871W(config)#flow ?
exporter Define a Flow Exporter
monitor Define a Flow Monitor
record Define a Flow Record
I'm always curious about what traffic my router sends to and receives from the Internet. These are the current users in my home network:
871W#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.1.21 0188.c663.b59e.29 Oct 12 2013 10:58 PM Automatic
192.168.1.22 0178.ca39.e481.e3 Oct 12 2013 09:50 PM Automatic
192.168.1.23 01d8.9e3f.87a7.c5 Oct 12 2013 09:50 PM Automatic
192.168.1.24 0190.187c.69a7.d1 Oct 12 2013 09:50 PM Automatic
192.168.1.25 01e0.f847.a03b.2f Oct 12 2013 09:51 PM Automatic
192.168.1.26 016c.71d9.079e.5d Oct 12 2013 10:22 PM Automatic
192.168.1.27 01ec.55f9.01f9.0c Oct 12 2013 10:36 PM Automatic // THIS IS ME
There are many NetFlow analyzers out there, but for this scenario I used a free tool from SolarWinds called the Real-time NetFlow Traffic Analyzer (NTA). Here is what the application looks like, along with the commands used to enable NetFlow:
871W(config)#ip flow?
flow-aggregation flow-cache flow-capture flow-egress
flow-export flow-top-talkers
871W(config)#ip flow-export ?
destination Specify the Destination IP address
interface-names Export interface names
source Specify the interface for source address
template Specify the template specific configurations
version Specify the version number
871W(config)#ip flow-export destination ?
Hostname or A.B.C.D Destination IP address
871W(config)#ip flow-export destination 192.168.1.27 ?
<1-65535> UDP/SCTP port number
871W(config)#ip flow-export destination 192.168.1.27 2055 // DEFAULT UDP PORT
871W(config)#ip flow-export version ?
1
5
9
871W(config)#ip flow-export version 5
871W(config)#ip flow-export source ?
Async Async interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
Dot11Radio Dot11 interface
FastEthernet FastEthernet IEEE 802.3
Lex Lex interface
Loopback Loopback interface
Multilink Multilink-group interface
Null Null interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Dot11Radio Virtual dot11 interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
Vlan Vlan IEEE 802.1q
vmi Virtual Multipoint Interface
871W(config)#ip flow-export source bvi1
871W(config)#ip flow-cache ?
entries Specify the number of entries in the flow cache
timeout Specify flow cache timeout parameters
871W(config)#ip flow-cache timeout ?
active Specify the active flow timeout
inactive Specify the inactive flow timeout
871W(config)#ip flow-cache timeout active ?
<1-60> Timeout in minutes
871W(config)#ip flow-cache timeout active 5
871W(config)#interface bvi1 // LAN INTERFACE
871W(config-if)#ip route-cache flow
871W(config-if)#interface fastethernet4 // WAN INTERFACE
871W(config-if)#ip route-cache flow
871W(config-if)#exit
871W#show run | include flow
ip route-cache flow
ip route-cache flow
ip flow-cache timeout active 5
ip flow-export source BVI1
ip flow-export version 5
ip flow-export destination 192.168.1.27 2055
871W#show ip flow ?
export Display export statistics
interface Display flow configuration on Interfaces
top-talkers Display top talkers
871W#show ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 192.168.1.1 (BVI1)
Destination(1) 192.168.1.27 (2055)
Version 5 flow records
4185 flows exported in 179 udp datagrams
0 flows failed due to lack of export packet
143 export packets were sent up to process level
0 export packets were dropped due to no fib
16 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
871W#show ip cache flow
IP packet size distribution (214853 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .061 .005 .002 .001 .001 .000 .000 .000 .000 .000 .000 .000 .000 .001
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .005 .913 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
93 active, 4003 inactive, 4827 added
70986 ager polls, 0 flow alloc failures
Active flows timeout in 5 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
93 active, 931 inactive, 4430 added, 4430 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 4 0.0 55 41 0.0 16.3 15.2
TCP-WWW 2802 0.5 72 1422 37.2 3.7 8.4
TCP-other 1043 0.1 9 643 1.8 2.2 9.2
UDP-DNS 161 0.0 1 65 0.0 0.0 15.4
UDP-NTP 20 0.0 1 76 0.0 0.0 15.1
UDP-other 695 0.1 1 136 0.1 0.1 15.4
ICMP 9 0.0 1 58 0.0 4.2 15.4
Total: 4734 0.8 45 1379 39.2 2.7 9.9
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
BV1 192.168.1.24 Fa4 63.168.61.65 06 C5F8 01BB 1
BV1 192.168.1.24 Fa4 74.125.235.55 06 DCD9 01BB 4
BV1 192.168.1.27 Fa4 173.252.102.241 06 05F9 01BB 1
Fa4 74.125.235.50 BV1 59.189.105.75 06 01BB 8FB7 8
Fa4 173.194.38.156 BV1 59.189.105.75 06 0050 CEAD 1
BV1 192.168.1.24 Fa4 31.186.225.24 06 C2F2 0050 2
BV1 192.168.1.24 Fa4 31.186.225.24 06 C2F1 0050 2
BV1 192.168.1.24 Fa4 31.186.225.24 06 C2F9 0050 2
BV1 192.168.1.24 Fa4 173.245.2.213 06 BD3C 0050 1
BV1 192.168.1.24 Fa4 54.230.150.226 06 885E 0050 1
Fa4 74.125.235.55 BV1 59.189.105.75 06 01BB DCD9 2
Fa4 91.190.216.61 BV1 59.189.105.75 06 303E D367 1
BV1 192.168.1.24 Fa4 96.7.54.91 06 9F19 0050 1
BV1 192.168.1.24 Fa4 96.7.54.91 06 9F16 0050 1
BV1 192.168.1.24 Fa4 74.125.235.50 06 8FB7 01BB 5
Fa4 72.246.189.33 BV1 59.189.105.75 06 0050 DE4D 1
BV1 192.168.1.27 Fa4 172.16.1.254 06 0ED8 0050 2
Fa4 173.245.2.213 BV1 59.189.105.75 06 0050 BD3C 1
BV1 192.168.1.24 Fa4 199.38.166.155 06 8981 0050 1
Fa4 72.246.188.97 BV1 59.189.105.75 06 0050 D1ED 1
BV1 192.168.1.24 Fa4 184.73.189.70 06 DEBE 0050 1
BV1 192.168.1.24 Fa4 54.241.220.8 06 A300 0050 2
BV1 192.168.1.24 Fa4 72.246.188.89 06 8ACC 0050 1
BV1 192.168.1.24 Fa4 195.8.215.136 06 8D6B 0050 3
BV1 192.168.1.24 Fa4 195.8.215.136 06 8D6C 0050 2
BV1 192.168.1.25 Fa4 91.190.216.61 06 D367 303E 2
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
BV1 192.168.1.24 Fa4 173.194.38.143 06 A7D7 0050 1
BV1 192.168.1.24 Fa4 173.194.38.143 06 A7D6 0050 1
BV1 192.168.1.27 Local 192.168.1.1 06 0444 0017 37
BV1 192.168.1.24 Fa4 199.38.166.156 06 DF2A 0050 1
BV1 192.168.1.25 Null 8.8.8.8 11 E1E8 0035 1
Fa4 199.38.166.156 BV1 59.189.105.75 06 0050 DF2A 1
BV1 192.168.1.24 Fa4 72.246.188.98 06 CB3A 0050 1
BV1 192.168.1.24 Fa4 72.246.188.211 06 B83E 0050 1
Fa4 173.194.38.141 BV1 59.189.105.75 06 0050 A995 1
BV1 192.168.1.24 Fa4 8.39.37.21 06 A258 0050 2
BV1 192.168.1.24 Fa4 8.39.37.21 06 A272 0050 2
BV1 192.168.1.24 Fa4 8.39.37.21 06 A273 0050 2
BV1 192.168.1.24 Fa4 8.39.37.21 06 A271 0050 2
BV1 192.168.1.24 Fa4 8.39.37.21 06 A274 0050 2
Fa4 173.194.38.143 BV1 59.189.105.75 06 0050 A7D7 1
Fa4 173.194.38.143 BV1 59.189.105.75 06 0050 A7D6 1
Fa4 72.246.188.89 BV1 59.189.105.75 06 0050 8ACC 1
BV1 192.168.1.24 Fa4 192.33.31.101 06 8B5B 01BB 2
Fa4 8.8.8.8 Local 59.189.105.75 11 0035 EF47 1
Fa4 173.252.102.241 BV1 59.189.105.75 06 01BB 05F9 2
Fa4 195.8.215.136 BV1 59.189.105.75 06 0050 8D6A 3
Fa4 195.8.215.136 BV1 59.189.105.75 06 0050 8D6B 2
Fa4 195.8.215.136 BV1 59.189.105.75 06 0050 8D6C 1
Fa4 204.11.109.160 BV1 59.189.105.75 06 0050 C659 1
Fa4 72.246.188.98 BV1 59.189.105.75 06 0050 CB3A 1
BV1 192.168.1.24 Fa4 74.125.139.120 06 8435 0050 1
Fa4 54.241.220.8 BV1 59.189.105.75 06 0050 A300 1
BV1 192.168.1.24 Fa4 50.97.214.162 06 B716 0050 1
Fa4 184.73.189.70 BV1 59.189.105.75 06 0050 DEBE 1
Fa4 72.246.188.211 BV1 59.189.105.75 06 0050 B83E 1
Fa4 31.186.225.24 BV1 59.189.105.75 06 0050 C2F9 1
Fa4 31.186.225.24 BV1 59.189.105.75 06 0050 C2F1 1
Fa4 31.186.225.24 BV1 59.189.105.75 06 0050 C2F2 1
Fa4 204.11.109.63 BV1 59.189.105.75 06 0050 A5DA 1
Fa4 72.5.64.63 BV1 59.189.105.75 06 0050 94BF 1
BV1 192.168.1.24 Fa4 173.194.38.141 06 A995 0050 1
BV1 192.168.1.25 Fa4 23.58.242.217 06 D374 01BB 7
BV1 192.168.1.24 Fa4 72.246.189.25 06 86FE 0050 1
Fa4 74.125.139.120 BV1 59.189.105.75 06 0050 8435 1
BV1 192.168.1.24 Fa4 31.13.68.8 06 DB30 0050 3
BV1 192.168.1.25 Null 8.8.8.8 11 EF47 0035 1
Fa4 63.168.61.65 BV1 59.189.105.75 06 01BB C5F8 1
Fa4 72.246.189.25 BV1 59.189.105.75 06 0050 86FE 1
BV1 192.168.1.24 Fa4 66.117.25.36 06 A0B6 0050 2
BV1 192.168.1.24 Fa4 38.108.107.27 06 CD4A 0050 3
BV1 192.168.1.24 Fa4 38.108.107.27 06 CD49 0050 3
BV1 192.168.1.24 Fa4 31.13.68.16 06 CC94 0050 1
BV1 192.168.1.24 Fa4 31.13.68.16 06 CC91 0050 1
BV1 192.168.1.24 Fa4 31.13.68.16 06 CC8C 0050 1
Fa4 10.143.96.1 Null 255.255.255.255 11 0043 0044 2
BV1 192.168.1.24 Fa4 31.13.68.16 06 CC8A 0050 1
BV1 192.168.1.24 Fa4 31.13.68.16 06 CC85 0050 1
BV1 192.168.1.24 Fa4 31.13.68.16 06 CC87 0050 1
Fa4 23.58.225.224 BV1 59.189.105.75 06 0050 ED24 1
Fa4 31.13.68.8 BV1 59.189.105.75 06 0050 DB30 3
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
BV1 192.168.1.24 Fa4 204.236.131.45 06 9F55 0050 3
BV1 192.168.1.24 Fa4 204.11.109.63 06 A5DA 0050 1
BV1 192.168.1.27 Local 192.168.1.1 11 EB78 00A1 165
Fa4 96.7.54.91 BV1 59.189.105.75 06 0050 9F16 1
Fa4 96.7.54.91 BV1 59.189.105.75 06 0050 9F19 1
BV1 192.168.1.24 Fa4 173.194.38.156 06 CEAD 0050 1
BV1 192.168.1.24 Fa4 96.7.54.88 06 9005 0050 3
BV1 192.168.1.24 Fa4 96.7.54.88 06 9004 0050 3
BV1 192.168.1.24 Fa4 204.11.109.160 06 C659 0050 1
Fa4 23.58.242.217 BV1 59.189.105.75 06 01BB D374 7
Fa4 38.108.107.27 BV1 59.189.105.75 06 0050 CD49 3
Fa4 38.108.107.27 BV1 59.189.105.75 06 0050 CD4A 3
BV1 192.168.1.24 Fa4 72.5.64.63 06 94BF 0050 1
BV1 192.168.1.24 Fa4 72.246.188.97 06 D1ED 0050 1
Fa4 72.246.188.216 BV1 59.189.105.75 06 0050 DDB9 1
Fa4 72.246.188.216 BV1 59.189.105.75 06 0050 DDD3 1
Fa4 72.246.188.216 BV1 59.189.105.75 06 0050 DDD2 1
Fa4 204.236.131.45 BV1 59.189.105.75 06 0050 9F55 1
871W#show ip flow top-talkers
% Top talkers not configured
871W#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
871W(config)#ip flow?
flow-aggregation flow-cache flow-capture flow-egress
flow-export flow-top-talkers
871W(config)#ip flow-top-talkers
871W(config-flow-top-talkers)#?
Netflow top talker configuration commands:
cache-timeout Configure cache timeout
default Set a command to its defaults
exit Exit from top talkers configuration mode
match Configure match criteria
no Negate a command or set its defaults
sort-by Configure top talker sort criteria
top Configure number of top talkers
871W(config-flow-top-talkers)#top ?
<1-200> Number of top talkers
871W(config-flow-top-talkers)#top 10
871W(config-flow-top-talkers)#sort-by ?
bytes Sort top talkers by bytes
packets Sort top talkers by packets
871W(config-flow-top-talkers)#sort-by bytes
871W(config-flow-top-talkers)#end
871W#show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Fa4 165.254.58.10 BV1 59.189.105.75 06 01BB A28D 134K
Fa4 23.61.194.64 BV1 59.189.105.75 06 01BB 8958 120K
Fa4 165.254.58.25 BV1 59.189.105.75 06 01BB E472 120K
Fa4 72.246.188.251 BV1 59.189.105.75 06 01BB DDA7 106K
Fa4 23.59.188.139 BV1 59.189.105.75 06 01BB BCDA 53K
Fa4 23.59.189.147 BV1 59.189.105.75 06 01BB CFEF 48K
BV1 192.168.1.27 Local 192.168.1.1 11 EB78 00A1 21K
Fa4 63.168.61.65 BV1 59.189.105.75 06 01BB D5F4 16K
BV1 192.168.1.25 Fa4 64.4.23.145 06 D388 9C62 12K
Fa4 17.173.66.179 BV1 59.189.105.75 06 01BB D38A 11K
10 of 10 top talkers shown. 71 flows processed.
The source port (SrcP) and destination port (DstP) in the top talkers list are displayed as hexadecimal values. We just convert them to decimal using this cool web tool:
It's good to know that most websites nowadays use encryption (HTTPS, TCP port 443). It looks like Facebook and Google are the top visited domains. There's also a Braille protocol listed, and someone must've tried to perform a denial of service (DoS) attack on my home network (holy crap!). It seems like there's a lot of crazy stuff going on over the Internet.
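The router above is exporting version 5 records to UDP port 2055, so the collector on 192.168.1.27 receives fixed-format datagrams that can be decoded without any vendor tool. The following added example (my own code, not part of the original post or of the SolarWinds product) parses a NetFlow v5 datagram, rejects malformed ones, and reproduces the "sort-by bytes" top talkers view with the ports shown both in the IOS hex form and in decimal. The sample datagram is constructed in code from three flows taken from the router output above; packet and byte counts are illustrative.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address
# NetFlow v5 wire layout: a 24-byte header, then up to 30 fixed 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_v5(datagram):
    """Decode one export datagram into (header dict, list of flow dicts); reject malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _et, _eid, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > 30 or len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count %d does not match datagram length" % count)
    hdr = {"count": count, "uptime": uptime, "unix_secs": secs, "sequence": seq,
           "sampling": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
                        "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12], "proto": f[13]})
    return hdr, records

def top_talkers(records, top=10, sort_by="bytes"):
    """Mimic 'show ip flow top-talkers': aggregate per 5-tuple, sort descending, keep N.
    Ports are reported as the IOS hex display next to their decimal value."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["dst"], r["proto"], r["src_port"], r["dst_port"])] += r[sort_by]
    rows = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]
    return [{"src": k[0], "dst": k[1], "proto": PROTO.get(k[2], str(k[2])),
             "src_port": "%04X (%d)" % (k[3], k[3]), "dst_port": "%04X (%d)" % (k[4], k[4]),
             sort_by: v} for k, v in rows]

def build_v5(flows, seq=0):
    """Build a constructed (not captured) export: flows = (src, dst, proto, sport, dport, pkts, bytes)."""
    body = b"".join(RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4, 1, 4,
                                pk, by, 0, 0, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, pr, sp, dp, pk, by in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0) + body

# Constructed sample reusing three flows from the router output above (counts are illustrative).
SAMPLE = build_v5([("165.254.58.10", "59.189.105.75", 6, 0x01BB, 0xA28D, 100, 134000),
                   ("192.168.1.27", "192.168.1.1", 17, 0xEB78, 0x00A1, 165, 21000),
                   ("192.168.1.25", "8.8.8.8", 17, 0xE1E8, 0x0035, 1, 65)])
```

To use it on live exports, bind a UDP socket to port 2055 on the collector host and pass each received datagram to parse_v5; the v5 header's sequence field lets you spot dropped export packets between datagrams.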