Sunday, 18 March 2007

Cisco's show ip cache flow

Just discovered this command. It's a powerful command where you can see the statistics of all TCP, UDP, ICMP and other packets flowing in and out of the switch or router. I am going to use this command more for forensics and for detecting DoS or exploit attempts.

#show ip cache flow
IP packet size distribution (4401773 total packets):
 1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
 .003 .818 .060 .031 .006 .015 .000 .005 .000 .000 .005 .000 .000 .000 .000

  512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
 .000 .000 .020 .003 .023 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
13 active, 65523 inactive, 164081 added
2848812 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 336520 bytes
0 active, 16384 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec       /Flow     /Flow
TCP-Telnet         407      0.0        90    52      0.0        87.4      12.6
TCP-FTP             55      0.0         4    66      0.0         4.3      16.2
TCP-FTPD            22      0.0     19673    41      0.1      1397.2       7.4
TCP-WWW           3035      0.0       122    58      0.1         5.9      11.8
TCP-SMTP             6      0.0         1    44      0.0         0.0      15.3
TCP-X                6      0.0         1    44      0.0         0.0      15.5
TCP-BGP              6      0.0         1    44      0.0         0.0      15.9
TCP-NNTP             6      0.0         1    44      0.0         0.0      15.3
TCP-Frag             2      0.0         1    20      0.0         0.0      15.7
TCP-other        36728      0.0        85    84      1.0         4.4       6.8
UDP-DNS            708      0.0         1    67      0.0         0.7      15.4
UDP-NTP          44960      0.0         1    75      0.0         0.0      15.5
UDP-TFTP             5      0.0         1    28      0.0         0.0      15.6
UDP-Frag             1      0.0         1    20      0.0         0.0      15.7
UDP-other        45541      0.0         6   446      0.0         0.7      15.4
ICMP             27856      0.0         2    56      0.0        11.3      15.5
IGMP                18      0.0         2    20      0.0         0.7      15.4
IPINIP              17      0.0         2    20      0.0         1.1      15.4
IPv6INIP            18      0.0         2    20      0.0         1.7      15.5
GRE                 20      0.0         1    20      0.0         0.2      15.4
IP-other          4653      0.0         1    20      0.0         0.5      15.5
Total:          164070      0.0        26   100      1.4         3.4      13.4

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.208.63  Null          192.168.131.10  A2 0000 0000     8
Gi0/0         192.168.208.63  Null          192.168.131.10  E8 0000 0000     5
Gi0/0         192.168.208.63  Gi0/0         10.82.209.27    06 0016 0EAD    29
Gi0/0         192.168.208.63  Gi0/0         10.82.209.27    06 0016 0EAC    99
Gi0/0         192.168.208.63  Null          192.168.131.10  4D 0000 0000     8
Gi0/0         192.168.208.63  Null          192.168.131.10  51 0000 0000     6
Gi0/0         192.168.208.63  Null          192.168.131.10  59 0000 0000     7
Gi0/0         192.168.208.63  Null          192.168.131.10  65 0000 0000     6

Note the SrcP and DstP fields: they are port numbers, but printed in hexadecimal, so you have to convert them to decimal before comparing them with the usual port lists. The Pr (IP protocol number) column is hexadecimal as well.
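As an added example (not part of the original post), a small Python parser for flow rows like the ones above: it does the hex-to-decimal conversion for the protocol and port columns and then counts how many distinct IP protocols each source/destination pair used. The sample rows are constructed from the output shown above, and the protocol-name table only covers a few common numbers.

```python
from collections import defaultdict

# Constructed sample: the flow-cache rows shown in the post, embedded inline.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/0 192.168.208.63 Null 192.168.131.10 A2 0000 0000 8
Gi0/0 192.168.208.63 Null 192.168.131.10 E8 0000 0000 5
Gi0/0 192.168.208.63 Gi0/0 10.82.209.27 06 0016 0EAD 29
Gi0/0 192.168.208.63 Gi0/0 10.82.209.27 06 0016 0EAC 99
Gi0/0 192.168.208.63 Null 192.168.131.10 4D 0000 0000 8
Gi0/0 192.168.208.63 Null 192.168.131.10 51 0000 0000 6
Gi0/0 192.168.208.63 Null 192.168.131.10 59 0000 0000 7
Gi0/0 192.168.208.63 Null 192.168.131.10 65 0000 0000 6
"""

# IANA protocol numbers for the common cases; anything else is kept numeric.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}

def parse_flows(text):
    """Parse flow rows into dicts; Pr, SrcP and DstP are hex in the CLI output."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue  # skip the header and anything that is not a flow row
        proto = int(f[4], 16)
        flows.append({
            "src_if": f[0], "src": f[1], "dst_if": f[2], "dst": f[3],
            "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "sport": int(f[5], 16), "dport": int(f[6], 16), "pkts": int(f[7]),
        })
    return flows

def protocols_per_pair(flows):
    """Count distinct IP protocol numbers per (src, dst) pair. Many different
    protocols from one source to one host, with no ports, is one pattern an
    analyst reviewing this output would want to look at more closely."""
    seen = defaultdict(set)
    for fl in flows:
        seen[(fl["src"], fl["dst"])].add(fl["proto"])
    return {pair: len(protos) for pair, protos in seen.items()}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for fl in flows:
        print(f"{fl['src']}:{fl['sport']} -> {fl['dst']}:{fl['dport']} "
              f"{fl['proto_name']} pkts={fl['pkts']}")
    for (src, dst), n in protocols_per_pair(flows).items():
        print(f"{src} -> {dst}: {n} distinct IP protocol(s)")
```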
