possibilities to view incoming UDP or TCP sessions?

m4rtin

In case of a Cisco router, what are the possibilities for viewing incoming and outgoing UDP/TCP sessions intended for interfaces in the router? "debug ip packet" should be one option. For example on Cisco 7200 platform one could use "show udp" in order to list ongoing UDP sessions if I'm not mistaken? And for TCP one can use "show tcp brief numeric". Are there any other options for determing UDP and TCP packets intended to router? For example viewing the netflow data from the router if it's configured?

Mrock4

What about enabling netflow as you mentioned? IE:


R1

int f0/0
ip flow ingress


R4

ping 155.1.146.1 repeat 500 (R1's f0/0 interface)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
Success rate is 100 percent (500/500), round-trip min/avg/max = 1/2/4 ms
Rack1R4#

__________________________________________

Output on R1:
Rack1R1#sh ip cache flow | i 155.1.146.1 (filter it by f0/0's interface, though not necessary since I didn't enable netflow anywhere else)
Fa0/0 155.1.146.4 Local 155.1.146.1 01 0000 0800 500
Rack1R1#

The first IP listed shows the source, second is the destination. The "01" denotes IP protocol 1 (ICMP), and the next two sets of hex numbers are source/dest port numbers. Oddly enough it lists hex 0800 (204, but I really just look at the IP protocol number in the case of ICMP.

With this output you could look at both UDP/TCP based on the port numbers..is that what you're looking for? Of course this only details inbound traffic, to see return traffic you'd need "ip flow egress" on R1's f0/0 interface.

m4rtin

Mrock4,

ok, thanks! This works great. What is the sampling rate for NetFlow data if it's configured with "ip flow ingress" to an interface? I mean are all the packets processed or is there some sort of sampling rate?

In addition, I configured NetFlow for egress traffic for interface Fa0/0 with "ip flow egress" command, but for some reason it is not shown in "sh ip cache flow" output:

C1841#sh ip flow interface 
FastEthernet0/0
  ip flow egress
C1841#sh ip cache flow     
IP packet size distribution (0 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  0 active, 4096 inactive, 0 added
  0 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 0 chunks added
  last clearing of statistics 00:01:07
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
C1841#ping 10.10.10.1 source 10.10.10.2 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.2 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/8 ms
C1841#sh ip cache flow                            
IP packet size distribution (0 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  0 active, 4096 inactive, 0 added
  0 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 0 chunks added
  last clearing of statistics 00:01:16
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
C1841# 

Mrock4

All packets are captured with that command. I use netflow a lot when troubleshooting communications issues (ie: mail server X isn't talking to mail server Y)..it helps to see if the traffic is coming through in the first place, and if it is, if it's returning. If it's not, it helps a lot to figure out which direction it's failing in.

I know with NX-OS you can configure a sampling rate (vs. full netflow capture), but I'm not sure if there's anything in IOS which allows you to do the same.

Also, the entries will only stay in there for I believe 15 seconds (inactive flows)- so you have to be relatively quick as it relates to pinging and such. If there's a TCP session open or something, it's a lot easier to catch it on there though.

Edit: Check this out: http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-4t/nflow-filt-samp-traff.html#GUID-DC802B44-73CE-4F08-8CC4-49FEA6347C97

It's got some stuff on netflow sampling. I haven't played with it, and would, but I'm midway through my lab session.