Subject: Re: [Flow-tools] Strange Router Export Issue
From: Mark Fullmer (maf@splintered.net)
Date: Sun May 22 2005 - 22:11:00 CDT
> Starting a couple of days ago, the 7206 started sending HUGE numbers
> (10x normal) of flows to my flow-collector. I’ve dug into the raw flow
> files and I just don’t see anything strange. All three routers carry
> about the same traffic load according to bandwidth, but the flows are
> out of the ball park for the 7206. It’s almost like the router is
> counting traffic multiple times, but the config didn’t change when
> this started.
If it's a single IP source or destination you can find it by
aggregating on the IP address then sorting by flows.
# top 10 src IP sorted by flows
% flow-cat <data> | flow-report -vSORT=+flows -vTYPE=ip-source-address
-vRPTOPT=-m10
# top 10 dest IP sorted by flows
% flow-cat <data> | flow-report -vSORT=+flows
-vTYPE=ip-destination-address -vRPTOPT=-m10
The above examples will work with the 0.68 distribution. Prior to that
you'll need a config file for flow-report. Something like:
stat-report default
type ip-source-address
output
format ascii
sort +flows
stat-definition default
report default
or just use flow-stat which I'd like to kill off now since flow-report
can do so much more.
--
mark
--
Help mailto:majordomo@net.doit.wisc.edu and say "help" in message body
Unsubscribe mailto:majordomo@net.doit.wisc.edu and say
"unsubscribe flowscan" in message body
Archive http://net.doit.wisc.edu/~plonka/list/flowscan/archive/
This archive was generated by hypermail 2b25 : Sun May 22 2005 - 22:15:39 CDT