[c-nsp] Netflow output in hex or decimal

Rodney Dunn rodunn at cisco.com
Fri Mar 25 10:48:09 EST 2005


Based on the feedback both on and off list the
direction that we are taking is this:

a) make a config command that allows the user to set
   what mode they would be in for the command: hex or decimal
b) also add an extension to the existing 'sh ip cache flow' command
   to display it in decimal
c) leave the default in hex to minimize disruption in the field

Rodney

On Fri, Mar 25, 2005 at 02:31:45PM +0200, Kim Onnel wrote:
> it is much preferable for the naked eye in decimal, it's even easier
> for scripts to read them in decimal, no need for conversion, I guess
> if that will take much processing off the switch, then it's better off
> on the scripts side (PCs have more CPU),
> 
> What exactly is the diff. between: sh ip cache flow and sh mls netflow ip ?
> 
> I'd like to know what are known Regex(tricks) to be used on the CLI
> for common administrative purposes(spot DoS), Spot Worms, spot VoIP ?
> 
> Netflow is great, in my opinion needs more publicity and more documents, 
> 
> One last thing came to my notice the other day, I would say that once
> netflow is well known, there will be an increasing amount of interest
> from 'crackers' to get access to cisco, because it facilitates looking
> at who is doing what,
> 
> sh mls netflow ip source|dest x.x.x.x  will show me what this ip is
> doing, for example
> 
> 7600#sh mls netflow ip source x.x.x.x nowrap
> 
> Displaying Netflow entries in Supervisor Earl
> 
> DstIP           SrcIP           Prot:SrcPort:DstPort  Src i/f         :AdjPtr     Pkts         Bytes      Age    LastSeen   Attributes
> ------------------------------------------------------------------------------------------------------------------------------------------
> x.x.x.x   x.x.x.x tcp :1443   :telnet   Gi5/1            :0x0    0           0             7     14:29:31   L3 - Dynamic
> 
> 
> As you can see, that is a lot of information, it says this user is doing
> telnet to that host, so everyone should go and on their AAA server
> limit access to this command, or maybe cisco has a new feature under
> their sleeves.
> 
> Thank you Rodney for asking
> 
> Regards
> 
> 
> On Thu, 24 Mar 2005 10:54:06 -0500, Rodney Dunn <rodunn at cisco.com> wrote:
> > 'sh ip cache flow' shows port number information in
> > hex.
> > 
> > We'd like to change that to decimal for easier consumption.
> > 
> > The pros:
> > easier reading
> > 
> > The cons:
> > no way to use the same command and have backwards
> > compatibility so people using some screen scraper
> > or scripts may have to change them
> > 
> > The other option is to add an extension to the
> > sh ip cache flow command with a decimal option but
> > then that leaves hex (which most people don't like)
> > as the default.
> > 
> > Which would you prefer?
> > 
> > Rodney
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
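
Added example, not part of the original thread or any Cisco tooling: a script-side parser for hex-mode 'sh ip cache flow' output that converts the port columns to decimal and takes the display mode as an explicit parameter, since a field such as `0017` is a valid number in both bases. The sample lines are constructed, and the column layout (Pr, SrcP and DstP as bare hex digits, with only the port radix changing in decimal mode) is an assumption.

```python
import re

# Constructed sample. Assumed layout: the classic 'sh ip cache flow' columns,
# with Pr, SrcP and DstP printed as hex digits without a 0x prefix.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi5/1         192.0.2.10      Gi5/2         198.51.100.7    06 05A3 0017     7
Gi5/1         192.0.2.11      Gi5/2         198.51.100.9    11 C350 0035     2
"""

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+(?:\.\d+){3})\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+(?:\.\d+){3})\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{1,5})\s+"
    r"(?P<dport>[0-9A-Fa-f]{1,5})\s+(?P<pkts>\S+)\s*$"
)

def to_port(field, base=16):
    """Convert one port column; base must match the router's display mode."""
    port = int(field, base)      # raises ValueError on e.g. '05A3' in base 10
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {field!r}")
    return port

def parse_flows(text, port_base=16):
    """Return one dict per flow line, with protocol and ports as integers."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m is None:            # header, blank line or summary text
            continue
        flows.append({
            "src_ip": m["src_ip"], "dst_ip": m["dst_ip"],
            "proto": int(m["proto"], 16),   # assumed to stay hex in either mode
            "sport": to_port(m["sport"], port_base),
            "dport": to_port(m["dport"], port_base),
            "pkts": m["pkts"],              # kept as text, not interpreted
        })
    return flows

if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f"{f['src_ip']}:{f['sport']} -> {f['dst_ip']}:{f['dport']} "
              f"proto {f['proto']}")
```

Read in the wrong base, `0017` silently becomes port 17 instead of 23 (telnet), which is the backwards-compatibility risk for existing scrapers if the default display mode changes.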