
Top Talkers

Ever had slow WAN links and wanted to see exactly who was using up the bandwidth? What you need is the Top Talkers feature.



You will first need to turn on NetFlow against the interface in question like so...



interface serial 0/0
 ip flow egress
 ip flow ingress



Then we enable the top talkers feature:



ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000



The top command defines how many flows you want in the list; in this case we will display the top 20 flows. The sort-by command determines how the flows are ordered. The choices are either bytes or packets. Generally bytes is more useful, as it puts the weightier flows at the top. You can also sort by packets, which can help show a server that is perhaps sending a lot of smaller packets. The last command is cache-timeout, which specifies the length of time the list of top talkers remains before being recalculated. The shorter the period, the more system resources it uses.



Once you have this configured, you can view the top talker list by issuing show ip flow top-talkers:

Router#sh ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes

Fa0/0 192.168.23.228 Se0/0 10.8.14.253 06 A2FD 0017 1852
Fa0/0 10.12.47.234 Null 224.0.0.10 58 0000 0000 660
Fa0/0 10.12.47.241 Local 10.12.47.233 06 00B3 75A2 238
Fa0/0 192.168.23.228 Se0/0 10.8.14.253 2E 0000 0000 224
Fa0/0 192.168.23.228 Se0/0 10.8.14.253 01 0000 0800 84
5 of 100 top talkers shown. 5 flows processed.


You can tell what protocol and port the flows are using by converting these hex values into decimal. The Pr column gives you the IP protocol number (17 is UDP, 6 is TCP). In our example above we can see an EIGRP session, IP protocol 88 (hex 58).

The SrcP and DstP columns are the port values in hex. The first flow, for instance, shows a source port of 41,725 and a destination port of 23. The IP protocol is 6 (TCP), so this must be a telnet session.
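The hex conversion described above can be scripted when you are reviewing many flows. This Python example is added here and is not part of the original post; the function names and the PROTO_NAMES table are assumptions, and it goes one step beyond the text by splitting the ICMP type and code that NetFlow stores in the DstP column.

```python
from collections import Counter

# Rows copied from the "show ip flow top-talkers" output shown above.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Fa0/0 192.168.23.228 Se0/0 10.8.14.253 06 A2FD 0017 1852
Fa0/0 10.12.47.234 Null 224.0.0.10 58 0000 0000 660
Fa0/0 10.12.47.241 Local 10.12.47.233 06 00B3 75A2 238
Fa0/0 192.168.23.228 Se0/0 10.8.14.253 2E 0000 0000 224
Fa0/0 192.168.23.228 Se0/0 10.8.14.253 01 0000 0800 84
5 of 100 top talkers shown. 5 flows processed.
"""

# IANA IP protocol numbers (decimal) for the protocols that appear in the sample.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 46: "RSVP", 88: "EIGRP"}

def parse_top_talkers(text):
    """Return one dict per flow row with Pr/SrcP/DstP converted from hex."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # blank line or the "N of M top talkers shown" summary
        src_if, src_ip, dst_if, dst_ip, pr, srcp, dstp, nbytes = fields
        try:
            proto, sport, dport = int(pr, 16), int(srcp, 16), int(dstp, 16)
            nbytes = int(nbytes)  # Bytes column is already decimal
        except ValueError:
            continue  # column header row
        flow = {"src": src_ip, "dst": dst_ip, "proto": proto,
                "proto_name": PROTO_NAMES.get(proto, str(proto)),
                "sport": sport, "dport": dport, "bytes": nbytes}
        if proto == 1:
            # NetFlow carries ICMP type/code in DstP: high byte type, low byte code.
            flow["icmp_type"], flow["icmp_code"] = dport >> 8, dport & 0xFF
        flows.append(flow)
    return flows

def bytes_by_source(flows):
    """Total bytes per source address, largest first."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return totals.most_common()

if __name__ == "__main__":
    for f in parse_top_talkers(SAMPLE):
        print(f'{f["src"]:>15} -> {f["dst"]:<15} {f["proto_name"]:<5} '
              f'{f["sport"]:>5} -> {f["dport"]:<5} {f["bytes"]} bytes')
    print(bytes_by_source(parse_top_talkers(SAMPLE)))
```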

