IP Flow Monitor
- IP flow records are data a network device exports about the flows passing through it; they do not contain the actual packet data, only a summary of the traffic.
Cisco Flow setup
- Enable flows with
ip flow-export destination 10.10.240.31 3121
- Source IP to use for the export records
ip flow-export source Loopback0
- Set the active flow cache timeout (global, in minutes) and enable flow caching on the interface
ip flow-cache timeout active 1
ip route-cache flow
- Display and filter example: grep out the IPs we don't want to see, keep flows that touch 10.90 and are UDP (protocol field $3 == 17), then drop source port 123 (NTP, field $4). Columns are flow-print's default layout: srcIP dstIP prot srcPort dstPort octets packets.
flow-cat ft-v05.2016-07* | flow-print | grep -v "10.100\|10.10.240\|10.67.0.8\|196.214.71.234\|10.100.81" | \
  awk '{ if ( ( $1 ~ /10.90/ || $2 ~ /10.90/ ) && $3 == "17" && $4 != "123" ) print $0 }'
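The same filter as a reusable shell function, added here as an example (it is not part of the original notes and not flow-tools code). It assumes flow-print's default column layout (srcIP dstIP prot srcPort dstPort octets packets) and runs on a constructed sample instead of a real flow-cat stream. It goes slightly beyond the one-liner above: address matching is plain string comparison, so a "." is never a regex wildcard and "10.100." cannot match anything outside 10.100/16; an exclude entry without a trailing dot must match the whole address (10.67.0.8 no longer also hides 10.67.0.80); and NTP is dropped on either port, not only the source port. The function name `filter_flows` and the network/exclude arguments are this example's own.

```sh
# Added example, not from the original notes or from flow-tools itself.
# Assumed column layout (flow-print default):
#   srcIP  dstIP  prot  srcPort  dstPort  octets  packets

# Constructed sample flows (not real data); the first line is the header.
SAMPLE_FLOWS='srcIP            dstIP            prot  srcPort  dstPort  octets      packets
10.90.1.5        8.8.8.8          17    53412    53       80          1
10.90.1.5        196.214.71.234   17    123      123      76          1
10.90.1.7        203.0.113.9      6     44312    443      1500        12
10.100.2.2       10.90.1.5        17    5000     5001     200         2
10.90.3.3        198.51.100.4     17    123      123      76          1
10.90.3.3        198.51.100.4     17    40000    5060     400         3
10.90.4.4        10.67.0.80       17    1000     2000     120         1'

# filter_flows [NET] [EXCLUDES]
#   Reads flow-print text on stdin and prints UDP flows (protocol 17) that
#   touch NET (prefix, default 10.90.), carry NTP on neither port, and
#   involve none of the EXCLUDES. EXCLUDES is a space-separated list:
#   an entry ending in "." is a prefix (10.100. matches 10.100.x.x only),
#   anything else must equal the whole address. Pass "" to exclude nothing.
#   Only plain string compares are used, so "." is never a regex wildcard.
#   The header line is dropped because its prot column is not 17.
filter_flows() {
    awk -v net="${1:-10.90.}" \
        -v exclude="${2-10.100. 10.10.240. 10.67.0.8 196.214.71.234}" '
    BEGIN { n = split(exclude, ex, " ") }
    # prefix(s, p): true when s starts with p (string compare, no regex)
    function prefix(s, p) { return substr(s, 1, length(p)) == p }
    # excluded(ip): true when ip matches any exclude entry
    function excluded(ip,   i) {
        for (i = 1; i <= n; i++) {
            if (ex[i] ~ /\.$/) { if (prefix(ip, ex[i])) return 1 }
            else if (ip == ex[i]) return 1
        }
        return 0
    }
    $3 == 17 && $4 != 123 && $5 != 123 &&
        (prefix($1, net) || prefix($2, net)) &&
        !excluded($1) && !excluded($2) { print }
    '
}

# filter_sample: run the filter over the constructed sample with defaults.
filter_sample() {
    printf '%s\n' "$SAMPLE_FLOWS" | filter_flows
}

# count_sample: number of sample flows that survive the default filter.
count_sample() {
    filter_sample | awk 'END { print NR }'
}

# Stand-alone run: prints the three surviving flows
# (10.90.1.5->8.8.8.8, 10.90.3.3->198.51.100.4 port 5060, 10.90.4.4->10.67.0.80).
filter_sample
```

On real data replace the printf with `flow-cat ft-v05.2016-07* | flow-print | filter_flows`; pass a different network or exclude list as the two arguments when the site changes instead of editing the regex.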
...