When you mention users, do you want reports with usernames gathered from Active Directory or do you just want client IP addresses. The second question I have is, do you use proxy servers. The proxy question comes into play as your monitoring will need to take place before it hits the proxies.
You may need to look at a SPAN port if you don’t have flow options on your core switch
I think I understand what you're trying to do, and I haven't been able to get it to work either. The closest thing I've found is this: use Flow Navigator to create an interface detail view for an interface near your internet edge, limit it by IP address group, and look at the "Top N Conversations" pane. This doesn't give you what you're asking for, but it is a decent view of who the bandwidth hogs are.
I understand it can be frustrating sometimes trying to find the bits you really care about among the mountain of data that netflow puts in front of you.
The specific challenge of understanding which internal user is responsible for the bulk of a circuit utilization can be particularly tough.
The answer provided by JSwan touches on the approach we use to solve this with our clients.
The first and most important step is to design and create the appropriate IP Address Groups for your network. This could be a series of end-user IP subnets, or specific ranges of IP address within a subnet. If you have mixed IP ranges that include phones, users and servers for example, this becomes harder still. The goal though is to come up with a list of valid IP addresses that only include end user workstations and turn that into an IP address group.
Doing this provides two important capabilities. The first is you can now see if you have a circuit or interface that is shared by multiple ip address groups, which group is responsible for the largest percentage of utilization. The second is you can then see, for that IP Address group, what conversations exist and what applications they are using that are generating that network load.
As you point out, explaining this in the forum can be clear as mud.
The key to this is really understanding and leveraging IP Address Groups within NTA though, so if you have not had an opportunity to look at them, I would recommend to begin there.
If you have been working with them, the next step would be to look at creating some custom views, either through flow navigator or just customizing existing views, to remove all the 'distracting' data from the page so you can focus in on just the information you care about.
I hope that helps!
Director of Technical Services
Loop1 Systems (www.loop1systems.com)
Thanks to everyone for replying. Looks like we need a combination span port and some report filtering. The proxy seems to complicate this a bit :(