> Starting a couple of days ago, the 7206 started sending HUGE numbers
> (10x normal) of flows to my flow-collector. I’ve dug into the raw flow
> files and I just don’t see anything strange. All three routers carry
> about the same traffic load according to bandwidth, but the flows are
> out of the ball park for the 7206. It’s almost like the router is
> counting traffic multiple times, but the config didn’t change when
> this started.

If it's a single IP source or destination you can find it by
aggregating on the IP address then sorting by flows.

  # top 10 src IP sorted by flows
  % flow-cat <data> | flow-report -vSORT=+flows -vTYPE=ip-source-address -vRPTOPT=-m10

  # top 10 dest IP sorted by flows
  % flow-cat <data> | flow-report -vSORT=+flows -vTYPE=ip-destination-address -vRPTOPT=-m10

The above examples will work with the 0.68 distribution. Prior to that
you'll need a config file for flow-report. Something like:

  stat-report default
    type ip-source-address
    output
      format ascii
      sort +flows

  stat-definition default
    report default

or just use flow-stat which I'd like to kill off now since flow-report
can do so much more.
--
mark
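
The aggregate-then-sort step described above, as an added example that is not part of the original message. It runs on a constructed whitespace-separated sample (source, destination, octets, one line per flow record; this is not flow-tools' own file format), and `sample_flows` and `top_by` are hypothetical names. Sorting the same aggregate by flows and by octets shows how an address can lead the flow count while barely registering in bytes.

```shell
#!/bin/sh
# Constructed sample: one line per flow record, "srcaddr dstaddr octets".
# Addresses are from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
sample_flows() {
cat <<'EOF'
192.0.2.10 198.51.100.1 4800000
192.0.2.10 198.51.100.1 5200000
192.0.2.20 198.51.100.2 900000
192.0.2.77 198.51.100.11 40
192.0.2.77 198.51.100.12 40
192.0.2.77 198.51.100.13 40
192.0.2.77 198.51.100.14 40
192.0.2.77 198.51.100.15 40
192.0.2.77 198.51.100.16 40
EOF
}

# top_by KEYCOL METRIC N
#   Reads flow records on stdin, aggregates on column KEYCOL
#   (1 = source address, 2 = destination address) and prints the top N
#   lines as "address flows octets", sorted descending by METRIC
#   (flows or octets). Ties are broken by address.
top_by() {
    case "$2" in
        flows)  col=2 ;;
        octets) col=3 ;;
        *) echo "metric must be flows or octets" >&2; return 2 ;;
    esac
    awk -v k="$1" '
        { flows[$k]++; octets[$k] += $3 }
        END { for (a in flows) print a, flows[a], octets[a] }
    ' | sort -k"$col","$col"nr -k1,1 | head -n "$3"
}

echo "top source by flows:  $(sample_flows | top_by 1 flows 1)"
echo "top source by octets: $(sample_flows | top_by 1 octets 1)"
echo "top dest by flows:    $(sample_flows | top_by 2 flows 1)"
```
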