Re: NBAR Not matching !

From: Bob Sinclair (bsin@cox.net)
Date: Sun Jun 05 2005 - 19:03:00 GMT-3


Piotr,

Best of luck to you in Brussels!

Regarding the telnet/HTTP issue, here is plain text from an Ethereal capture.
The result appears to depend somewhat on the telnet client. First, using
SecureCRT I telnetted to ubiqx.org at port 80. The packet below resulted from
the following command:

GET /cifs/NetBIOS.html HTTP/1.0

Here is the packet as Ethereal saw it:

No.  Time      Source        Destination      Protocol  Info
80   9.449376  172.16.2.100  194.164.181.231  HTTP      GET /cifs/NetBIOS.html HTTP/1.0

Frame 80 (87 bytes on wire, 87 bytes captured)
Ethernet II, Src: 00:0d:56:ac:97:40, Dst: 00:10:7b:82:11:b8
Internet Protocol, Src Addr: 172.16.2.100 (172.16.2.100), Dst Addr: 194.164.181.231 (194.164.181.231)
Transmission Control Protocol, Src Port: 4032 (4032), Dst Port: http (80), Seq: 1, Ack: 1, Len: 33
Hypertext Transfer Protocol
    GET /cifs/NetBIOS.html HTTP/1.0\r\n

Note it is a full 87 bytes, formatted as an HTTP request.

The packet above was sent using SecureCRT, and NBAR showed hits for the url.
Tried the same using just DOS command line telnet. It split the GET request
as HTTP in two successive packets, and NBAR does not appear to see it! As you
suggested in your earlier email, the router sends very small telnet packets -
one character per packet. While the HTTP server is apparently able to gather
them and decipher a request, NBAR is not.

HTH,

Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net

  ----- Original Message -----
  From: Piotr Jelonek
  To: Bob Sinclair
  Cc: Scott Morris ; 'CCIE' ; 'Group Study'
  Sent: Sunday, June 05, 2005 4:48 PM
  Subject: Re: NBAR Not matching !

  On Sun, Jun 05, 2005 at 04:28:57 -0400, Bob Sinclair wrote:
> I have been able to get NBAR to match against the following class-map:
>
> Class Map match-all CIF (id 3)
> Match protocol http url "*cifs*"
>
> by telnetting to ubiqx.org 80, followed by: GET /cifs/NetBIOS.html HTTP/1.0
> ENTER ENTER
>
> I noticed that a "drop" for this class seems to work inbound, but not outbound
> (for the GET). Any tips on testing NBAR HTTP matches via telnet for lab
> purposes?

  Hi All.

  Are you not losing something there?
  I think when you telnet to port 80 and type "GET ..." on your keyboard, it
  works totally differently than if you run your browser and request some address.

  If you telnet to port 80 and type "G" "E" "T" " " .... each character
  is sent in a separate packet. Just like I did (look at the length of each
  packet):

  ...
  *Mar 4 11:10:35.913: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
  *Mar 4 11:10:35.913: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
  *Mar 4 11:10:35.913: TCP src=11030, dst=80, seq=2273826937, ack=135567464, win=4128 ACK PSH
  *Mar 4 11:10:36.113: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
  *Mar 4 11:10:36.726: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
  *Mar 4 11:10:36.726: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
  *Mar 4 11:10:36.726: TCP src=11030, dst=80, seq=2273826938, ack=135567464, win=4128 ACK PSH
  *Mar 4 11:10:36.927: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
  *Mar 4 11:10:37.095: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
  *Mar 4 11:10:37.099: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
  *Mar 4 11:10:37.099: TCP src=11030, dst=80, seq=2273826939, ack=135567464, win=4128 ACK PSH
  *Mar 4 11:10:37.255: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
  *Mar 4 11:10:37.255: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
  *Mar 4 11:10:37.255: TCP src=11030, dst=80, seq=2273826940, ack=135567464, win=4128 ACK PSH
  *Mar 4 11:10:37.299: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
  *Mar 4 11:10:37.440: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
  *Mar 4 11:10:37.440: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
  ..

  Do you think that NBAR will gather packets in some buffer and check each request?
  I don't think so.

  If you run your browser and type in some address, then hit ENTER, your request
  is sent in one packet - now NBAR has something to look at.

  Do you agree with me?

  Regards,
  Piotr

  --
  piotr <at> jelonek <dot> info

  _______________________________________________________________________
  Subscription information may be found at:
  http://www.groupstudy.com/list/CCIELab.html
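Editor's note: the point both messages above make, that a matcher which looks at one packet at a time never sees a request line that arrives one character per segment ("len 41" = 20 bytes IP + 20 bytes TCP + 1 byte of data), is easy to reproduce in a few lines. The Python below is an added illustration, not code from either poster or from Cisco; the URL rule is a hypothetical stand-in for the class-map's `match protocol http url "*cifs*"`, the split points are constructed, and NBAR's real internals are not described on the page. It goes a little beyond the thread by reassembling on TCP sequence numbers the way the debug output presents them, so that out-of-order, duplicated and missing segments are handled rather than just the in-order case.

```python
import re
from typing import Iterable, List, Tuple

# Constructed request, mirroring the one typed in the thread: the request
# line followed by the blank line that ends the headers ("ENTER ENTER").
REQUEST = b"GET /cifs/NetBIOS.html HTTP/1.0\r\n\r\n"

# Hypothetical stand-in for the class-map 'match protocol http url "*cifs*"':
# an HTTP request line whose URL contains "cifs". The real NBAR matcher is
# not described on the page; this only models what it needs to see.
URL_RULE = re.compile(rb"^(?:GET|POST|HEAD) [^ \r\n]*cifs[^ \r\n]* HTTP/1\.[01]\r\n")

IP_HEADER_LEN = 20   # no IP options, as in the debug output
TCP_HEADER_LEN = 20  # no TCP options on an established connection


def tcp_payload_len(ip_total_len: int) -> int:
    """Payload bytes in a segment given the IP total length ("len 41" in the
    debug output): 41 - 20 - 20 = 1, i.e. one typed character per packet."""
    return ip_total_len - IP_HEADER_LEN - TCP_HEADER_LEN


def one_segment(request: bytes) -> List[bytes]:
    """Browser-style send: the whole request line in a single segment."""
    return [request]


def per_character(request: bytes) -> List[bytes]:
    """Interactive telnet: one character per segment, as in the debug output."""
    return [request[i:i + 1] for i in range(len(request))]


def split_at(request: bytes, offset: int) -> List[bytes]:
    """A client that flushes the request in two pieces (constructed split point)."""
    return [request[:offset], request[offset:]]


def match_per_packet(segments: Iterable[bytes]) -> bool:
    """Stateless inspection: each segment's payload is tested on its own.
    A request spread over several segments is never matched this way, which
    is the behaviour the thread observed."""
    return any(URL_RULE.match(seg) is not None for seg in segments)


def with_sequence_numbers(start_seq: int, payloads: Iterable[bytes]) -> List[Tuple[int, bytes]]:
    """Attach TCP sequence numbers the way the debug output shows them:
    each segment's seq is the previous seq plus the previous payload length."""
    out, seq = [], start_seq
    for data in payloads:
        out.append((seq, data))
        seq += len(data)
    return out


def reassemble(segments: Iterable[Tuple[int, bytes]]) -> bytes:
    """Put segments back in sequence order, drop retransmitted bytes, and stop
    at the first hole (a segment not yet seen), returning the contiguous prefix."""
    ordered = sorted(segments, key=lambda s: s[0])
    if not ordered:
        return b""
    buf = bytearray()
    expected = ordered[0][0]
    for seq, data in ordered:
        if seq > expected:
            break  # hole: matching must wait for the missing segment
        if seq + len(data) <= expected:
            continue  # pure duplicate / retransmission
        buf += data[expected - seq:]  # trim any overlapping prefix
        expected = seq + len(data)
    return bytes(buf)


def match_reassembled(segments: Iterable[Tuple[int, bytes]]) -> bool:
    """Stream inspection: match against the reassembled byte stream, which is
    effectively what the HTTP server does when it parses the request."""
    return URL_RULE.match(reassemble(segments)) is not None


if __name__ == "__main__":
    for name, payloads in (("one segment", one_segment(REQUEST)),
                           ("per character", per_character(REQUEST)),
                           ("split in two", split_at(REQUEST, 10))):
        segs = with_sequence_numbers(2273826937, payloads)
        print(f"{name:14s} per-packet={match_per_packet(payloads)!s:5s} "
              f"reassembled={match_reassembled(segs)}")
```

Running it shows the same split the thread saw: only the single-segment send matches per packet, while all three match once the stream is reassembled. For lab testing of an HTTP URL match, that is the reason a real browser (or any client that writes the whole request line in one send) is the reliable stimulus, and an interactive telnet session is not.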



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3