Netflow top talkers query
Hi Folks,
I was trying to use the top talkers feature to find the culprits hogging my bandwidth. I am pertty new top talker feature and its implemented on a 6500 with sup720. I have a couple of queries w.r.t this.
* tried to configure the cort by bytes feature got a warning that its not supported on the hardware based model.So is there any way to use sort by bytes on the sup 720?
* The O/P fileds of a show ip flow top-talkers are usually,
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts( had to use sort by packets due to warning)
Now is this pkts field the number of packets calculated between the cache-timeout value or is it the total seen so far? Will it be the same for sort by bytes too? Total bytes seen for this flow rather than a realtime bytes/sec or bytes/cache time-out value.
If this is the case then its actually not a real time top talker value right? Please help
Thanks,
Prakadeesh
The --command -- sh ip cache flow shows the cache-timeout value only not the collective bytes of data ; if you need the Total bytes seen for this flow you need to use the Crannog netflow Tracker kind of tools or you need to use " ip accounting " and clear the counter manually as and when required !!!
And it its actually a real time top talker value for that specifed cache-timeout value and i found most of the time it shows the correct top-talker many times !!!!!!!!!!!!!!!!!!!
Similar Messages
-
Netflow top-talkers configuration
Hello
I would like to know the purpose of these configuration commands :
ip flow-top-talkers
top 50
sort-by packets
cache-timeout 2000
match source address 192.1.1.97/32
match destination address 192.1.1.110/32
This is extracted from a documentation from Cisco.
For me there is no sense to configure a top talkers : how do we know that this will be the top talkers ?
Thanks for help
RegardsTop talkers are based on the conversations or flows generating the heaviest traffic on your routing device. A flow refers to traffic from source A to source B through any interface of the router and "heaviest traffic" means volume of traffic generated. They can be sorted based on any one of the following criteria:
1. By the total number of packets in each top talker
2. By the total number of bytes in each top talker
There are further filter options, which can done using "match statements".
For eg, if you simply enable top talkers for 50 and set the sort feature based on packets, the 50 conversations who were sending the most traffic (volume - KB, MB, GB) will be taken and displayed. The displayed conversations will be sorted based on the packet counts in the flow.
If you add an match IP source statement to the above example, then the same as above is done but only flows whose source IP is the same as in the match statement is captured.
If you add a match source and destination IP, then only the top 50 flows between those 2 IP Addresses will be captured and displayed.
Regards,
Don Thomas Jacob
www.netflowanalyzer.com
NOTE: Please rate posts and close questions if you have got the answer. -
Cisco2821 - ip flow top talkers = cache is empty
Hi Everyone,
I've been fighting an issue with a 2821 router for some time now. I'm trying to pull the top talkers from an interface, however the cache is empty. I verified the configuration with a known working 2821 and the output for the interfaces are the same. Any help would be greatly appreciated!
NON-WORKING:::
interface GigabitEthernet0/0
description P2P Comcast NLAN to ENET
ip address 10.103.2.6 255.255.255.0
ip flow ingress
ip flow egress
duplex full
speed 100
interface GigabitEthernet0/1
description connect to JDR_3560_2
ip address 10.200.12.1 255.255.255.0
duplex auto
speed auto
interface Serial0/1/0
no ip address
shutdown
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
no ip http server
no ip http secure-server
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 10.100.1.58 2055
ip flow-top-talkers
top 25
sort-by bytes
logging 10.100.1.17
logging 10.100.1.119
WORKING CONFIG:
interface GigabitEthernet0/0
description Comcast MetroEthernet CID: 54.VLXP.006454.CPLC
ip address 10.103.2.5 255.255.255.0
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip igmp query-interval 125
duplex full
speed 100
service-policy output WAN-EDGE
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 10.100.6.111 2055
ip flow-export destination 10.100.1.58 2055
ip flow-top-talkers
top 30
sort-by bytes
ip mroute 0.0.0.0 0.0.0.0 10.103.2.240
logging 10.100.1.17
logging 10.100.1.40
logging 10.100.1.119Hi,
I'm not a Netflow expert by let's try; config seems to be correct, could you post the output of
sh ip flow export
sh ip flow top-talker
sh ver
enrico -
Does WCCP skew results of 'ip flow top-talkers'?
