10-06-2007 02:42 AM - edited 03-09-2019 06:58 PM
We have a VPN from a Cisco 877 to a Concentrator. I notice every day the CPU and bandwidth on the 877 is high at 8am-10am. Can I see what PC or type of traffic is doing this on the 877?
10-08-2007 02:12 PM
I couldn't see an option to do that, I'll have a look tomorrow as I don't have the website in front of me.
10-08-2007 11:52 PM
Bingo, I just added the router (which was already there in Device Group Management) and I see stats, however I have a few questions.
The NBAR MIB support says unknown, and for some reason I have 2 interfaces, Ifindex16 (Out traffic) and Ifindex5 (In traffic).
How do I see a table of who is doing what, like the command "show ip cache flow"?
11-27-2007 07:10 AM
Andy,
You see two interfaces because traffic is flowing from the Ethernet interface to the Dialer interface.
You see this in the "sh ip cache flow" output:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et0 172.19.10.17 Di1 192.168.101.1 06 05B5 0401 2
- ie, traffic is flowing from 172.19.10.17 on Eth0 to 192.168.101.1 on Dialer1.
The "sh ip cache flow" output also answers your "who is doing what" question, since it shows the protocol and src/dst ports.
eg, looking at the output you posted before, it's all Protocol 6 (TCP) and much of it is to port 0A26 (ie, 2598 decimal) - so it's probably Citrix traffic with session reliability enabled.
Going back to your original issue: to discover what's causing high bandwidth, configure netflow and use the "sh ip flow top ..." command to see what's going on.
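An added example, not part of the original replies: a small Python parser for pasted "sh ip cache flow" rows that decodes the hexadecimal Pr, SrcP and DstP columns and totals packets per source host, protocol and destination port. It assumes the eight-column layout quoted above; only the first sample row comes from the thread, the rest are constructed.

```python
import re
from collections import Counter

# Constructed sample in the column layout quoted in the post above. Only the
# first data row comes from the thread; the other rows are made up.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Et0 172.19.10.17 Di1 192.168.101.1 06 05B5 0401 2
Et0 172.19.10.23 Di1 192.168.101.9 06 0C11 0A26 4100
Et0 172.19.10.23 Di1 192.168.101.9 06 0C12 0A26 950
Et0 172.19.10.40 Di1 192.168.101.5 11 D431 0035 12
"""

# IP protocol numbers (the Pr column is hexadecimal, so 11 means 17 = UDP).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

ROW = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)

def parse_flows(text):
    """Return one dict per flow row; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src_if, src, dst_if, dst, pr, sp, dp, pkts = m.groups()
        proto = int(pr, 16)
        flows.append({
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": int(sp, 16), "dport": int(dp, 16), "pkts": int(pkts),
        })
    return flows

def top_talkers(flows, n=3):
    """Sum packets per (source IP, protocol, destination port), largest first."""
    totals = Counter()
    for f in flows:
        totals[(f["src"], f["proto"], f["dport"])] += f["pkts"]
    return totals.most_common(n)

if __name__ == "__main__":
    for (src, proto, dport), pkts in top_talkers(parse_flows(SAMPLE)):
        print(f"{src:15} {proto:4} dport {dport:<5} {pkts} pkts")
```

The totals are packet counts, since that is the only volume column in this output, so a host sending many small packets can rank above one moving more bytes.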
11-27-2007 09:21 AM
Can I use this to capture traffic flow from an ASA?