some time ago i wrote a post about displaying live traffic going through the router. i also covered how it can be split by autonomous system (with some sorting capabilities built in), thanks to Flexible NetFlow. recently, Flexible NetFlow was extended to use NBAR capabilities, which gives us new options to sort traffic by application.
with a slightly modified flow record snippet, we can also collect the application name:
flow record FNF-RECORD
 ! we can do IPv6 here as well
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes
 collect counter packets
 ! we collect three counters now
 ! including app information from NBAR
 collect application name
of course, this flow record needs to be part of a flow monitor, which is then applied to the interfaces:
!
flow monitor FNF-MONITOR
 record FNF-RECORD
!
interface GigabitEthernet0/1
 ip flow monitor FNF-MONITOR input
 ip flow monitor FNF-MONITOR output
 ! interface will collect both ingress and egress traffic
!
interface GigabitEthernet0/3
 ip flow monitor FNF-MONITOR input
 ip flow monitor FNF-MONITOR output
!
with this configuration in place, we can see live traffic classified by application:
router# sh flow monitor FNF-MONITOR cache aggregate application name sort counter bytes
! first we aggregate by application and then sort by number of bytes
Processed 342 flows
Aggregated to 16 flows
Showing the top 16 flows
APP NAME                              flows      bytes       pkts
================================ ========== ========== ==========
nbar http                                 6   60698006      63836
nbar bittorrent                           1      58728        906
nbar icmp                                 8      57547        837
nbar pop3                                 2      51775        233
nbar dns                                175      44989        299
nbar ssh                                  2      40216        254
nbar bgp                                 39      39177        634
nbar smtp                                 7      18724         78
nbar ipsec                                2      11896        106
nbar sip                                  2       2728          4
nbar h323                                 2       2276         27
nbar ntp                                 10        760         10
nbar snmp                                 2        759         10
nbar secure-http                          2        133          2
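
the aggregated view above is easy to post-process when you want to watch for applications that should not be on a link. the following python is an added example, not part of the original post: it parses the output shown above, computes each application's share of bytes, lists applications outside an allowlist, and reports how many aggregated rows the header declares but the capture does not contain. the allowlist and the function names are assumptions made for illustration.

```python
import re
# Router output copied from the session shown on this page.
SAMPLE = """\
Processed 342 flows
Aggregated to 16 flows
Showing the top 16 flows
APP NAME flows bytes pkts
================================ ========== ========== ==========
nbar http 6 60698006 63836
nbar bittorrent 1 58728 906
nbar icmp 8 57547 837
nbar pop3 2 51775 233
nbar dns 175 44989 299
nbar ssh 2 40216 254
nbar bgp 39 39177 634
nbar smtp 7 18724 78
nbar ipsec 2 11896 106
nbar sip 2 2728 4
nbar h323 2 2276 27
nbar ntp 10 760 10
nbar snmp 2 759 10
nbar secure-http 2 133 2
"""
# Assumption: example allowlist of applications expected on this link.
EXPECTED_APPS = {"http", "secure-http", "dns", "icmp", "ssh", "bgp",
                 "smtp", "pop3", "ntp", "snmp", "ipsec"}
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_app_cache(text):
    """Return (aggregated flow count from the header, list of row dicts)."""
    header = re.search(r"^Aggregated to (\d+) flows", text, re.M)
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())  # header and separator lines do not match
        if m:
            rows.append({"app": m.group(2), "flows": int(m.group(3)),
                         "bytes": int(m.group(4)), "pkts": int(m.group(5))})
    return (int(header.group(1)) if header else None), rows

def review(text, expected=EXPECTED_APPS):
    """Byte share per application plus the applications outside the allowlist."""
    declared, rows = parse_app_cache(text)
    total = sum(r["bytes"] for r in rows) or 1  # avoid division by zero
    shares = {r["app"]: round(100 * r["bytes"] / total, 2) for r in rows}
    unexpected = [r["app"] for r in rows if r["app"] not in expected]
    missing = declared - len(rows) if declared is not None else 0
    return {"shares": shares, "unexpected": unexpected, "rows_missing": missing}

if __name__ == "__main__": print(review(SAMPLE))
```

the row pattern tolerates any amount of whitespace between columns, so it works on both column-aligned and whitespace-collapsed copies of the output.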