I have a router that has been configured to show ip flow top-talker information. I recently added a WAAS to this site that is using WCCP redirection. The 'top-talkers' output on the router still works - but shows source/destination of the router and WAAS device as the talkers for all traffic that has been redirected. I'm not able to see that actual client IPs for that traffic .. and that is the majority of my traffic. Is there any way to still be able to view this traffic as I did before? If I dump netflow to an actual netflow server instead of using top-talkers will that work - or will it display the same thing?
Router configuration:
interface multilink1
ip flow ingress
interface gi0/0
ip flow ingress
ip flow-top-talkers
top 25
sort-by bytes
Now when I do a 'show ip flow top-talkers', here's what I see: 10.10.11.18 is WAAS and 10.10.255.11 is loopback of the router.
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Gi0/0.1 10.10.11.18 Mu1 10.10.255.11 2F 0000 0000 141M
Gi0/0.1 10.10.11.18 Mu1 10.10.255.11 2F 0000 0000 12M
Gi0/0.1 10.10.11.124 Gi0/0.1 10.10.10.53 06 1058 0A26 1801K
Gi0/0.1 10.10.11.54 Gi0/0.1 10.10.10.5 06 0E0C 0A26 882K
Gi0/0.1 10.10.11.107 Gi0/0.1 10.10.10.50 06 043D 05D6 736K
Gi0/0.1 10.10.11.60 Gi0/0.1 10.10.10.5 06 0409 0A26 723K
Gi0/0.1 10.10.11.103 Gi0/0.1 10.10.10.5 06 0407 0A26 713K
Gi0/0.1 10.10.11.120 Gi0/0.1 10.10.10.14 06 0456 05D6 531K
Gi0/0.1 10.10.11.237 Gi0/0.1 10.10.10.27 06 238C 110E 527K
Gi0/0.1 10.10.11.62 Gi0/0.1 10.10.10.53 06 C00E 05D6 463K
Gi0/0.1 10.10.11.125 Gi0/0.1 10.10.10.30 06 12A1 1F90 355K
Gi0/0.1 10.10.11.115 Gi0/0.1 10.10.10.14 06 042C 05D6 336K
Gi0/0.1 10.10.11.137 Gi0/0.1 10.10.10.6 06 04AC 0D3D 244K
Gi0/0.1 10.10.11.154 Gi0/0.1 10.10.10.53 06 0A0D 0A26 216K
Gi0/0.1 10.10.11.66 Gi0/0.1 10.10.10.6 06 C018 05D6 195K
Gi0/0.1 10.10.11.91 Gi0/0.1 10.10.10.5 06 0439 05D6 145K
Gi0/0.1 10.10.11.58 Gi0/0.1 10.10.10.14 06 0458 05D6 134K
Gi0/0.1 10.10.11.127 Gi0/0.1 10.10.10.30 06 0618 1F90 115K
Gi0/0.1 10.10.11.18 Local 10.10.255.11 11 0800 0800 96K
Gi0/0.1 10.10.11.147 Gi0/0.1 10.10.10.14 06 118F 0A26 88K
Gi0/0.1 10.10.11.95 Gi0/0.1 10.10.10.14 06 0C35 0D3D 84K
Gi0/0.1 10.10.11.105 Gi0/0.1 10.10.10.27 06 C98F 01BD 70K
Gi0/0.1 10.10.11.117 Gi0/0.1 10.10.10.53 06 CB1A 0D3D 41K
Gi0/0.1 10.10.11.65 Gi0/0.1 10.10.10.14 06 0EF9 05D6 40K
Gi0/0.1 10.10.11.112 Gi0/0.1 10.10.10.21 06 08D5 0D3D 37K
Thanks!I believe the problem is caused because I have the WAAS appliance in the same subnet as users. I am using the 'egress-method negotiated-return intercept-method wccp' on the WAAS to send the traffic back to the router. This uses GRE, which is causing the cache flow data to show up the way it is.
