RE: NBAR

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Tue Feb 26 2008 - 14:16:22 ARST


NBAR is a poor substitute for really good devices like Packeteer and Blue Coat
proxy.

NBAR will detect the obvious things and can block them (gnutella, bear share,
morpheus, kazaa, edonkey etc).

Most users nowadays though are smart enough to download programs that use
tcp 80 for file sharing, etc. or just go to youtube/facebook.

I haven't had time to try the latest MPF filters in the ASA, but other
than the instant messenger filters, nothing so far looks that promising.

Here is a real sh ip nbar protocol-discovery

From a live router at a client site right now...

As you can see it's detecting fasttrack, bittorrent, edonkey and others. So
it's obviously able to recognize and detect some basic file-sharing P2P
apps...

SRrouter#sh ip nbar protocol-discovery int f0/0

 FastEthernet0/0

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            30sec Bit Rate (bps)     30sec Bit Rate (bps)
                            30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   ftp                      23355352                 10244065
                            14161581292              1205691124
                            0                        0
                            16886000                 585000
   netbios                  409458540                505148940
                            48569461812              478814532535
                            135000                   1359000
                            1366000                  12600000
   http                     65119549                 56399622
                            22139281720              63477008815
                            23000                    136000
                            10398000                 945000
   smtp                     7644343                  8091576
                            5394775554               2888383117
                            0                        0
                            1517000                  777000
   h323                     995898                   924739
                            588102019                615130918
                            0                        0
                            1387000                  749000
   tsrvrdp                  26349301                 17997409
                            5727943240               1378155745
                            5000                     2000
                            1320000                  719000
   gnutella                 14443247                 10265507
                            14400366909              4181962675
                            0                        15000
                            1348000                  458000
   skinny                   346703                   173793
                            127191851                70396011
                            0                        0
                            991000                   742000
   secure-http              21943241                 20155211
                            4681916013               9496238851
                            9000                     1000
                            960000                   741000
   pop3                     180882                   229431
                            22341825                 126467337
                            0                        0
                            570000                   722000
   nutellaudp               3332776                  2845122
                            1831437279               217027572
                            0                        0
                            815000                   268000
   rtp                      1150580                  1203771
                            310974614                1326492967
                            0                        0
                            231000                   802000
   novadigm                 387893                   218619
                            213317089                116877218
                            0                        0
                            324000                   690000
   pptp                     99920                    30127
                            47082277                 30688423
                            0                        0
                            433000                   573000
   nfs                      101829                   50509
                            90246095                 33102067
                            0                        0
                            438000                   513000
   mgcp                     210683                   105913
                            110163332                83810979
                            0                        0
                            331000                   588000
   notes                    68236                    33995
                            32425427                 35201121
                            0                        0
                            454000                   359000
   netshow                  87316                    76064
                            34186209                 62262956
                            0                        0
                            513000                   241000
   msnmessenger             307557                   225245
                            63599676                 61364497
                            0                        0
                            122000                   589000
   fasttrack                91728                    51227
                            49635500                 50854658
                            0                        0
                            83000                    533000
   edonkey                  1162870                  240950
                            508758540                14159006
                            0                        0
                            567000                   23000
   socks                    87804                    40865
                            32490054                 24443258
                            0                        0
                            80000                    463000
   sqlserver                1839080                  2341859
                            158292984                232534620
                            0                        0
                            183000                   322000
   rtsp                     79153                    53596
                            10256756                 68207016
                            0                        0
                            20000                    443000
   sqlnet                   65074                    28020
                            30158192                 20963473
                            0                        0
                            54000                    325000
   rtcp                     20684                    51209
                            2684508                  13776242
                            0                        0
                            14000                    265000
   ldap                     194699092                209600175
                            106836308294             48885130573
                            100000                   44000
                            174000                   83000
   printer                  571                      560
                            34266                    802630
                            0                        0
                            8000                     167000
   exchange                 663063                   767842
                            311073646                133922293
                            0                        0
                            56000                    100000
   vdolive                  41110                    13386
                            50601006                 986168
                            0                        0
                            90000                    3000
   dns                      2426291                  1178180
                            192480030                158160902
                            1000                     1000
                            46000                    45000
   kerberos                 508295                   506775
                            657065906                696357765
                            0                        0
                            26000                    29000
   xwindows                 2152                     838
                            402144                   111336
                            0                        0
                            43000                    5000
   bitttorrent              406                      749
                            26340                    833329
                            0                        0
                            1000                     41000
   icmp                     608591                   642688
                            73946719                 48299756
                            0                        0
                            16000                    4000
   aim                      2122                     1326
                            311552                   312027
                            0                        0
                            1000                     10000
   winmx                    232896                   28916
                            15106868                 12210093
                            0                        0
                            6000                     3000
   sip                      106                      104
                            14686                    44854
                            0                        0
                            3000                     5000
   gre                      0                        17558
                            0                        25036360
                            0                        0
                            0                        6000
   yahoomessenger           76640                    52880
                            7829428                  5004672
                            0                        0
                            2000                     4000
   dhcp                     68268                    0
                            22705618                 0
                            0                        0
                            5000                     0
   snmp                     394149                   42733
                            47458028                 5393608
                            0                        0
                            2000                     2000
   cuseeme                  435                      385
                            72512                    147865
                            0                        0
                            1000                     3000
   pcanywhere               104                      98
                            11266                    18304
                            0                        0
                            0                        3000
   rsvp                     289                      19
                            352297                   2635
                            0                        0
                            1000                     0
   citrix                   242                      18
                            184053                   2236
                            0                        0
                            1000                     0
   telnet                   72                       73
                            6178                     5285
                            0                        0
                            1000                     0
   eigrp                    0                        1514928
                            0                        112104672
                            0                        0
                            0                        0
   ntp                      3662                     2964
                            359670                   296852
                            0                        0
                            0                        0
   l2tp                     143                      6
                            181500                   724
                            0                        0
                            0                        0
   streamwork               128                      8
                            161749                   1067
                            0                        0
                            0                        0
   ssh                      217                      230
                            13020                    15880
                            0                        0
                            0                        0
   imap                     22                       9
                            1776                     606
                            0                        0
                            0                        0
   secure-pop3              15                       20
                            910                      1120
                            0                        0
                            0                        0
   nntp                     3                        3
                            408                      1353

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Rik Guyler
Sent: Tuesday, February 26, 2008 11:07 AM
To: 'Cisco certification'
Subject: NBAR

Does anybody have any real-world experience with NBAR detecting peer-to-peer
traffic? I'm considering using this in place of something like a Packeteer
box but don't know how the two would compare for this. The only real feel I
have for NBAR is from a lab environment.
 
Thanks,
 
Rik
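Added example for readers of this archive (it is not code from either message in the thread): a Python script that parses the four-lines-per-protocol layout in which IOS prints "show ip nbar protocol-discovery", then totals the bytes and peak 30-second rates that NBAR attributed to the P2P engines named above. The sample text is constructed to imitate the IOS layout, using a handful of rows from the output posted above, with the last row deliberately left truncated so the parser's handling of an incomplete record is visible. The set of protocol names treated as P2P is an assumption made for this example.

```python
"""Parse Cisco IOS 'show ip nbar protocol-discovery' output and total P2P traffic.

Added example, not code from the thread. The sample below imitates the IOS
layout: four lines per protocol (packet count, byte count, 30-second bit rate,
30-second max bit rate), each with an Input and an Output column. Its numbers
are taken from a few rows of the output posted in the thread; the final row is
deliberately truncated to show how an incomplete record is skipped.
"""
import re

SAMPLE = """\
 FastEthernet0/0

                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            30sec Bit Rate (bps)     30sec Bit Rate (bps)
                            30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   http                     65119549                 56399622
                            22139281720              63477008815
                            23000                    136000
                            10398000                 945000
   gnutella                 14443247                 10265507
                            14400366909              4181962675
                            0                        15000
                            1348000                  458000
   edonkey                  1162870                  240950
                            508758540                14159006
                            0                        0
                            567000                   23000
   bittorrent               406                      749
                            26340                    833329
                            0                        0
                            1000                     41000
   nntp                     3                        3
                            408                      1353
"""

# NBAR protocol names from the thread that are file-sharing/P2P engines.
# Assumption for this example; extend it to match the NBAR release in use.
P2P_PROTOCOLS = frozenset({"gnutella", "fasttrack", "edonkey", "bittorrent", "winmx"})

FIELDS = ("packets", "bytes", "bps", "max_bps")

# Interface header: one token such as FastEthernet0/0 or Serial0/0/0.
IFACE_RE = re.compile(r"^\s*([A-Z][A-Za-z-]*\d[\d/.:]*)\s*$")
# First line of a record: lowercase protocol name, then Input/Output packet counts.
RECORD_RE = re.compile(r"^\s+([a-z][\w.-]*)\s+(\d+)\s+(\d+)\s*$")
# Continuation lines (bytes, bps, max bps): two integers, no protocol name.
CONT_RE = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")


def parse_protocol_discovery(text):
    """Return {interface: {protocol: {"in": {...}, "out": {...}}}}.

    A record with fewer than four value lines (output cut off mid-table) is
    dropped rather than reported as a zero-rate protocol.
    """
    interfaces = {}
    iface = None
    pending = None  # [protocol name, [(in, out), ...]] for the record being read

    def flush():
        nonlocal pending
        if pending and len(pending[1]) == len(FIELDS):
            name, rows = pending
            interfaces[iface][name] = {
                "in": dict(zip(FIELDS, (r[0] for r in rows))),
                "out": dict(zip(FIELDS, (r[1] for r in rows))),
            }
        pending = None

    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            flush()
            iface = m.group(1)
            interfaces.setdefault(iface, {})
            continue
        m = RECORD_RE.match(line)
        if m and iface is not None:
            flush()
            pending = [m.group(1), [(int(m.group(2)), int(m.group(3)))]]
            continue
        m = CONT_RE.match(line)
        if m and pending is not None:
            pending[1].append((int(m.group(1)), int(m.group(2))))
    flush()
    return interfaces


def p2p_summary(stats, p2p=P2P_PROTOCOLS):
    """Per interface: bytes (in + out) attributed to P2P protocols, their share
    of all classified bytes, and each P2P protocol's peak 30-second rate."""
    summary = {}
    for iface, protos in stats.items():
        total = sum(p["in"]["bytes"] + p["out"]["bytes"] for p in protos.values())
        p2p_bytes = sum(p["in"]["bytes"] + p["out"]["bytes"]
                        for name, p in protos.items() if name in p2p)
        peak = {name: max(p["in"]["max_bps"], p["out"]["max_bps"])
                for name, p in protos.items() if name in p2p}
        summary[iface] = {
            "total_bytes": total,
            "p2p_bytes": p2p_bytes,
            "p2p_share": (p2p_bytes / total) if total else 0.0,
            "p2p_peak_bps": peak,
        }
    return summary


if __name__ == "__main__":
    for iface, s in p2p_summary(parse_protocol_discovery(SAMPLE)).items():
        print(f"{iface}: {s['p2p_bytes']} of {s['total_bytes']} bytes "
              f"({s['p2p_share']:.1%}) classified as P2P; peaks: {s['p2p_peak_bps']}")
```

Feeding the full output from the router above into parse_protocol_discovery (with the file's real whitespace, not the wrapped archive copy) gives the byte share and peak rate for each engine NBAR recognized, which is the comparison the original question asks for; the "30sec Max Bit Rate" column is the one to watch, since the current rate is zero for most of the P2P rows at the moment of the snapshot.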



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:49 ARST