From: Rik Guyler (rik@guyler.net)
Date: Tue Feb 26 2008 - 14:38:06 ARST
Thanks Joe. I thought this was likely the case. In my case it may come
down to a financial decision but at least now I know it works reasonably
well.
Rik
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joseph Brunner
Sent: Tuesday, February 26, 2008 11:16 AM
To: 'Rik Guyler'; 'Cisco certification'
Subject: RE: NBAR
Nbar is a poor substitute for real good devices like packeteer and bluecoat
proxy.
Nbar will detect the obvious things and can block them (gnutella, bear share,
morpheus, kazaa, edonkey etc).
Most users nowadays though are smart enough to download programs that use
tcp 80 for file sharing, etc. or just go to youtube/facebook.
I haven't had some time to try the latest mpf filters in the asa, but other
than the Instant messenger filters, nothing so far looks that promising.
Here is a real sh ip nbar protocol-discovery
From a live router at a client site right now...
As you can see it's detecting fasttrack, bittorrent, edonkey and others. So
it's obviously able to recognize and detect some basic file sharing P2P
apps...
SRrouter#sh ip nbar protocol-discovery int f0/0
FastEthernet0/0
Input Output
----- ------
Protocol Packet Count Packet Count
Byte Count Byte Count
30sec Bit Rate (bps) 30sec Bit Rate (bps)
30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
------------------------ ------------------------ ------------------------
ftp 23355352 10244065
14161581292 1205691124
0 0
16886000 585000
netbios 409458540 505148940
48569461812 478814532535
135000 1359000
1366000 12600000
http 65119549 56399622
22139281720 63477008815
23000 136000
10398000 945000
smtp 7644343 8091576
5394775554 2888383117
0 0
1517000 777000
h323 995898 924739
588102019 615130918
0 0
1387000 749000
tsrvrdp 26349301 17997409
5727943240 1378155745
5000 2000
1320000 719000
gnutella 14443247 10265507
14400366909 4181962675
0 15000
1348000 458000
skinny 346703 173793
127191851 70396011
0 0
991000 742000
secure-http 21943241 20155211
4681916013 9496238851
9000 1000
960000 741000
pop3 180882 229431
22341825 126467337
0 0
570000 722000
nutellaudp 3332776 2845122
1831437279 217027572
0 0
815000 268000
rtp 1150580 1203771
310974614 1326492967
0 0
231000 802000
novadigm 387893 218619
213317089 116877218
0 0
324000 690000
pptp 99920 30127
47082277 30688423
0 0
433000 573000
nfs 101829 50509
90246095 33102067
0 0
438000 513000
mgcp 210683 105913
110163332 83810979
0 0
331000 588000
notes 68236 33995
32425427 35201121
0 0
454000 359000
netshow 87316 76064
34186209 62262956
0 0
513000 241000
msnmessenger 307557 225245
63599676 61364497
0 0
122000 589000
fasttrack 91728 51227
49635500 50854658
0 0
83000 533000
edonkey 1162870 240950
508758540 14159006
0 0
567000 23000
socks 87804 40865
32490054 24443258
0 0
80000 463000
sqlserver 1839080 2341859
158292984 232534620
0 0
183000 322000
rtsp 79153 53596
10256756 68207016
0 0
20000 443000
sqlnet 65074 28020
30158192 20963473
0 0
54000 325000
rtcp 20684 51209
2684508 13776242
0 0
14000 265000
ldap 194699092 209600175
106836308294 48885130573
100000 44000
174000 83000
printer 571 560
34266 802630
0 0
8000 167000
exchange 663063 767842
311073646 133922293
0 0
56000 100000
vdolive 41110 13386
50601006 986168
0 0
90000 3000
dns 2426291 1178180
192480030 158160902
1000 1000
46000 45000
kerberos 508295 506775
657065906 696357765
0 0
26000 29000
xwindows 2152 838
402144 111336
0 0
43000 5000
bitttorrent 406 749
26340 833329
0 0
1000 41000
icmp 608591 642688
73946719 48299756
0 0
16000 4000
aim 2122 1326
311552 312027
0 0
1000 10000
winmx 232896 28916
15106868 12210093
0 0
6000 3000
sip 106 104
14686 44854
0 0
3000 5000
gre 0 17558
0 25036360
0 0
0 6000
yahoomessenger 76640 52880
7829428 5004672
0 0
2000 4000
dhcp 68268 0
22705618 0
0 0
5000 0
snmp 394149 42733
47458028 5393608
0 0
2000 2000
cuseeme 435 385
72512 147865
0 0
1000 3000
pcanywhere 104 98
11266 18304
0 0
0 3000
rsvp 289 19
352297 2635
0 0
1000 0
citrix 242 18
184053 2236
0 0
1000 0
telnet 72 73
6178 5285
0 0
1000 0
eigrp 0 1514928
0 112104672
0 0
0 0
ntp 3662 2964
359670 296852
0 0
0 0
l2tp 143 6
181500 724
0 0
0 0
streamwork 128 8
161749 1067
0 0
0 0
ssh 217 230
13020 15880
0 0
0 0
imap 22 9
1776 606
0 0
0 0
secure-pop3 15 20
910 1120
0 0
0 0
nntp 3 3
408 1353
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Rik
Guyler
Sent: Tuesday, February 26, 2008 11:07 AM
To: 'Cisco certification'
Subject: NBAR
Does anybody have any real-world experience with NBAR detecting peer-to-peer
traffic? I'm considering using this in place of something like a Packeteer
box but don't know how the two would compare for this. The only real feel I
have for NBAR is from a lab environment.
Thanks,
Rik
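An added example, not part of the original thread: one way to pull the file-sharing protocols out of "sh ip nbar protocol-discovery" output laid out as in the listing above (four input/output lines per protocol) and report their share of classified bytes. The SAMPLE text and its numbers are constructed, and the P2P name set is an assumption taken from the protocols named in the posts.

```python
import re

# Assumption: protocol names treated as file sharing, taken from the posts.
P2P = {"gnutella", "fasttrack", "edonkey", "bittorrent"}
FIELDS = ("packets", "bytes", "rate_bps", "max_rate_bps")
HEAD = re.compile(r"^\s*([A-Za-z][\w-]*)\s+(\d+)\s+(\d+)\s*$")  # name in out
PAIR = re.compile(r"^\s*(\d+)\s+(\d+)\s*$")                     # in out

def parse_discovery(text):
    """Return {protocol: {field: (input, output)}}; headers are skipped."""
    stats, cur = {}, None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:  # first line of a record carries the packet counts
            cur = stats.setdefault(m.group(1), {})
            cur["packets"] = (int(m.group(2)), int(m.group(3)))
            continue
        m = PAIR.match(line)
        if m and cur is not None and len(cur) < len(FIELDS):
            cur[FIELDS[len(cur)]] = (int(m.group(1)), int(m.group(2)))
    return stats

def p2p_report(stats, names=P2P):
    """Rows of (protocol, bytes in+out, % of all bytes, active in last 30s)."""
    total = sum(sum(s.get("bytes", (0, 0))) for s in stats.values())
    rows = []
    for name, s in stats.items():
        if name in names and "bytes" in s:  # skip records cut off early
            b = sum(s["bytes"])
            pct = round(100 * b / total, 2) if total else 0.0
            rows.append((name, b, pct, any(s.get("rate_bps", (0, 0)))))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample in the same layout, ending in a truncated record.
SAMPLE = """Router#sh ip nbar protocol-discovery int f0/0
FastEthernet0/0
Input Output
----- ------
Protocol Packet Count Packet Count
Byte Count Byte Count
30sec Bit Rate (bps) 30sec Bit Rate (bps)
30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
http 1000 900\n600000 300000\n23000 136000\n400000 900000
gnutella 500 400\n70000 20000\n0 15000\n130000 45000
edonkey 100 50\n9000 1000\n0 0\n50000 2000
nntp 3 3
"""

if __name__ == "__main__":
    for row in p2p_report(parse_discovery(SAMPLE)):
        print("%-12s %12d bytes %6.2f%% active=%s" % row)
```

Anything tunnelled over tcp 80, as described in the reply, is counted under http here and will not show up in the report.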
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:49 ARST