I will have to move the WAAS to a different subnet and change the return method. -
How to get Top Talkers on ASA ?
hi Friends,
We ahave ASA 5510 and 5520 @ our office. We are not using any netflow tools in order to get the talk talklers.
As this firewalls are shared firewall (used by different Projects), we are not able to get , which project is using more traffic and which is less.
Can someone help me out in this ?
Regards
Nirav BhattI know this is an old thread, but I'm hoping this will come in handy for anyone doing a search.
All our 5505's and 5510's are on ASA 8.2(5) and didn't get some of the nicer "top 10" features that come with later versions. I always assumed it was due to the ASA version, but I built an ASA recently on 8.2(5) which has ASDM 7.1(2) on it and the pie charts for top talkers is there now.
I'm in the process of updating all our devices to ASDM 7.1(2) and it's given us a lot more visibility of the network. -
So I stumbled upon the ip flow-top-talkers feature and attempted to configure it on a 3560-X running 12.2(58)SE2. It allowed me to configure this:
ip flow-top-talkers
top 5
sort-by bytes
cache-timeout 60000
Then on the interface I am interested in:
interface GigabitEthernet0/21
ip flow ingress
Which results is (drum roll please....)
Switch#show ip flow top
% Cache is empty
No joy. So I checked the config guide for unsupported commands, these are not listed.
Then I thought maybe it had to be on a layer 3 interface (g0/21 is layer 2) so I did "ip flow ingress" on an SVI, same results.
So then I checked feature navigatore for "Flexible Netflow - Top N Talkers Support". 12.2SE is not listed, but 15.0(2)SE is.
Questions:
- Is the existence of the commands in 12.2(58)SE just an oversight? Functionality seems to almost be there, just not quite.
- Does neflow need to be enabled on a layer 3 interface or will it work on layer 2 (assuming platform support of course)
Thanks,
-JeffDoes your switch have a network services module installed?
Note Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image. -
Cannot config "ip flow-top-talkers" on 7606-S
We have a router 7606-S is running IOS 12.2 (33r) SRD2 and Internet BGP protocol.
I tried to enable Flow Top Talkers on it to check Top 10 flow talkers.
1.configure interface:
Router(config-if)#ip flow ingress
2.configure
Router(config)#ip flow-top-talkers
but it shows:
Router((config)#ip flow-top-talkers
^
% Invalid input detected at '^' marker.
Router(config)#ip flow-?
flow-aggregation flow-cache flow-capture flow-egress flow-export
I then tried command
Router#show ip flow top-talkers
% Top talkers not configured
Can anyone advice if anything I miss please?
Thanks in advance.Does your switch have a network services module installed?
Note Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image. -
Top N query giving error for oracle 8.0.6
Dear All,
We are executing this query SELECT XBLNR, WERKS, MATNR, MDV01, BACKFLQUANT, STATUS, SAPTIMESTAMP, PITSTIMESTAMP, PMTIMESTAMP, BATCH FROM (SELECT XBLNR, WERKS, MATNR, MDV01, BACKFLQUANT, STATUS, SAPTIMESTAMP, PITSTIMESTAMP, PMTIMESTAMP, BATCH FROM PMBPITS.PITS_UNITY WHERE STATUS = '01' ORDER BY PMTIMESTAMP) WHERE ROWNUM < 20
on oracle 8.0.6 but this is giving the following error
ora - 00907 missing right parenthesis error
1. Is it that in the inner select we cannot use order by and where clause together.
2. We also found that if we remove order by from inner select then the query is not giving error
pls help . points will be awardedHi,
what ever the Aman said is correct. You check this is supported in 8.1.5, SQL allows you to embed the ORDER BY clause in a subquery and place the ROWNUM condition in the top-level query;
'Top-N query' is a ORACLE 8i feature which is supported in SQL. However,
Bug:855720 states the following:
"PL/SQL does not support top-N queries (ORDER BY in SUBSELECT/SUBQUERY
or VIEW. Since this feature is available in SQL, but not in PL/SQL,
it has been logged as a Bug that will be fixed in 8.1.6."
