I got a request from a friend to describe the Netflow top talkers feature.
Netflow is a Cisco proprietary protocol that is used to see which protocols
are in use on your network and how much traffic they are generating.

Netflow uses a tuple of source IP, destination IP, source port number,
destination port number and protocol number to define a session. Based on
this we can use the top talkers feature to see which IPs are generating
most traffic in our network.

To demonstrate this I have set up a really simple network with two routers,
R1 and R2. They are running OSPF simply so that I can source traffic from
different loopbacks on R1. This is the routing table of R2:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11] via 12.12.12.1, 00:11:41, FastEthernet0/0
     111.0.0.0/32 is subnetted, 1 subnets
O       111.111.111.111 [110/11] via 12.12.12.1, 00:11:01, FastEthernet0/0
     11.0.0.0/32 is subnetted, 1 subnets
O       11.11.11.11 [110/11] via 12.12.12.1, 00:11:11, FastEthernet0/0

So now we will activate Netflow on R2 and also configure the top talkers feature.

R2(config)#int f0/0
R2(config-if)#ip flow ingress
R2(config-if)#ip flow egress
R2(config-if)#exit
R2(config)#ip flow-top-talkers
R2(config-flow-top-talkers)#sort-by bytes
R2(config-flow-top-talkers)#top 5

Here we are sorting on bytes; we could also sort on number of packets if that
is preferred. The top 5 senders will be shown.

The command show ip flow top-talkers is used to verify.

R2#show ip flow top-talkers 
% Cache is empty

No traffic yet. Let’s start by generating traffic from 1.1.1.1.

R1#ping 12.12.12.2 re 10 so lo0

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!!!!!!

By default 100-byte packets are sent, which leaves 72 bytes of ICMP payload
once the 20-byte IP header is accounted for. The 14 bytes of Ethernet header
are not counted in the Netflow cache, which is why the ten pings show up as
exactly 1000 bytes below.


R2#show ip flow top-talkers 

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Fa0/0         1.1.1.1         Local         12.12.12.2      01 0000 0800  1000 
1 of 5 top talkers shown. 1 flows processed.

So if we read the columns from left to right we have the interface the traffic
came in on. The source IP was 1.1.1.1. The destination interface was Local,
meaning the traffic was destined to R2 itself. The destination IP was 12.12.12.2.
The protocol number is 01, shown in hex, which is ICMP. Source and destination
port don't really mean much here because we are using ICMP; IOS Netflow instead
stores the ICMP type and code in the DstP field, so 0800 is type 8 (echo request),
code 0.

Now we generate more traffic from another loopback.

R1#ping 12.12.12.2 re 100 so lo1

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 8/22/48 ms
R2#show ip flow top-talkers 

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Fa0/0         11.11.11.11     Local         12.12.12.2      01 0000 0800    10K
1 of 5 top talkers shown. 1 flows processed.

The Bytes column now reads 10K: 100 packets of 100 bytes, 10 kbytes, which is
what the prefix K means. We can also see the prefix M when a flow reaches
Megabytes, as with traffic sourced from the third loopback:

R2#show ip flow top-talkers 

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Fa0/0         111.111.111.111 Local         12.12.12.2      01 0000 0800    10M
1 of 5 top talkers shown. 1 flows processed.

Let’s try to generate something via TCP so that we can see the port numbers as well.
I will activate TCP small servers on R2.

R2(config)#service tcp-small-servers
R1#telnet 12.12.12.2 chargen
Trying 12.12.12.2, 19 ... Open
 !"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefg
!"#$%&'()*+,-./0123456789:;?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefgh

As you can see, lots of characters are sent back over the Telnet session by the
chargen service. What does it look like over at R2?

R2#show ip flow top-talkers 

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Fa0/0         12.12.12.1      Local         12.12.12.2      06 C0DC 0013  1244

Protocol is 06 in hex, which is also 6 in decimal; TCP has protocol number 6.
The source port is C0DC, which is 49372 in decimal. The destination port is
0013, which is 19 in decimal, the chargen port. Let's confirm on R2.

R2#sh tcp brief
TCB       Local Address               Foreign Address             (state)
66081C28  12.12.12.2.19               12.12.12.1.49372            ESTAB

Everything checks out. So that was a quick explanation of how the top talkers
feature works. It can be useful to track down why your WAN is being overutilized;
maybe one user is responsible for bringing the network to a halt. It's easy to
configure and gives a quick overview of who is generating the most traffic.
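The column decoding walked through above (the hex protocol and port fields, the K/M suffixes in the Bytes column, and the ICMP type/code packed into DstP) as an added Python example that is not part of the original post: it parses a constructed copy of the show ip flow top-talkers output into records sorted by bytes, the same order the sort-by bytes setting gives. The PROTO_NAMES and SUFFIX tables, the record field names and the sample text are my own assumptions.

```python
import re

# Constructed sample (not captured from a real device): the row shapes seen in
# the post, i.e. hex protocol/ports, a 'K' byte suffix and ICMP flows.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Fa0/0         12.12.12.1      Local         12.12.12.2      06 C0DC 0013  1244
Fa0/0         11.11.11.11     Local         12.12.12.2      01 0000 0800    10K
Fa0/0         1.1.1.1         Local         12.12.12.2      01 0000 0800  1000
3 of 5 top talkers shown. 3 flows processed.
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}       # IANA protocol numbers
SUFFIX = {"K": 1000, "M": 1_000_000, "G": 1_000_000_000}  # 100 x 100 B pings showed as 10K
ROW = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>[\d.]+)\s+(?P<dst_if>\S+)\s+(?P<dst_ip>[\d.]+)"
    r"\s+(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})"
    r"\s+(?P<bytes>\d+)(?P<suffix>[KMG]?)\s*$"
)

def parse_bytes(count: str, suffix: str) -> int:
    """IOS abbreviates the Bytes column: '10K' is 10 kbytes, '10M' is 10 Mbytes."""
    return int(count) * SUFFIX.get(suffix, 1)

def parse_top_talkers(text: str) -> list:
    """Return one dict per flow row, hex fields decoded, biggest talker first."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, footer line or '% Cache is empty'
        proto = int(m["proto"], 16)
        sport, dport = int(m["sport"], 16), int(m["dport"], 16)
        rec = {
            "src_if": m["src_if"], "src_ip": m["src_ip"],
            "dst_if": m["dst_if"], "dst_ip": m["dst_ip"],
            "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "bytes": parse_bytes(m["bytes"], m["suffix"]),
        }
        if proto == 1:
            # ICMP has no ports; IOS NetFlow stores type*256+code in DstP (0800 = echo request)
            rec["icmp_type"], rec["icmp_code"] = dport >> 8, dport & 0xFF
        else:
            rec["sport"], rec["dport"] = sport, dport
        flows.append(rec)
    return sorted(flows, key=lambda r: r["bytes"], reverse=True)

if __name__ == "__main__":
    for f in parse_top_talkers(SAMPLE):
        print(f)
```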

Netflow – top talkers

2 thoughts on “Netflow – top talkers”

  • March 24, 2015 at 9:37 pm

    Bytes per _____? What does “Bytes” refer to? Is it a rate (bytes/sec, /min, /hr?)
    or is it bytes since the session began? Or since the dawn of time? Or ...?
    When I look at “ip flow top-talkers” over and over, the numbers very rarely change. The same hosts and ports AND bytes.

  • July 12, 2016 at 12:31 am

    Can I apply the same in IOS XR, or do I always have to export results to a Netflow collector?
