Hi everyone, I've run a netflow realtime report of the top 10 conversations happening on a particular interface. The result is strange. Of the top 10 conversations, I'm seeing only 3 combinations of source IP, source port, destination IP and destination port. I'll try to post the report below: Conversation Source IP Address Source Hostname Source Port Destination IP Address Destination Hostname Destination Port Protocol Total Traffic Total Packets Traffic Percentage 1 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 52.92 Mb 35601 15% 2 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 47.87 Mb 32205 13% 3 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 46.36 Mb 31190 13% 4 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 40.39 Mb 27169 11% 5 100.85.25.11 Microsoft-DS (445) 100.85.1.20 SwiftNet (1751) TCP 30.02 Mb 20205 8% 6 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 29.64 Mb 19960 8% 7 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 28.30 Mb 19035 8% 8 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 26.83 Mb 18070 8% 9 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 26.62 Mb 17906 7% 10 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 26.58 Mb 17882 7% Based on this, I felt that conversations 1-4 should be one conversation with the total traffic and packets added up. It would then account for a higher % of the traffic. Conversation 5 as it's listed in the report, should be a seperate conversation because the destination port is different. conversations 6-10 should be added together because it is the same communication. Those last 4 together would be the new conversation #2 because conversation 5(as listed above) would be less megabyles than conversations 6-10 added together. Is my netflow calculating wrong or am I not getting something? Thanks, Paul

This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Top 10 conversations are almost identical

paullaf over 16 years ago

Hi everyone,

I've run a netflow realtime report of the top 10 conversations happening on a particular interface. The result is strange. Of the top 10 conversations, I'm seeing only 3 combinations of source IP, source port, destination IP and destination port. I'll try to post the report below:

Conversation	Source IP Address	Source Port	Destination IP Address	Destination Port	Protocol	Total Traffic	Total Packets	Traffic Percentage
1	100.85.8.11	Microsoft-DS (445)	100.85.1.20	cft-0 (1761)	TCP	52.92 Mb	35601	15%
2	100.85.8.11	Microsoft-DS (445)	100.85.1.20	cft-0 (1761)	TCP	47.87 Mb	32205	13%
3	100.85.8.11	Microsoft-DS (445)	100.85.1.20	cft-0 (1761)	TCP	46.36 Mb	31190	13%
4	100.85.8.11	Microsoft-DS (445)	100.85.1.20	cft-0 (1761)	TCP	40.39 Mb	27169	11%
5	100.85.25.11	Microsoft-DS (445)	100.85.1.20	SwiftNet (1751)	TCP	30.02 Mb	20205	8%
6	100.85.8.11	Microsoft-DS (445)	100.85.1.20	cft-0 (1761)	TCP	29.64 Mb	19960	8%
7	100.85.8.11	Microsoft-DS (445)	100.85.1.20	cft-0 (1761)	TCP	28.30 Mb	19035	8%
8	100.85.8.11	Microsoft-DS (445)	100.85.1.20	cft-0 (1761)	TCP	26.83 Mb	18070	8%
9	100.85.8.11	Microsoft-DS (445)	100.85.1.20	cft-0 (1761)	TCP	26.62 Mb	17906	7%
10	100.85.8.11	Microsoft-DS (445)	100.85.1.20	cft-0 (1761)	TCP	26.58 Mb	17882	7%

Based on this, I felt that conversations 1-4 should be one conversation with the total traffic and packets added up. It would then account for a higher % of the traffic. Conversation 5 as it's listed in the report, should be a seperate conversation because the destination port is different. conversations 6-10 should be added together because it is the same communication. Those last 4 together would be the new conversation #2 because conversation 5(as listed above) would be less megabyles than conversations 6-10 added together.

Is my netflow calculating wrong or am I not getting something?

Thanks,

Paul