- Pavan Kumar N -
Top N query with INLIST Iterator performance problem
I have a top N query that is giving me problems on Oracle 11.2.0.3.
First of all, I have a query like the following (simplified from the real query, but produces the same problem):
select /*+ gather_plan_statistics */ * from
select rowid
from payer_subscription ps
where ps.subscription_status = :i_subscription_status
and ps.merchant_id = :merchant_id2
order by transaction_date desc
) where rownum <= :i_rowcount; This query works well. It can very efficiently find me the top 10 rows for a massive data set, using an index on merchant_id, subscription_status, transaction_date.
| Id | Operation | Name | Starts | E-Rows | A-Rows | A-Time | Buffers |
| 0 | SELECT STATEMENT | | 1 | | 10 |00:00:00.01 | 4 |
|* 1 | COUNT STOPKEY | | 1 | | 10 |00:00:00.01 | 4 |
| 2 | VIEW | | 1 | 11 | 10 |00:00:00.01 | 4 |
|* 3 | INDEX RANGE SCAN DESCENDING| SODTEST2_IX | 1 | 100 | 10 |00:00:00.01 | 4 |
-------------------------------------------------------------------------------------------------------As you can see the estimated actual rows at each stage are 10, which is correct.
Now, I have a requirement to get the top N records for a set of merchant_Ids, so if I change the query to include two merchant_ids, the performance tanks:
select /*+ gather_plan_statistics */ * from
select rowid
from payer_subscription ps
where ps.subscription_status = :i_subscription_status
and (ps.merchant_id = :merchant_id or
ps.merchant_id = :merchant_id2 )
order by transaction_date desc
) where rownum <= :i_rowcount;
| Id | Operation | Name | Starts | E-Rows | A-Rows | A-Time | Buffers | OMem | 1Mem | Used-Mem |
| 0 | SELECT STATEMENT | | 1 | | 10 |00:00:00.17 | 178 | | | |
|* 1 | COUNT STOPKEY | | 1 | | 10 |00:00:00.17 | 178 | | | |
| 2 | VIEW | | 1 | 200 | 10 |00:00:00.17 | 178 | | | |
|* 3 | SORT ORDER BY STOPKEY| | 1 | 200 | 10 |00:00:00.17 | 178 | 2048 | 2048 | 2048 (0)|
| 4 | INLIST ITERATOR | | 1 | | 42385 |00:00:00.10 | 178 | | | |
|* 5 | INDEX RANGE SCAN | SODTEST2_IX | 2 | 200 | 42385 |00:00:00.06 | 178 | | | |Notice now that there are 42K rows coming out of the two index range scans - Oracle is no longer aborting the index range scan when it reaches 10 rows. What I thought would happen, is that Oracle would get at most 10 rows for each merchant_id, knowing that at most 10 rows are to be returned by the query. Then it would sort that 10 + 10 rows and output the top 10 based on the transaction date, but it refuses to do that.
Does anyone know how I can get the performance of the first query, when I need to pass a list of merchants into the query? I could probably get the performance using a union all, but the list of merchants is variable, and could be anywhere between 1 or 2 to several 100, so that makes that a bit unworkable.Across the two merchants_id's there are about 42K rows (this is in test, on Prod there could be several million). In the first query example, Oracle can answer the query in about 4 logical IOs and without even doing a sort as it uses the index to scan and get the relevant rows in Oracle.
