RE: NBAR and Netbios

From: Charles Church (cchurch@wamnet.com)
Date: Fri May 09 2003 - 21:24:23 GMT-3

• Next message: Charles Church: "RE: Eigrp bandwidth requirements"
• Previous message: CCIEStudy: "Re: Port security"
• Maybe in reply to: Anthony Pace: "NBAR and Netbios"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Anthony,

        I think there's a couple possible reasons. Could it be asymmetric routing,
due to HSRP or something else? Otherwise, it's probably NBAR not detecting
the Netbios in both directions because of the use of dynamic ports. NBAR
really only looks at ports, and only considers TCP 135, 137, and 139 (I
think those are the ones) as Netbios. NBAR does look at some layer 5 info
for some protocols (http, kazaa2, citrix), but not for most.

Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 585-233-2706
cchurch@wamnet.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Anthony Pace
Sent: Friday, May 09, 2003 2:21 PM
To: ccielab@groupstudy.com; nobody@groupstudy.com
Subject: NBAR and Netbios

On all the router interfaces I have enabled NBAR on, I only see NETBIOS
traffic going into the interface but no Netbios going out. I understand
that some Netbios/IP is broadcasts which will not be propogated, but alot
of should be unicasts which I would expect to see IN and OUT bytes. DOes
anyone have any insights into this?

Anthony Pace

FastEthernet2/0
                            Input Output
   Protocol Packet Count Packet Count
                            Byte Count Byte Count
                            5 minute bit rate (bps) 5 minute bit rate
                            (bps)
   ------------------------ ------------------------
   ------------------------
   snmp 62379 66897
                            5593740 5740531
                            0 0
   http 11493 7448
                            8388659 1715467
                            0 0
   netbios 67998 0
                            9930903 0
                            0 0
   dhcp 10598 0
                            3457856 0
                            0 0
   icmp 8185 5196

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
FastEthernet2/1
                            Input Output
   Protocol Packet Count Packet Count
                            Byte Count Byte Count
                            5 minute bit rate (bps) 5 minute bit rate
                            (bps)
   ------------------------ ------------------------
   ------------------------
   snmp 160660 62369
                            13413785 5592915
                            0 0
   http 9066 10071
                            1846833 8169989
                            0 0
   netbios 12137 0
                            1663597 0
                            0 0
   icmp 7755 2578
                            750789 231383
                            0 0
   secure-http 669 708
                            122257 502288
                            0 0

--
--
  Anthony Pace
  anthonypace@fastmail.fm
--
http://www.fastmail.fm - Does exactly what it says on the tin

• Next message: Charles Church: "RE: Eigrp bandwidth requirements"
• Previous message: CCIEStudy: "Re: Port security"
• Maybe in reply to: Anthony Pace: "NBAR and Netbios"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3