Hi experts,
I am currently using Flexible NetFlow to do quick analyses concerning top talkers on WAN routers.
My config looks like this:
flow record FLOW
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect application name
flow monitor MON
 record FLOW
 cache timeout inactive 3600
 cache timeout active 3600
interface Tunnel1
 ip flow monitor MON input
 ip flow monitor MON output
I am using the following command to display the top 50 talkers:
show flow monitor MON cache aggregate ipv4 source address ipv4 destination address ipv4 protocol transport source-port transport destination-port collect application name counter bytes sort counter bytes top 50
This output gives me the data which is currently in my local cache = the flows which are not yet exported.
I understand that
- active flows are "cut" into separate flows after the configured timer of 3600 seconds
- inactive flows are timed out after 3600 seconds as well
In both cases the flows remain in my local cache for at least 3600 seconds.
My question: What happens with flows which are terminated regularly, e.g. by capturing a TCP FIN flag? Are these flows immediately cleared from my cache? Can I somehow influence the behaviour to force the router to keep terminated flows in the cache for some time?