3 Replies Latest reply on Feb 3, 2010 5:10 AM by tdvojmoc

    Display flows based on destination port

    tdvojmoc

      My enterprise backup application, which runs every night, always connects to the same port (TCP 1500) on the backup server. Source port is different on every run. I don't see this application's flow correctly in NTA 3.5 SP2. I can recognize it based on the time interval, amount of transferred data and the peers. NTA displays only source port (different every night) and "random high port" for the destination port. The IOS command show ip cache flow, executed when the application is running, displays the flow information correctly (marked red below), e.g.:

      show ip cache flow

        IP packet size distribution (148624873 total packets):
           1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
           .001 .253 .018 .008 .003 .003 .002 .002 .004 .002 .001 .002 .001 .000 .000
            512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
           .001 .003 .000 .004 .682 .000 .000 .000 .000 .000 .000

        IP Flow Switching Cache, 278544 bytes
          143 active, 3953 inactive, 1832565 added
          34704629 ager polls, 0 flow alloc failures
          Active flows timeout in 30 minutes
          Inactive flows timeout in 15 seconds

        IP Sub Flow Cache, 21640 bytes
          143 active, 881 inactive, 1832502 added, 1832502 added to flow
          0 alloc failures, 720 force free
          1 chunk, 14 chunks added
          last clearing of statistics 2d10h

        Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
        --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
        TCP-Telnet        5195      0.0         4   164      0.1       4.5      14.9
        TCP-FTP           3000      0.0        12    62      0.1       1.0       3.0
        TCP-WWW          84959      0.4        24   520     10.0       4.7       7.1
        TCP-SMTP           255      0.0       779  1050      0.9       5.0       1.5
        TCP-other       776072      3.6       175  1064    647.3       4.4       8.3
        UDP-DNS          44971      0.2         1    72      0.2       0.0      15.4
        UDP-NTP          42972      0.2        10    76      2.2       9.7      15.4
        UDP-TFTP             3      0.0         1   101      0.0       0.0      15.5
        UDP-Frag             2      0.0         4    24      0.0      17.7      15.1
        UDP-other       800476      3.8        10    78     41.1       5.3      15.4
        ICMP             74633      0.3         1    63      0.4       0.2      15.4
        IP-other            63      0.0         4   820      0.0       0.5      15.5
        Total:         1832601      8.7        80   994    702.6       4.6      12.0

        SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
        Vl1           10.32.0.40      Tu13201*      10.0.192.18     06 07FC 05DC   398K
        Vl1           10.32.0.40      Tu13201       10.0.192.18     06 07FC 05DC   398K
        Vl1           10.32.0.160     Tu13201       10.0.96.101     11 0403 007B   217
        Vl1           10.32.0.160     Tu13201*      10.0.96.101     11 0403 007B   217
        Vl1           10.32.1.66      Tu13201*      172.16.10.30    06 0B7D 0051   112
        Vl1           10.32.1.66      Tu13201       172.16.10.30    06 0B7D 0051   112
        Tu13201       10.0.192.18     Vl1           10.32.0.40      06 05DC 07FC   184K

      Network topology is MPLS VPN with GRE tunneling. NetFlow device is Cisco router 3800. All interfaces are managed by NPM, although not necessary for performance and faults, and are configured to export ingress and egress traffic.

      How can I display (aggregate) flows based on destination port in NTA?

      Thanks.
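
Added example, not part of the original post and not SolarWinds or Cisco code: a parser for the flow rows of the show ip cache flow output quoted above that decodes the hexadecimal Pr/SrcP/DstP columns (05DC is 1500) and totals packets per destination port. It assumes the "*" after DstIf marks an egress-cached copy of a flow, so those rows are skipped to avoid double counting; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Flow rows copied from the output in the post (sample input for this example).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl1           10.32.0.40      Tu13201*      10.0.192.18     06 07FC 05DC   398K
Vl1           10.32.0.40      Tu13201       10.0.192.18     06 07FC 05DC   398K
Vl1           10.32.0.160     Tu13201       10.0.96.101     11 0403 007B   217
Vl1           10.32.0.160     Tu13201*      10.0.96.101     11 0403 007B   217
Vl1           10.32.1.66      Tu13201*      172.16.10.30    06 0B7D 0051   112
Vl1           10.32.1.66      Tu13201       172.16.10.30    06 0B7D 0051   112
Tu13201       10.0.192.18     Vl1           10.32.0.40      06 05DC 07FC   184K
"""

IP = r"\d+(?:\.\d+){3}"
ROW = re.compile(
    rf"^\s*(\S+)\s+({IP})\s+(\S+?)(\*?)\s+({IP})\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)([KM]?)\s*$"
)
UNITS = {"": 1, "K": 1_000, "M": 1_000_000}  # IOS abbreviates large counters
PROTO = {6: "TCP", 17: "UDP"}

def parse_flows(text):
    """Return one dict per flow row; Pr, SrcP and DstP are hexadecimal."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, statistics or blank line
        src_if, src, dst_if, star, dst, pr, sp, dp, pkts, unit = m.groups()
        flows.append({"src": src, "dst": dst, "egress": star == "*",
                      "proto": int(pr, 16), "sport": int(sp, 16),
                      "dport": int(dp, 16), "pkts": int(pkts) * UNITS[unit]})
    return flows

def by_dst_port(flows):
    """Sum packets per (protocol, destination port)."""
    totals = defaultdict(int)
    for f in flows:
        if f["egress"]:
            continue  # assumption: '*' rows are egress copies of ingress flows
        totals[(PROTO.get(f["proto"], str(f["proto"])), f["dport"])] += f["pkts"]
    return dict(totals)

if __name__ == "__main__":
    for (proto, port), pkts in sorted(by_dst_port(parse_flows(SAMPLE)).items()):
        print(f"{proto}/{port}: ~{pkts} packets")
```

Counts with a K or M suffix are rounded by IOS, so the totals for those ports are approximate.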