Friday 5 February 2010

Enabling Flow Top Talkers

Following on from my traffic analysis introduction, one of the tools listed (and in my opinion one of the most useful) is Flow Top Talkers.

This tool allows live, on-the-fly analysis of traffic passing through the router, and is very useful when trying to find out things like:

What is eating up all my bandwidth?
Is anyone using protocol (x)?
What is user/IP (n) doing right now?
Can I use service (x) currently?

Effectively, this tool exposes the native NetFlow cache held in the router's memory through CLI output. That saves all the tedious export configuration and setting up of servers and databases to gather the data, which for most short-term or low-level queries is a little over the top.

It won't give you the long-term data support a proper flow export can, but to be honest you'd only use it for on-the-fly troubleshooting.


First things first, enable CEF on your router if you haven't already (and if it's capable of it, why haven't you, to be frank!).

Next, enable the caching of the flow data on whichever interface(s) you are looking to gather data from. This can be a single interface in a single direction or every interface on the device depending on the scope of your query and the traffic flow direction.

This is done as follows:

conf t
interface (x)
ip flow ingress
ip flow egress
ip route-cache flow


*** PLEASE NOTE ****
Where (x) is the interface name (e.g. fastethernet0/0).
The flow can be ingress only, egress only or both, depending on your needs. ip route-cache flow is a legacy command that effectively combines flow ingress+egress and should only be used when the above are not supported.


Once the flow caching is enabled, you need to set up Flow Top Talkers. It has its own sub-menu, which can be reached via:


conf t
ip flow-top-talkers


Then from the sub-menu there are a number of options:


cache-timeout  Configure cache timeout
default        Set a command to its defaults
exit           Exit from top talkers configuration mode
match          Configure match criteria
no             Negate a command or set its defaults
sort-by        Configure top talker sort criteria
top            Configure number of top talkers


In order to set up Top Talkers correctly you will need to specify a minimum of:

top (x)
match (x)
sort-by (x)

The context-sensitive help is always good, and is in this instance too, but an example config would be:


TLAN-MAIN-1(config-flow-top-talkers)#top 20
TLAN-MAIN-1(config-flow-top-talkers)#match destination port 25 25
TLAN-MAIN-1(config-flow-top-talkers)#sort-by bytes
TLAN-MAIN-1(config-flow-top-talkers)#


The above config would match all SMTP traffic (destination port 25) traversing the interfaces that flow was enabled on, giving you the source and destination addresses and how much was transferred.

It would list the top 20 conversations and sort the table by bytes transferred.

You can review the results with the exec-level command:

show ip flow top-talkers

The output table puts the ports in HEX format rather than DEC (to save space, I guess), so you'll have to break out the HEX to DEC converter.

Output example below (addresses masked for security):

ROUTER#sh ip flow top-talkers

SrcIf  SrcIPaddress  DstIf   DstIPaddress  Pr  SrcP  DstP  Bytes
Gi0/1  **.**.**.**   Gi0/0*  **.**.**.**   01  0000  0303  646K
Gi0/1  **.**.**.**   Gi0/0   **.**.**.**   01  0000  0303  646K
Gi0/1  **.**.**.**   Gi0/0*  **.**.**.**   06  0D3D  2130  627K
Gi0/1  **.**.**.**   Gi0/0   **.**.**.**   06  0D3D  2130  627K
Gi0/1  **.**.**.**   Local   **.**.**.**   01  0000  0303  21K
(there is more but you get the idea)
20 of 20 top talkers shown. 21 of 42 flows matched.

ROUTER#
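
As an added example (not part of the original post), here is a short Python parser for saved top-talkers output that does the HEX to DEC conversion on the Pr, SrcP and DstP columns. The sample rows are constructed, with documentation addresses standing in for the masked ones, and the dictionary field names are this example's own; for ICMP rows it relies on the NetFlow convention that the destination-port field carries the ICMP type and code.

```python
import re

# Constructed sample in the layout of the post's output; the addresses are
# documentation ranges (RFC 5737), not values from the original page.
SAMPLE = """\
SrcIf  SrcIPaddress  DstIf   DstIPaddress  Pr  SrcP  DstP  Bytes
Gi0/1  192.0.2.10    Gi0/0*  198.51.100.7  01  0000  0303  646K
Gi0/1  192.0.2.22    Gi0/0   198.51.100.9  06  0D3D  2130  627K
Gi0/1  192.0.2.10    Local   198.51.100.1  01  0000  0303  21K
3 of 20 top talkers shown. 3 of 42 flows matched.
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers

# Eight whitespace-separated columns; Pr is 2 hex digits, ports are 4.
ROW = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\S+)\s+(?P<dst_if>\S+)\s+(?P<dst_ip>\S+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+"
    r"(?P<bytes>\S+)$"
)

def parse_top_talkers(text):
    """Return one dict per flow row, with the hex fields converted to decimal."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header, summary line, prompt or blank line
            continue
        proto = int(m["pr"], 16)
        flow = {
            "src_if": m["src_if"], "src_ip": m["src_ip"],
            "dst_if": m["dst_if"], "dst_ip": m["dst_ip"],
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "bytes": m["bytes"],  # kept exactly as shown, e.g. "646K"
        }
        dport = int(m["dp"], 16)
        if proto == 1:
            # ICMP has no ports: high byte is the type, low byte the code
            flow["icmp_type"], flow["icmp_code"] = dport >> 8, dport & 0xFF
        else:
            flow["src_port"], flow["dst_port"] = int(m["sp"], 16), dport
        flows.append(flow)
    return flows

if __name__ == "__main__":
    for f in parse_top_talkers(SAMPLE):
        print(f)
```

Read this way, the 01 / 0303 rows are ICMP type 3, code 3 (destination unreachable, port unreachable), and the 06 row is TCP from port 3389 to port 8496.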

2 comments:

  1. Thank you. This worked well for me.

  2. All the above commands are put in my switch but it is showing
    % Cache is empty
    so can you assist me to resolve the issue?