In the second case, I hoped it would pull 10 rows for each merchant_id and then sort the resulting 20 rows to find the top 10 ordered by transaction_date, but instead it is scanning far more rows than it needs to.
In my example, it takes 4 logical IOs to answer the first query, but ~ 170 to answer the second, while I think it is achievable in 8 or so. For example, this query does what I want, but it is not a feasible option due to how many merchant_id's I may have to deal with:
select /*+ gather_plan_statistics */ *
from
select *
from
select * from
select merchant_id, transaction_date
from payer_subscription ps
where ps.subscription_status = :i_subscription_status
and ps.merchant_id = :merchant_id
order by transaction_date desc
) where rownum <= :i_rowcount
union all
select * from
select merchant_id, transaction_date
from payer_subscription ps
where ps.subscription_status = :i_subscription_status
and ps.merchant_id = :merchant_id2
order by transaction_date desc
) where rownum <= :i_rowcount
) order by transaction_date desc
) where rownum <= :i_rowcount;
| Id | Operation | Name | Starts | E-Rows | A-Rows | A-Time | Buffers | OMem | 1Mem | Used-Mem |
| 0 | SELECT STATEMENT | | 1 | | 10 |00:00:00.01 | 6 | | | |
|* 1 | COUNT STOPKEY | | 1 | | 10 |00:00:00.01 | 6 | | | |
| 2 | VIEW | | 1 | 20 | 10 |00:00:00.01 | 6 | | | |
|* 3 | SORT ORDER BY STOPKEY | | 1 | 20 | 10 |00:00:00.01 | 6 | 2048 | 2048 | 2048 (0)|
| 4 | VIEW | | 1 | 20 | 20 |00:00:00.01 | 6 | | | |
| 5 | UNION-ALL | | 1 | | 20 |00:00:00.01 | 6 | | | |
|* 6 | COUNT STOPKEY | | 1 | | 10 |00:00:00.01 | 3 | | | |
| 7 | VIEW | | 1 | 100 | 10 |00:00:00.01 | 3 | | | |
|* 8 | INDEX RANGE SCAN DESCENDING| SODTEST2_IX | 1 | 100 | 10 |00:00:00.01 | 3 | | | |
|* 9 | COUNT STOPKEY | | 1 | | 10 |00:00:00.01 | 3 | | | |
| 10 | VIEW | | 1 | 11 | 10 |00:00:00.01 | 3 | | | |
|* 11 | INDEX RANGE SCAN DESCENDING| SODTEST2_IX | 1 | 100 | 10 |00:00:00.01 | 3 | | | |
---------------------------------------------------------------------------------------------------------------------------------------This UNION ALL query completes in 6 logical IOs - the original query I posted with 2 IDs takes 178 to return the same results. -
Can we hide filter in Search Master agreements standard top level query?
Hi Experts,
I have a requirement to hide flter in standard Search Master Agreements top level query. See below screen shot
I have an idea how to delete filter in query but when i have added that query to top level navigation i don't have any idea.
So i want to hide Business Unit & Region filter in Search Master Agreement query when it is in top level navigation.
If anyone have idea please share with me how to hide.
Thanks,
LavaHi Lava,
It is not a filter but this a Standard field which is coming from the Master Agreement.
So, you cannot hide or even delete any field.
But if it is a custom field you can hide it by inactivating the respective field in Extension Defination.
Please let me know if you need any assistance.
Thanks,
Raj. -
Top utilising Query in SQL server
Hi,
Is there any query to get the top utilization query of the day?Hi,
Top CPU utilizing query
--This might take some time to give result on busy systemselect top 10
sum(qs.total_worker_time) as total_cpu_time,
sum(qs.execution_count) as total_execution_count,
count(*) as number_of_statements,
t.text
from
sys.dm_exec_query_stats qs
cross apply sys.dm_exec_sql_text(qs.sql_handle) as t
group by t.text
order by sum(qs.total_worker_time) desc
For memory utilization there is no perfect way to find out if query has completed. but
sys.dm_exec_query_memory_grants would help you
SELECT mg.granted_memory_kb, mg.session_id, t.text, qp.query_plan
FROM sys.dm_exec_query_memory_grants AS mg
CROSS APPLY sys.dm_exec_sql_text(mg.sql_handle) AS t
CROSS APPLY sys.dm_exec_query_plan(mg.plan_handle) AS qp
ORDER BY 1 DESC OPTION (MAXDOP 1)
Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it.
