Thursday, May 21, 2009

Top Talkers

Ever wonder who's hogging your WAN service within the LAN? You can fire up your favorite Network Analyzer or Sniffer to find that out or you can go the easiest way by using the built-in feature in Cisco IOS.

Before we dive into that, a common way to find out whether your WAN service is being heavily utilized is to issue the command show int s0/0, or whatever your serial interface number is. I am only going to show part of the output, since there's only one line that you really need. Below is the output of the command:

Serial0/0 is up, line protocol is up
  Hardware is GT96K with integrated T1 CSU/DSU
  Internet address is x.x.x.x/30
  MTU 1500 bytes, BW 512 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 248/255


If you look at the txload, the value is only 1, while the rxload is 248. When there's no traffic passing, or very minimal traffic, the value will be 1/255. Once it gets to a 2xx value, that means the router is transferring lots of data and is usually hogging up your allowed bandwidth. Without QoS, you're probably going to see lots of packets being dropped. Usually with Frame Relay, you'll start to see packets being dropped, especially if your CIR (Committed Information Rate) is below your port speed (usually to save $$$). We're not going to talk about QoS and CIR in this post.

Let's get back to the topic, shall we? So how do you configure the router to take advantage of the built-in feature? Issue the commands below:

ip flow-top-talkers
 top 10
 sort-by bytes


So once configured, how do we use it? Well, there's only one command that you're going to use which is the show ip flow top-talkers. Below is the sample output from it:

Router#sh ip flow top-talkers

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Gi0/0.1       1.1.1.1         Null          2.2.2.2         11 E658 A99E   11M
Gi0/0.1       x.x.x.x         Null          x.x.x.x         11 E65A AA34 5733K
Gi0/0.1       x.x.x.x         Null          x.x.x.x         11 E657 7341 4062K
BV1           x.x.x.x         Se0/0/0.250   x.x.x.x         06 9E98 F10C   10K
Se0/0/0.250   x.x.x.x         Local         x.x.x.x         06 053C 0016  3444
Se0/0/0.250   x.x.x.x         BV1           x.x.x.x         06 F10C 9E98   772
Gi0/0.2       x.x.x.x         Null          x.x.x.x         11 008A 008A   229
Gi0/0.2       x.x.x.x         Null          x.x.x.x         11 008A 008A   229
BV1           x.x.x.x         Null          x.x.x.x         11 008A 008A   229
BV1           x.x.x.x         Null          x.x.x.x         11 008A 008A   229
10 of 10 top talkers shown. 16 flows processed.


Pretty neat, right? This will definitely give you an idea of which IP addresses are the top talkers/chatters in your network. You may then want to fire up your favorite sniffer application to see what kind of traffic it is, and start reporting it to their immediate supervisor, especially if it is non-work-related traffic! =)
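The Pr, SrcP and DstP columns in that output are hexadecimal (11 is UDP, 06 is TCP, 0016 is port 22, 008A is port 138), which is easy to misread when triaging. The Python below is an added example, not part of the original post: it parses saved top-talkers output into decoded flows and totals bytes per source address. The sample text is constructed with documentation addresses, the function names are hypothetical, and treating the K and M suffixes as decimal multipliers is an assumption.

```python
import re

# Constructed sample modelled on the output above (documentation address ranges).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Gi0/0.1       192.0.2.10      Null          198.51.100.7    11 E658 A99E   11M
BV1           192.0.2.20      Se0/0/0.250   198.51.100.9    06 9E98 F10C   10K
Se0/0/0.250   198.51.100.9    Local         192.0.2.1       06 053C 0016  3444
Gi0/0.2       192.0.2.30      Null          192.0.2.255     11 008A 008A   229
4 of 10 top talkers shown. 4 flows processed.
"""

PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
# Assumption: K and M are decimal multipliers; suffixed values are rounded by the router.
SUFFIX = {"K": 1_000, "M": 1_000_000}
ROW = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+(?P<bytes>\d+)(?P<unit>[KM]?)\s*$"
)

def parse_top_talkers(text):
    """Return one dict per flow row; header, summary and prompt lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto = int(m["pr"], 16)  # protocol number is printed in hex
        flows.append({
            "src_if": m["src_if"], "src_ip": m["src_ip"],
            "dst_if": m["dst_if"], "dst_ip": m["dst_ip"],
            "proto": PROTOCOLS.get(proto, str(proto)),
            "src_port": int(m["sp"], 16), "dst_port": int(m["dp"], 16),
            "bytes": int(m["bytes"]) * SUFFIX.get(m["unit"], 1),
        })
    return flows

def bytes_by_source(flows):
    """Total bytes per source IP, largest first."""
    totals = {}
    for f in flows:
        totals[f["src_ip"]] = totals.get(f["src_ip"], 0) + f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

Rows with masked addresses such as x.x.x.x will not match the pattern, so feed it unredacted output captured from the router.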

I hope you learned something from this post. Have a nice day!

Written By: Andr01d
"I know nothing except the fact of my ignorance" - Socrates
