one user is responsible for bringing the network to a halt.
It's easy to configure and gives a quick overview of who is generating the most traffic.
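
An added example, not part of the original post: a small Python parser for the column layout described above that decodes the hex protocol and port fields to decimal and totals bytes per source IP. The sample rows are constructed (interface names, the second and third source addresses and the byte counts are illustrative), and treating K and M as decimal multipliers is an assumption.

```python
import re

# Constructed sample in the column layout the post describes; interface
# names, some addresses and byte counts are illustrative, not captured from R2.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Fa0/0         1.1.1.1         Local         12.12.12.2      01 0000 0800   500
Fa0/0         11.11.11.11     Local         12.12.12.2      01 0000 0800    10K
Fa0/0         12.12.12.1      Local         12.12.12.2      06 C0DC 0013    2M
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Assumption: K and M are decimal multipliers, so totals are approximate.
SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000}
ROW = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+(?:\.\d+){3})\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst_ip>\d+(?:\.\d+){3})\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+"
    r"(?P<num>\d+)(?P<unit>[KkMm]?)\s*$"
)

def parse_top_talkers(text):
    """Return one dict per flow row, with hex fields decoded to decimal."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header, blank line or summary text
            continue
        proto = int(m["pr"], 16)
        flows.append({
            "src_if": m["src_if"], "src_ip": m["src_ip"],
            "dst_if": m["dst_if"], "dst_ip": m["dst_ip"],
            "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "src_port": int(m["sp"], 16), "dst_port": int(m["dp"], 16),
            "bytes": int(m["num"]) * SUFFIX[m["unit"].upper()],
        })
    return flows

def bytes_per_source(flows):
    """Sum bytes per source IP, largest first (flows from one host add up)."""
    totals = {}
    for f in flows:
        totals[f["src_ip"]] = totals.get(f["src_ip"], 0) + f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for src, total in bytes_per_source(parse_top_talkers(SAMPLE)):
        print(f"{src:<15} {total}")
```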

2 thoughts on “Netflow – top talkers”

  • March 24, 2015 at 9:37 pm

    Bytes per _____? What does “Bytes” refer to? Is it a rate? (bytes/sec, /min, /hr?)
    or is it bytes since the session began? or since the dawn of time? or. . . ?
    When I look at “ip flow top-talkers” over and over, the numbers very rarely change. The same hosts and ports AND bytes.

  • July 12, 2016 at 12:31 am

    Can I apply the same in IOS XR, or do I always have to export results to a Netflow collector?
