RE: NBAR http matching

From: Antonio Soares (amsoares@netcabo.pt)
Date: Thu Jul 05 2007 - 17:53:20 ART

Yes, we have matches in both directions. I made the same test a few days ago
and posted it in another discussion here at groupstudy. It's good to be sure
about this. It means we can match not only the client queries but also the
server replies.

-----Original Message-----
From: Bit Gossip [mailto:bit.gossip@chello.nl]
Sent: quinta-feira, 5 de Julho de 2007 19:14
To: WorkerBee; Antonio Soares; ccielab@groupstudy.com
Cc: Cecil Wilson; M S; malcolm.salmons@gmail.com
Subject: Re: NBAR http matching

Group,
I have done a very simple test that proves a behaviour different from what
the link below describes, at least in the case of URL match:
the very same service-policy matches client requests if it is configured in
the direction from client -> server the very same service-policy matches
server responses if it is configured in the direction from server -> client
Please comment, Bit.

SW1 (client 174.1.67.7) ---- R2 (NBAR) -----R3 (server 150.1.3.3)

~~~~~~~~~~~~~~~~~~~~~~~~~~~ SW1
Rack1SW1#copy http://150.1.3.3/index.html null:
Loading http://150.1.3.3/index.html !
2696 bytes copied in 0.210 secs (12838 bytes/sec) Rack1SW1#

~~~~~~~~~~~~~~~~~~~~~~~~~~~ R2

class-map match-all NBAR
 match protocol http host "150.1.3.3"
 match protocol http url "index.html"
!
policy-map NBAR1
 class NBAR
!
interface Multilink23
 service-policy input NBAR1
 service-policy output NBAR1

Rack1R2#show policy-map int mu23
 Multilink23

  Service-policy input: NBAR1 <<<<<<<<<< server to client

    Class-map: NBAR (match-all)
      8 packets, 3348 bytes
      5 minute offered rate 0 bps
      Match: protocol http host "150.1.3.3"
      Match: protocol http url "index.html"

