From: Scott Morris (swm@emanon.com)
Date: Sun Jun 05 2005 - 20:58:49 GMT-3
That's absolutely true. And that's how telnet works.
That was exactly when I went and used a "real" web browser so that it would
appear as a single HTTP packet. And it still doesn't show in the logging!
Go figure.
Scott
-----Original Message-----
From: Piotr Jelonek [mailto:piotr@jelonek.info]
Sent: Sunday, June 05, 2005 4:48 PM
To: Bob Sinclair
Cc: Scott Morris; 'CCIE'; 'Group Study'
Subject: Re: NBAR Not matching !
On Sun, Jun 05, 2005 at 04:28:57 -0400, Bob Sinclair wrote:
> I have been able to get NBAR to match against the following class-map:
>
> Class Map match-all CIF (id 3)
> Match protocol http url "*cifs*"
>
> by telnetting to ubix.org 80, followed by: GET /cifs/NetBIOS.html
> HTTP/1.0 ENTER ENTER
>
> I noticed that a "drop" for this class seems to work inbound, but not
> outbound (for the GET). Any tips on testing NBAR HTTP matches via
> telnet for lab purposes?
Hi All.
Are you not losing something there?
I think when you telnet to port 80 and type on your keyboard "GET ..." it
works totally differently than if you run your browser and request some
address.
If you telnet to port 80 and type "G" "E" "T" " " .... each character is
sent in a separate packet. Just like I did (look at the length of each
packet):
...
*Mar 4 11:10:35.913: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:35.913: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:35.913: TCP src=11030, dst=80, seq=2273826937, ack=135567464, win=4128 ACK PSH
*Mar 4 11:10:36.113: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
*Mar 4 11:10:36.726: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:36.726: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:36.726: TCP src=11030, dst=80, seq=2273826938, ack=135567464, win=4128 ACK PSH
*Mar 4 11:10:36.927: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
*Mar 4 11:10:37.095: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:37.099: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:37.099: TCP src=11030, dst=80, seq=2273826939, ack=135567464, win=4128 ACK PSH
*Mar 4 11:10:37.255: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:37.255: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:37.255: TCP src=11030, dst=80, seq=2273826940, ack=135567464, win=4128 ACK PSH
*Mar 4 11:10:37.299: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
*Mar 4 11:10:37.440: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:37.440: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
..
Do you think that NBAR will gather packets in some buffer and check each
request?
I don't think so.
If you run your browser and type in some address, then hit ENTER - your
request is sent in one packet - now NBAR has something to look at.
Do you agree with me?
Regards,
Piotr
-- piotr <at> jelonek <dot> info
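Added illustration of the point Piotr makes above (not part of the thread, and not Cisco's NBAR code): a toy Python classifier that inspects each TCP payload on its own, fed the same constructed GET request once split one keystroke per segment (the telnet case, where each IP packet is 20 + 20 + 1 = 41 bytes) and once as a single browser segment, beside a reassembling variant that finds the URL either way. The segment model, the header arithmetic and the glob-style "*cifs*" matcher are assumptions of this example.

```python
import fnmatch

# Constructed sample request, the one Bob typed into telnet (not captured from the list).
REQUEST = b"GET /cifs/NetBIOS.html HTTP/1.0\r\n\r\n"

def telnet_segments(request):
    """Interactive telnet: every keystroke becomes its own TCP segment (assumed model)."""
    return [bytes([b]) for b in request]

def browser_segments(request):
    """A browser writes the whole request at once, so it travels in one segment."""
    return [request]

def ip_lengths(segments):
    """Total IP length per segment: 20-byte IPv4 + 20-byte TCP header, no options (assumed)."""
    return [20 + 20 + len(s) for s in segments]

def url_from_payload(payload):
    """Return the URL if the payload holds a complete HTTP request line, else None."""
    line, sep, _rest = payload.partition(b"\r\n")
    if not sep:
        return None  # request line not terminated inside this payload
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("ascii", "replace")

def match_per_packet(segments, pattern):
    """Stateless classifier: each segment is inspected by itself (Piotr's reading of NBAR)."""
    for seg in segments:
        url = url_from_payload(seg)
        if url is not None and fnmatch.fnmatchcase(url, pattern):
            return True
    return False

def match_reassembled(segments, pattern):
    """Stateful classifier: reassemble the stream first, then look for the request line."""
    url = url_from_payload(b"".join(segments))
    return url is not None and fnmatch.fnmatchcase(url, pattern)

if __name__ == "__main__":
    for name, segs in (("telnet", telnet_segments(REQUEST)),
                       ("browser", browser_segments(REQUEST))):
        print(name, "| IP len of first segment:", ip_lengths(segs)[0],
              "| per-packet match:", match_per_packet(segs, "*cifs*"),
              "| reassembled match:", match_reassembled(segs, "*cifs*"))
```

The per-packet matcher sees only 41-byte one-character packets in the telnet case and never matches, while the same bytes sent in one segment match at once; a classifier that reassembles the stream matches both.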
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3