Sunday, March 18, 2007

Cisco's show ip cache flow

I just discovered this command. It is a powerful one: it shows statistics for all the TCP, UDP, ICMP and other traffic the router or switch has forwarded through its NetFlow cache, broken down by packet size, by protocol and by individual flow. I am going to use it more for forensics and for spotting DoS attempts, port and protocol scans, and exploit attempts. One caveat: NetFlow only accounts for traffic on interfaces where it has been enabled (ip route-cache flow, or ip flow ingress on newer IOS), so an empty cache may simply mean the interface you care about is not being watched.

#show ip cache flow
IP packet size distribution (4401773 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .003 .818 .060 .031 .006 .015 .000 .005 .000 .000 .005 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .020 .003 .023 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
13 active, 65523 inactive, 164081 added
2848812 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 336520 bytes
0 active, 16384 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet         407      0.0        90    52      0.0      87.4      12.6
TCP-FTP             55      0.0         4    66      0.0       4.3      16.2
TCP-FTPD            22      0.0     19673    41      0.1    1397.2       7.4
TCP-WWW           3035      0.0       122    58      0.1       5.9      11.8
TCP-SMTP             6      0.0         1    44      0.0       0.0      15.3
TCP-X                6      0.0         1    44      0.0       0.0      15.5
TCP-BGP              6      0.0         1    44      0.0       0.0      15.9
TCP-NNTP             6      0.0         1    44      0.0       0.0      15.3
TCP-Frag             2      0.0         1    20      0.0       0.0      15.7
TCP-other        36728      0.0        85    84      1.0       4.4       6.8
UDP-DNS            708      0.0         1    67      0.0       0.7      15.4
UDP-NTP          44960      0.0         1    75      0.0       0.0      15.5
UDP-TFTP             5      0.0         1    28      0.0       0.0      15.6
UDP-Frag             1      0.0         1    20      0.0       0.0      15.7
UDP-other        45541      0.0         6   446      0.0       0.7      15.4
ICMP             27856      0.0         2    56      0.0      11.3      15.5
IGMP                18      0.0         2    20      0.0       0.7      15.4
IPINIP              17      0.0         2    20      0.0       1.1      15.4
IPv6INIP            18      0.0         2    20      0.0       1.7      15.5
GRE                 20      0.0         1    20      0.0       0.2      15.4
IP-other          4653      0.0         1    20      0.0       0.5      15.5
Total:          164070      0.0        26   100      1.4       3.4      13.4

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.208.63  Null          192.168.131.10  A2 0000 0000     8
Gi0/0         192.168.208.63  Null          192.168.131.10  E8 0000 0000     5
Gi0/0         192.168.208.63  Gi0/0         10.82.209.27    06 0016 0EAD    29
Gi0/0         192.168.208.63  Gi0/0         10.82.209.27    06 0016 0EAC    99
Gi0/0         192.168.208.63  Null          192.168.131.10  4D 0000 0000     8
Gi0/0         192.168.208.63  Null          192.168.131.10  51 0000 0000     6
Gi0/0         192.168.208.63  Null          192.168.131.10  59 0000 0000     7
Gi0/0         192.168.208.63  Null          192.168.131.10  65 0000 0000     6

Note the Pr, SrcP and DstP columns: they are the IP protocol number and the source and destination ports, all in hex, so you have to convert them. Pr 06 is TCP, 11 is UDP and 01 is ICMP; SrcP 0016 is port 22 (SSH) and DstP 0EAD is 3757. Ports are only meaningful for TCP and UDP; for other protocols they show as 0000. A Null value in DstIf means the router sent the packet to the Null interface, i.e. it was dropped. The cache above shows 192.168.208.63 sending a few packets each of six different IP protocols (A2, E8, 4D, 51, 59, 65) at 192.168.131.10, which is the kind of pattern an IP protocol scan leaves behind and is worth a second look. For the TCP flags and ToS of each flow use show ip cache verbose flow, and use clear ip flow stats to reset the counters before a measurement.
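The hex conversion and the triage described above, as an added example that is not part of the original post: a small Python script that parses the per-flow table of show ip cache flow, decodes the protocol and port fields, and applies two simple heuristics a responder would run over the cache. The flow lines it parses are the ones from the output above; the field names, the scan threshold and the blackhole check are my own choices, not something Cisco provides.

```python
"""Decode the per-flow lines of Cisco's `show ip cache flow` output.

Parses the table (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts),
converts the hex protocol and port fields to decimal, and flags two things:
one source touching many distinct IP protocols or destination ports on a
single host (scan-like), and flows that were sent to the Null interface
(dropped by the router).  Threshold and field names are assumptions made
for this example.
"""
from collections import defaultdict

# IANA protocol numbers for the values that matter most in a triage view.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
               50: "ESP", 89: "OSPF"}

# Flow-record lines copied from the `show ip cache flow` output above.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/0 192.168.208.63 Null 192.168.131.10 A2 0000 0000 8
Gi0/0 192.168.208.63 Null 192.168.131.10 E8 0000 0000 5
Gi0/0 192.168.208.63 Gi0/0 10.82.209.27 06 0016 0EAD 29
Gi0/0 192.168.208.63 Gi0/0 10.82.209.27 06 0016 0EAC 99
Gi0/0 192.168.208.63 Null 192.168.131.10 4D 0000 0000 8
Gi0/0 192.168.208.63 Null 192.168.131.10 51 0000 0000 6
Gi0/0 192.168.208.63 Null 192.168.131.10 59 0000 0000 7
Gi0/0 192.168.208.63 Null 192.168.131.10 65 0000 0000 6
"""


def parse_flows(text):
    """Return one dict per flow line, with the hex fields decoded to ints."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue  # skip the header and anything that is not a flow record
        src_if, src_ip, dst_if, dst_ip, pr, sp, dp, pkts = parts
        proto = int(pr, 16)
        flows.append({
            "src_if": src_if, "src": src_ip, "dst_if": dst_if, "dst": dst_ip,
            "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "sport": int(sp, 16), "dport": int(dp, 16), "pkts": int(pkts),
        })
    return flows


def scan_candidates(flows, min_distinct=4):
    """Group flows by (src, dst) and return pairs touching >= min_distinct targets.

    For TCP/UDP the distinct key is the destination port (port sweep); for
    every other protocol it is the IP protocol number (protocol sweep).  A
    protocol scan shows up as one pair with many protocol numbers and only a
    handful of packets each.  min_distinct=4 is an arbitrary starting point.
    """
    seen = defaultdict(set)
    for f in flows:
        key = (f["src"], f["dst"])
        if f["proto"] in (6, 17):
            seen[key].add(("port", f["dport"]))
        else:
            seen[key].add(("proto", f["proto"]))
    return {pair: sorted(v) for pair, v in seen.items() if len(v) >= min_distinct}


def blackholed(flows):
    """Flows whose output interface is Null: the router dropped the packets."""
    return [f for f in flows if f["dst_if"] == "Null"]


if __name__ == "__main__":
    fl = parse_flows(SAMPLE)
    for f in fl:
        print(f"{f['src']} -> {f['dst']} {f['proto_name']} "
              f"{f['sport']}->{f['dport']} pkts={f['pkts']}")
    print("scan-like pairs:", scan_candidates(fl))
    print("blackholed flows:", len(blackholed(fl)))
```

Run against the rows above it decodes the two TCP flows as source port 22 to ports 3757 and 3756, and reports the 192.168.208.63 to 192.168.131.10 pair as scan-like with six distinct protocol numbers, all six of those flows having been dropped to Null. To use it on a live box, paste the flow section of show ip cache flow in place of SAMPLE; the header line is skipped automatically.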

11 comments:

Anonymous said...

Can anyone recommend a well-priced patch management program for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central help desk software? What is your best take on cost vs. performance among those three? I need some good advice please... Thanks in advance!

washington court hotel dc said...

VERY pretty. I care for such information much. I was looking for this certain information for a long time. Anyway, thanks for sharing.

Anonymous said...

Do you have a spam problem on this website; I also am a blogger, and I was wondering
about your situation; many of us have developed some nice methods and we are looking to swap solutions with others, why not shoot me an e-mail if you're interested.

Also visit my web-site: How to Golf

Anonymous said...

Really decent blog post on Blogger: Taking Network Security to the Streets...
Carry on posting...

Also visit my web site :: Toenail Fungus

Anonymous said...

Great!
Credit for your insights on the article Blogger: Taking Network Security to the Streets.
They are actually really handy... I really enjoyed checking your article.

Feel free to surf to my page: pro-vehicleapp.com

Anonymous said...

Wow that was odd. I just wrote an incredibly long comment but after I clicked submit my comment didn't appear. Sucks! Anyhow, just wanted to say excellent blog!
My wife and I often write guest posts for other website owners to help gain exposure to our work, as well as provide superb content to blog owners. It really is a win-win situation! If you're interested, feel free to e-mail me so we can discuss this further. Kudos!


Also visit my webpage :: Desktop Gadgets

Anonymous said...

Greetings!
I really like your opinions. Good piece of work on the design features on your site.
Cheers

Visit my web-site: Shooting Games

Anonymous said...

Does your blog have a contact page? I'm having trouble locating it but, I'd like to send you an email.

I've got some suggestions for your blog you might be interested in hearing. Either way, great website and I look forward to seeing it improve over time.

Feel free to surf to my site :: How to Golf App
My website: How to Golf App

Anonymous said...

Howdy,
Are you using Twitter? I'd like to follow you but couldn't find the link!


Also visit my webpage :: vehicle app
My page > vehicle app

Anonymous said...

Wow.
Well done for your information on the content Blogger: Taking Network Security to the Streets.

They could be extremely effective... I enjoyed reading your write-up.


My blog - Beginners Golf Putting

Anonymous said...

With having so much content do you ever run into any issues of plagiarism or copyright infringement?
My website has a lot of unique content I've either authored myself or outsourced, but it appears a lot of it is popping up all over the web without my agreement. Do you know any methods to help reduce content from being stolen? I'd truly appreciate it.

Also visit my website iPad Golf