I have a properly applied egress class map to prevent all peer-to-peer traffic. For a sanity check I applied NBAR protocol discovery onto the inside interface. What I am seeing is that nbar protocol-discovery is seeing waaaay more traffic than the egress P2P filter. Should they not be equal?
The nbar protocol-discovery shows 13MB of edonkey egressed (inbound on the inside interface) while the egress filter sees not a single bit of it.