My TechNet Wiki Articles -
what happened to this command in the new IOS 15.1(1) with flexflow;
sh ip flow top-talkers...
Thanks,
SinanHi Maicon,
Under "ip flow-top-talkers", you need to configure "sort-by" as it's required to run top-talkers command.
Yoong Seong -
"show ip flow top-talkers" output question
Hello all,
I have a question about the "show ip flow top-talkers" command. The top enry for this 1841 router with a T1 connection is always this line:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se0/1/0 64.32.253.138 Local 71.16.240.14 32 6EB0 306B 2366K
How do I get more information about this connection? I looked at ip protocol 32 and it says it is the MERIT Internodal Protocol. Also what does the bytes field mean? Is that bytes per second or per "flow"?Hello,
protocol is 0x32 (in hex) = 50 (dec). This protocol is ESP. I assume, this flow is an IPSEC tunnel.
The endpoint is your device (regarding to dest interface = local). The "Bytes" field means number of
bytes in the flow. It is not releated to bytes/sec. Please, feel free to contact me if you need more
information.
Kind regards,
Jan Nejman
Caligare, co.
http://www.caligare.com/ -
Hi,
I want to show top 3 salary records from emp table and I am using below query in oracle * plus. However I am getting an error saying, "FROM keyword not found where expected". I am not getting what mistake I am doing while writing this query. Can someone plz advice?
Query:
Select top 3 sal from emp;
Thanks in advance.Hi,
In Oracle, there is no TOP keyword. The usual way to do a top-N query in Oracle is to use an analytic function, such as RANK:
WITH got_r_num AS
SELECT sal
, ename, empno, ... -- whatever columns you want
, RANK () OVER (ORDER BY sal DESC) AS r_num
FROM scott.emp
SELECT sal
, ename, empno, ... -- if wanted
, r_num -- if wanted
FROM got_r_num
WHERE r_num <= 3
ORDER BY sal
;Depending on how you want to handle ties, ypu may want to add tie-breaking columns to the end of the analytic ORDER BY clause, and/or use ROW_NUMBER instead of RANK. -
How to find top utilized query for last two months in oem
how to find top utilized query for last two months in oracle enterprise manager?
Can you mark the thread as Helpful and once marked the information can be reviewed by other customer for similar queries
Regards
Krishnan
Maybe you are looking for
-
Placeing douments in to enterprise portal
hi, i have one requirement. i have documents in my desktop. i want to display all the documents in enterprise portal. i created folder,while uploading i am getting this message You can upload a file to the repository from your computer. Click "Show P
-
Cannot re-install or uninstall itunes
had a hard drive problem, new one installed, everything working except itunes. my library is intact, but itunes won't open. get error message "Problem with Shortcut - This action is only valid for products that are currently installed". This is after
-
Anyone Seen this Message Before "Configuration changes for domain saved to the repository."
I'm running into this situation where one of my WLS servers is generating the following messages "Configuration changes for domain saved to the repository." This process of saving to a repository is causing an issue on start-up. Typically my deployme
-
DVD Camcorder, anyone sucessfully able to import into to IDVD, I
purchased the Panasonic VDR D220 and while an excellent camera in everything a camera should do it would not let me drag and drop to IDVD. Panasonic tech told me I needed "video arranger" but she had no idea where it was or even if it was a download.
-
How do i get the daily manager to stop printing
apparently when i set up my new printer i accidentally requested the "daily manager" to print. But i don't want this to print. how do I stop it.