[nsp] NBAR question

Scott Morris swm at emanon.com
Mon Mar 3 07:37:50 EST 2003 

It could be as simple as parts of protocols that aren't caught by the
signature.  Such as passive FTP or something utilizing a high port.
*shrug*

If you really want to be sure of things, plug a sniffer into your line
and take a look at it "manually"!

Scott


-----Original Message-----
From: Cisco Geek Rotation [mailto:cisco at peakpeak.com] 
Sent: Sunday, March 02, 2003 9:27 PM
To: swm at emanon.com; cisco-nsp at puck.nether.net
Subject: RE: [nsp] NBAR question


At 08:35 PM 3/2/2003 -0500, Scott Morris wrote:
>Wait for more signatures to get programmed into the IOS, or by adding a

>PDLM in your config!
>
>The more signatures to compare against, the more work you want your 
>router to do!
>
>Scott


Sure, but looking at what all is in the list of protocols already when I
do 
a show ip nbar proto interface <x> that list looks pretty 
comprehensive.  What other protocols are likely to be happening that are

missing from that list?

Chris


>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net 
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Cisco Geek 
>Rotation
>Sent: Sunday, March 02, 2003 12:22 PM
>To: cisco-nsp at puck.nether.net
>Subject: [nsp] NBAR question
>
>
>I've been putting ip nbar protocol-discovery on egress interfaces as a 
>way of seeing what kinds of traffic are traversing the WAN links.
>
>What I've noticed even on very late revisions of IOS (a month old) is 
>that the "unknown" category always seems to have more traffic than 
>anything else
>(853Kbps here which oeverwhelms the traffic of anything else).  It's as
>though NBAR can't classify a lot of the traffic.  Any ideas how to get
>NBAR
>to more carefully detail what the traffic is?
>
>#show ip nbar proto int fastether4/0/0
>
>   FastEthernet4/0/0
>                              Input                    Output
>     Protocol                 Packet Count             Packet Count
>                              Byte Count               Byte Count
>                              30 second bit rate (bps) 30 second bit 
>rate
>(bps)
>     ------------------------ ------------------------
>------------------------
>     fasttrack                458                      1200
>                              27480                    1582200
>                              3000                     123000
>     http                     1218                     2617
>                              543204                   546493
>                              50000                    33000
>     gnutella                 386                      1120
>                              135542                   349589
>                              13000                    33000
>     icmp                     51                       62
>                              9026                     6752
>                              2000                     1000
>     smtp                     26                       69
>                              6167                     7032
>                              3000                     0
>
>
><snip>
>
>     unknown                  2052                     11682
>                              758973                   7760912
>                              88000                    853000
>     Total                    4529                     17380
>                              1546650                  10359269
>                              165000                   1045000
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>http://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list