[nsp] NBAR question
Mark Persiko
mark.persiko at bvsd.k12.co.us
Mon Mar 3 09:02:33 EST 2003
Another product you can use is Packeteer PacketShaper, which
shows egress/ingress protocols and lets you set bandwidth
allocations or blocks for types of traffic. This might be
more efficient than the CPU cost of NBAR in software, depending
on the router you use.
Thanks,
Mark
- Mark C. Persiko, Network Engineer
- IT Division, Boulder Valley School District
- mark.persiko at bvsd.k12.co.us
-----Original Message-----
From: Scott Morris [mailto:swm at emanon.com]
Sent: Monday, March 03, 2003 5:38 AM
To: 'Cisco Geek Rotation'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] NBAR question
It could be as simple as parts of protocols that aren't caught by the
signature. Such as passive FTP or something utilizing a high port.
*shrug*
If you really want to be sure of things, plug a sniffer into your line
and take a look at it "manually"!
Scott
-----Original Message-----
From: Cisco Geek Rotation [mailto:cisco at peakpeak.com]
Sent: Sunday, March 02, 2003 9:27 PM
To: swm at emanon.com; cisco-nsp at puck.nether.net
Subject: RE: [nsp] NBAR question
At 08:35 PM 3/2/2003 -0500, Scott Morris wrote:
>Wait for more signatures to get programmed into the IOS, or by adding a
>PDLM in your config!
>
>The more signatures to compare against, the more work you want your
>router to do!
>
>Scott
Sure, but looking at what all is in the list of protocols already when I
do
a show ip nbar proto interface <x> that list looks pretty
comprehensive. What other protocols are likely to be happening that are
missing from that list?
Chris
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Cisco Geek
>Rotation
>Sent: Sunday, March 02, 2003 12:22 PM
>To: cisco-nsp at puck.nether.net
>Subject: [nsp] NBAR question
>
>
>I've been putting ip nbar protocol-discovery on egress interfaces as a
>way of seeing what kinds of traffic are traversing the WAN links.
>
>What I've noticed even on very late revisions of IOS (a month old) is
>that the "unknown" category always seems to have more traffic than
>anything else
>(853Kbps here which oeverwhelms the traffic of anything else). It's as
>though NBAR can't classify a lot of the traffic. Any ideas how to get
>NBAR
>to more carefully detail what the traffic is?
>
>#show ip nbar proto int fastether4/0/0
>
> FastEthernet4/0/0
> Input Output
> Protocol Packet Count Packet Count
> Byte Count Byte Count
> 30 second bit rate (bps) 30 second bit
>rate
>(bps)
> ------------------------ ------------------------
>------------------------
> fasttrack 458 1200
> 27480 1582200
> 3000 123000
> http 1218 2617
> 543204 546493
> 50000 33000
> gnutella 386 1120
> 135542 349589
> 13000 33000
> icmp 51 62
> 9026 6752
> 2000 1000
> smtp 26 69
> 6167 7032
> 3000 0
>
>
><snip>
>
> unknown 2052 11682
> 758973 7760912
> 88000 853000
> Total 4529 17380
> 1546650 10359269
> 165000 1045000
>
>
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>http://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list