  Service-policy output: NBAR1 <<<<<<<<<< client to server

    Class-map: NBAR (match-all)
      16 packets, 839 bytes
      5 minute offered rate 0 bps
      Match: protocol http host "150.1.3.3"
      Match: protocol http url "index.html"

~~~~~~~~~~~~~~~~~~~~~~~~~~~ R3

Rack1R3#show debugging
Generic IP:
  IP packet debugging is on (detailed) for access list 180

This is the capture split per direction: it is clear that the number of
packets in each direction matches with the counters of the policy-map.

CONCLUSION: the same policy-map matches the packet of a certain http session
in the direction in which it is applied

*Jul 5 19:44:01.977: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 44,
rcvd 4
*Jul 5 19:44:01.977: TCP src=11004, dst=80, seq=237677449, ack=0,
win=4128 SYN
*Jul 5 19:44:01.989: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:01.989: TCP src=11004, dst=80, seq=237677450,
ack=508281107, win=4128 ACK
*Jul 5 19:44:02.001: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 207,
rcvd 4
*Jul 5 19:44:02.001: TCP src=11004, dst=80, seq=237677450,
ack=508281107, win=4128 ACK
*Jul 5 19:44:02.057: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.057: TCP src=11004, dst=80, seq=237677617,
ack=508281363, win=3872 ACK
*Jul 5 19:44:02.073: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.073: TCP src=11004, dst=80, seq=237677617,
ack=508281407, win=3828 ACK
*Jul 5 19:44:02.141: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.141: TCP src=11004, dst=80, seq=237677617,
ack=508281663, win=3572 ACK
*Jul 5 19:44:02.149: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.149: TCP src=11004, dst=80, seq=237677617,
ack=508281663, win=4128 ACK
*Jul 5 19:44:02.149: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.149: TCP src=11004, dst=80, seq=237677617,
ack=508282199, win=3592 ACK
*Jul 5 19:44:02.153: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.153: TCP src=11004, dst=80, seq=237677617,
ack=508282199, win=4128 ACK
*Jul 5 19:44:02.157: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.157: TCP src=11004, dst=80, seq=237677617,
ack=508282735, win=3592 ACK
*Jul 5 19:44:02.157: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.157: TCP src=11004, dst=80, seq=237677617,
ack=508282735, win=4128 ACK
*Jul 5 19:44:02.161: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.161: TCP src=11004, dst=80, seq=237677617,
ack=508283271, win=3592 ACK
*Jul 5 19:44:02.169: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.169: TCP src=11004, dst=80, seq=237677617,
ack=508283271, win=4128 ACK
*Jul 5 19:44:02.169: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.169: TCP src=11004, dst=80, seq=237677617,
ack=508283807, win=3592 ACK
*Jul 5 19:44:02.173: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.173: TCP src=11004, dst=80, seq=237677617,
ack=508283807, win=4128 ACK
*Jul 5 19:44:02.173: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.173: TCP src=11004, dst=80, seq=237677617,
ack=508284104, win=4128 ACK
*Jul 5 19:44:02.173: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.173: TCP src=11004, dst=80, seq=237677617,
ack=508284104, win=3832 ACK
*Jul 5 19:44:02.177: IP: s=174.1.67.7 (Multilink23), d=150.1.3.3, len 40,
rcvd 4
*Jul 5 19:44:02.177: TCP src=11004, dst=80, seq=237677617,
ack=508284104, win=3832 ACK PSH FIN

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~

*Jul 5 19:44:01.977: IP: s=150.1.3.3 (local), d=174.1.67.7 (Multilink23),
len 44, sending
*Jul 5 19:44:01.977: TCP src=80, dst=11004, seq=508281106,
ack=237677450, win=4128 ACK SYN
*Jul 5 19:44:02.045: IP: s=150.1.3.3 (local), d=174.1.67.7 (Multilink23),
len 296, sending
*Jul 5 19:44:02.045: TCP src=80, dst=11004, seq=508281107,
ack=237677617, win=3961 ACK
*Jul 5 19:44:02.061: IP: s=150.1.3.3 (local), d=174.1.67.7 (Multilink23),
len 84, sending
*Jul 5 19:44:02.061: TCP src=80, dst=11004, seq=508281363,
ack=237677617, win=3961 ACK PSH
*Jul 5 19:44:02.137: IP: s=150.1.3.3 (local), d=174.1.67.7 (Multilink23),
len 296, sending
*Jul 5 19:44:02.137: TCP src=80, dst=11004, seq=508281407,
ack=237677617, win=3961 ACK
*Jul 5 19:44:02.137: IP: s=150.1.3.3 (local), d=174.1.67.7 (Multilink23),
len 576, sending
*Jul 5 19:44:02.137: TCP src=80, dst=11004, seq=508281663,
ack=237677617, win=3961 ACK
*Jul 5 19:44:02.141: IP: s=150.1.3.3 (local), d=174.1.67.7 (Multilink23),
len 576, sending
*Jul 5 19:44:02.141: TCP src=80, dst=11004, seq=508282199,
ack=237677617, win=3961 ACK
*Jul 5 19:44:02.153: IP: s=150.1.3.3 (local), d=174.1.67.7 (Multilink23),
len 576, sending
*Jul 5 19:44:02.153: TCP src=80, dst=11004, seq=508282735,
ack=237677617, win=3961 ACK
*Jul 5 19:44:02.153: IP: s=150.1.3.3 (local), d=174.1.67.7 (Multilink23),
len 576, sending
*Jul 5 19:44:02.153: TCP src=80, dst=11004, seq=508283271,
ack=237677617, win=3961 ACK
*Jul 5 19:44:02.161: IP: s=150.1.3.3 (local), d=174.1.67.7 (Multilink23),
len 336, sending
*Jul 5 19:44:02.161: TCP src=80, dst=11004, seq=508283807,
ack=237677617, win=3961 ACK PSH FIN
*Jul 5 19:44:02.177: IP: s=150.1.3.3 (local), d=174.1.67.7 (Multilink23),
len 40, sending
*Jul 5 19:44:02.177: TCP src=80, dst=11004, seq=508284104,
ack=237677618, win=3961 ACK

----- Original Message -----
From: "WorkerBee" <ciscobee@gmail.com>
To: "Antonio Soares" <amsoares@netcabo.pt>
Cc: "Cecil Wilson" <Cecil.Wilson@flextronics.com>; "M S"
<michaelgstout@hotmail.com>; <malcolm.salmons@gmail.com>;
<ccielab@groupstudy.com>
Sent: Friday, June 29, 2007 2:18 AM
Subject: Re: NBAR http matching

> Read this link, it explicitly mentioned the direction flow of the
> requestor and the position on the nbar router doing the protocol
> inspection. It is the HTTP response that is being classified.
>
> Classification of HTTP Traffic by URL, Host, or MIME
>
> http://www.cisco.com/en/US/products/ps6441/products_configuration_guid
> e_chapter09186a008064fb35.html#wp1055866

This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART