nbar protocol discovery

Unanswered Question
Oct 15th, 2007

Hi, I have NBAR protocol discovery running with NetFlow; it says users are using eDonkey? But I really think it's Citrix MetaFrame. How can I check what ports NBAR is using, and can they be edited?

This is a Cisco 877 in VPN mode, version 12.4(15)T1 Advanced IP Services.

bvsnarayana03 Mon, 10/15/2007 - 09:31

Port numbers for peer-to-peer applications like Kazaa, eDonkey etc. may be any port specified by the user, so it's difficult to block them. You may want to try applying an ACL with the default port numbers to block the traffic.

edonkey - tcp 4662

kazaa - tcp 2114

Or use a route-map to deny traffic matched by NBAR as eDonkey / Kazaa.

whiteford Mon, 10/15/2007 - 09:46

Thing is, none of them are using it or have it installed, so I don't understand why NetFlow is reporting it?

Joseph W. Doherty Tue, 10/16/2007 - 17:32

NBAR, for some protocols, is just a pretty face on a port match. Applications can sometimes use ports normally used for other applications. So, eDonkey traffic may not be such.

See for details on NBAR matching.

Unsure about an 877, but on larger routers you can see what ports NBAR is using with "show ip nbar port-map". They can be reassigned by using the "ip nbar port-map" command.

whiteford Tue, 10/16/2007 - 23:48

eDonkey seems to be on TCP port 4662; could a user be dynamically mapped to this port for use with another application?

Also, how do I add another port map to NBAR? I want to add Citrix MetaFrame on port 2598.

Do Cisco bring out updated NBAR port lists?

Phillip Hichens Wed, 10/17/2007 - 00:26
You can make sure that NBAR isn't classifying the traffic by using the following command:

* show ip nbar unclassified-port-stats

Once verified you can manually add a custom port map with the following command:

* ip nbar port-map citrix tcp 2598

If you have CCO, you can download the latest Packet Description Language Module (PDLM) from Cisco software downloads to add new protocol support to NBAR without requiring an IOS release upgrade and router reload.

guruprasadr Wed, 10/17/2007 - 01:04

Most companies now use NBAR - Network-Based Application Recognition.

Download the PDLM from Cisco to your flash, then configure.

ip nbar pdlm flash:bittorrent.pdlm
ip nbar pdlm flash:eDonkey.pdlm
ip nbar pdlm flash:gnutella.pdlm
ip nbar pdlm flash:kazaa2.pdlm
ip nbar pdlm flash:WinMX.pdlm
ip nbar pdlm flash:printer.pdlm

class-map match-any nbar-discovery
 match protocol gnutella
 match protocol kazaa2
 match protocol napster
 match protocol printer
 match protocol http url "*cmd.exe*"
 match protocol fasttrack
 match protocol novadigm
 match protocol edonkey
 match protocol bittorrent

policy-map ip-prec-marked
 class nbar-discovery

interface Serial0/1
 ip nbar protocol-discovery
 service-policy input ip-prec-marked

Best Regards,

Guru Prasad R

whiteford Wed, 10/17/2007 - 01:55

When I do a show flash, the PDLM is not in there. Does this mean I don't have the latest and just have the one built into the IOS?

My interface is VLAN 1; I take it I'll use this instead of Serial 0/1?

What does your config do?

whiteford Wed, 10/17/2007 - 01:53

You can make sure that NBAR isn't classifying the traffic by using the following command:

* show ip nbar unclassified-port-stats

This is off

I've added ip nbar port-map citrix tcp 2598

I am using the latest IOS for that router; do I still need to download the PDLM? My version is 12.4(15)T1.

guruprasadr Wed, 10/17/2007 - 02:04

Cisco has released several PDLMs for P2P applications.

You will need to download the PDLM that matches your IOS version and add it to the flash of the router.

Later, with the configuration posted, you should be able to block as per requirement.


Best Regards,

Guru Prasad R

whiteford Wed, 10/17/2007 - 02:15

I don't want to block just monitor.

For the PDLM, there are loads of individual files like edonkey.pdlm, citrix.pdlm, do all these individual files need to be downloaded to the flash and does the router need to be rebooted after?

I'm not sure of the process.

guruprasadr Wed, 10/17/2007 - 02:19

Yes, for each application Cisco has a PDLM available, and you need to download it to the flash to have them blocked.

I don't know whether it requires a reboot or not.

For NBAR services, using a PDLM is the best way to block.

You can check some Cisco documents on whether it requires a reboot or not.


Best Regards,

Guru Prasad R

whiteford Wed, 10/17/2007 - 02:26

I can't find the PDLM for my Cisco 877. Aren't the PDLMs for all routers the same?

I don't want to block these apps, just monitor via Netflow.

guruprasadr Wed, 10/17/2007 - 04:55

I know PDLMs are based on IOS versions, but I don't know whether they are router based.


Best Regards,

Guru Prasad R

Edison Ortiz Wed, 10/17/2007 - 05:05
Please post the output from executing sh ip nbar protocol-discovery on the router's CLI.

Edison Ortiz Wed, 10/17/2007 - 05:29

How many PCs do you have in the location?

If you can get to every single workstation, run netstat -a on the command line at those devices.

eDonkey protocol can run as a trojan and may not be visible as an application.

whiteford Wed, 10/17/2007 - 05:33

Only one PC today. His PC was connected to Citrix on port 1214 (Kazaa)?

Do I need to update the PDLM? I need to monitor citrix metaframe on port 2598

whiteford Wed, 10/17/2007 - 05:53

Do you think I need to? I'm on IOS 12.4(15)T1, 18 July.

Will the PDLM be much more up to date, I can't seem to find it to download...

I am having the same problem, same IOS version, although I have the problem at other sites using differing IOS.

12.4(15)T1 comes with citrix.pdlm version 10 as part of the IOS, the only one available for download is version 8, and it refuses to downgrade (Version 8<10 error)

It classifies Citrix MetaFrame XP traffic no problem, but connecting to a Citrix PS 4.0 no traffic is detected using NBAR; in fact even access-lists are ignored. It would seem in my case to be classifying the Citrix traffic as Skype, which is being matched first by my modular QoS.

Citrix now uses this port

Does anyone know how to resolve this? Can I stop Skype matching only?


netstat -a shows the PC connecting to the server on port 2598, which is due to session reliability.

TCP abz-peter-home:1156 ESTABLISHED

I have added the port to NBAR

#sh ip nbar port-map

port-map citrix udp 1604

port-map citrix tcp 1494 2598

but still no match!!

Any ideas? Why doesn't NBAR take the port-map?

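Joseph Doherty's point earlier in the thread (an NBAR port-map is a plain port match, so a business application that happens to sit on a P2P port gets the P2P label) can be checked offline against a port-map listing like the one above. The script below is an added example, not from any poster: it parses constructed `show ip nbar port-map` output in the format shown above, labels constructed flow records by port only, and flags flows whose label contradicts what the administrator knows about the server at the far end. The 10.0.0.5 server address, the client flows, and the kazaa2/edonkey port-map lines are assumptions for illustration.

```python
# Constructed sample of `show ip nbar port-map` output: the citrix lines are
# quoted from the post above; kazaa2/edonkey lines are assumed (1214, 4662).
PORT_MAP_OUTPUT = """\
port-map citrix udp 1604
port-map citrix tcp 1494 2598
port-map kazaa2 tcp 1214
port-map edonkey tcp 4662
"""

# Constructed: known servers -> the NBAR protocol their traffic should match.
KNOWN_SERVERS = {"10.0.0.5": "citrix"}

# Constructed NetFlow-style records: (proto, src_ip, src_port, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("tcp", "10.0.0.23", 1156, "10.0.0.5", 2598),   # session reliability port
    ("tcp", "10.0.0.23", 1157, "10.0.0.5", 1214),   # Citrix on the Kazaa port
    ("tcp", "10.0.0.23", 1158, "192.0.2.9", 4662),  # peer the admin knows nothing about
]


def parse_port_map(text):
    """Build {(proto, port): app} from `show ip nbar port-map` lines."""
    index = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "port-map":
            app, proto, ports = fields[1], fields[2], fields[3:]
            for port in ports:
                index[(proto, int(port))] = app
    return index


def port_classify(index, proto, src_port, dst_port):
    """A pure port match: label the flow by whichever end sits on a mapped port."""
    for port in (dst_port, src_port):
        if (proto, port) in index:
            return index[(proto, port)]
    return "unknown"


def audit_flows(index, flows):
    """Return (label, verdict) per flow; a port-only label that contradicts
    what the admin knows about the far-end server is a port collision."""
    findings = []
    for proto, src_ip, src_port, dst_ip, dst_port in flows:
        label = port_classify(index, proto, src_port, dst_port)
        expected = KNOWN_SERVERS.get(dst_ip) or KNOWN_SERVERS.get(src_ip)
        verdict = ("unverified" if expected is None
                   else "ok" if label == expected
                   else "port collision: expected " + expected)
        findings.append((label, verdict))
    return findings
```

Running `audit_flows(parse_port_map(PORT_MAP_OUTPUT), SAMPLE_FLOWS)` labels the second flow "kazaa2" with a collision verdict, which is the situation described in the thread where a Citrix session on port 1214 shows up as Kazaa.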

whiteford Wed, 10/24/2007 - 00:42

Now two of us are having the issue; I wonder if anyone else is. I use Citrix PS 4.0 and also see Skype traffic, and no one is using Skype!

I have a workaround, although it's not ideal. I just changed my Modular QoS *not* to match on protocol, but rather on an access list.


no ip access-list extended citrix_traffic

ip access-list extended citrix_traffic
 permit tcp any eq 1494 any
 permit tcp any any eq 1494
 permit tcp any eq 2598 any
 permit tcp any any eq 2598

class-map match-any citrix
 no match protocol citrix
 match access-group name citrix_traffic

This is now marking citrix traffic as it should do, but it's extremely worrying that NBAR is not doing explicitly what it is told.

There are no port-maps for Skype listed and there seems to be no way to disable it... thing is, I also *want* to be able to classify Skype traffic. Cisco really need to pull their finger out here.


whiteford Wed, 10/24/2007 - 01:31

I'm also getting a lot of "unknown" traffic, shame it can't show the ports.

whiteford Wed, 10/24/2007 - 03:36

How do I do that, so I will be able to see the unknown traffic?
