some time ago I wrote a post about displaying live traffic going through the router and how it splits by autonomous system (with some sorting capabilities built in), thanks to Flexible NetFlow. recently, Flexible NetFlow was extended to use NBAR capabilities, and with that we have new options to sort traffic by application.
with a slightly modified flow record snippet, we can also collect the application name:

flow record FNF-RECORD
 match ipv4 source address
 ! we can do IPv6 here as well
 match ipv4 destination address
 collect counter bytes
 collect counter packets
 collect application name
 ! we collect three counters now
 ! including app information from NBAR

of course this flow record needs to be part of the flow monitor:

!
flow monitor FNF-MONITOR
 record FNF-RECORD
!
interface GigabitEthernet0/1
 ip flow monitor FNF-MONITOR input
 ip flow monitor FNF-MONITOR output
 ! interface will collect both ingress and egress traffic
!
interface GigabitEthernet0/3
 ip flow monitor FNF-MONITOR input
 ip flow monitor FNF-MONITOR output
!

thanks to such a construct, we can see live applications and the traffic they generate in bytes and packets:

router# sh flow monitor FNF-MONITOR cache aggregate application name sort counter bytes
! first we sort by application and then by number of bytes
Processed 342 flows
Aggregated to 16 flows
Showing the top 16 flows

APP NAME                               flows       bytes        pkts
================================  ==========  ==========  ==========
nbar http                                  6    60698006       63836
nbar bittorrent                            1       58728         906
nbar icmp                                  8       57547         837
nbar pop3                                  2       51775         233
nbar dns                                 175       44989         299
nbar ssh                                   2       40216         254
nbar bgp                                  39       39177         634
nbar smtp                                  7       18724          78
nbar ipsec                                 2       11896         106
nbar sip                                   2        2728           4
nbar h323                                  2        2276          27
nbar ntp                                  10         760          10
nbar snmp                                  2         759          10
nbar secure-http                           2         133           2
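
as an added example (not part of the original post), here is a small Python parser for the aggregated output above. it computes each application's share of bytes and lists applications that are missing from an allow-list; the `EXPECTED` set and the function names are assumptions made for illustration, and the sample rows are copied from the output above.

```python
import re

# A few rows copied from the "show flow monitor" output on this page.
SAMPLE = """\
Processed 342 flows
Aggregated to 16 flows
Showing the top 16 flows

APP NAME                               flows       bytes        pkts
================================  ==========  ==========  ==========
nbar http                                  6    60698006       63836
nbar bittorrent                            1       58728         906
nbar dns                                 175       44989         299
nbar ssh                                   2       40216         254
nbar secure-http                           2         133           2
"""

# Hypothetical allow-list: applications expected on this link (assumption).
EXPECTED = {"http", "secure-http", "dns", "ssh", "bgp", "ntp", "snmp", "icmp"}

# Row layout: engine, application, then three integer counters.
ROW = re.compile(r"^(?P<engine>\S+)\s+(?P<app>\S+)\s+(?P<flows>\d+)\s+(?P<bytes>\d+)\s+(?P<pkts>\d+)\s*$")

def parse_app_cache(text):
    """Return one dict per application row; summary, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"engine": m["engine"], "app": m["app"],
                         "flows": int(m["flows"]), "bytes": int(m["bytes"]),
                         "pkts": int(m["pkts"])})
    return rows

def review(rows, expected=EXPECTED):
    """Add each application's byte share and return the rows outside the allow-list."""
    total = sum(r["bytes"] for r in rows) or 1
    for r in rows:
        r["share"] = r["bytes"] / total
    unexpected = [r for r in rows if r["app"] not in expected]
    return rows, unexpected

if __name__ == "__main__":
    rows, unexpected = review(parse_app_cache(SAMPLE))
    for r in rows:
        print(f'{r["app"]:<14}{r["bytes"]:>10} bytes {r["share"]:7.2%}')
    for r in unexpected:
        print(f'not on allow-list: {r["app"]} ({r["flows"]} flows, {r["bytes"]} bytes)')
```
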