Answered Question
Apr 8th, 2009


I'm planning to use NBAR to get a feel for the applications that are traversing my router.

I hope this is the simplest and best option, unless there is anything else we can do excluding NetFlow et al.

I intend to get an idea of what applications are flowing across the link.

1) Would it be best to have it on the WAN-facing interface or the LAN-facing interface?

2) I've read that this also causes a rise in CPU and may cause the device to go down. Is that the case, & if so, what's the max threshold it uses?

My current router has a CPU usage of around 11%.

3) Any other specific things which need to be included with NBAR to make the output I get more useful?


lamav Wed, 04/08/2009 - 04:18

That's interesting.

I never thought of using NBAR as a diagnostic tool.

I wouldn't.

I would use a sniffer and examine the traffic that way.

Keep an eye on the biggest talkers and monitor them as they cycle for a few days of normal business. You will be able to see the source and destination hosts, the ports they communicate on, the volume of their bi-directional traffic, etc.



suthomas1 Wed, 04/08/2009 - 05:54

Actually, my intention is to see what classes of traffic flow through (HTTP, FTP, etc.) & the rate of flow along with their usage.

I am planning to put in a sniffer as well, as you suggested. But to start with, I want to see what NBAR returns.

Any suggestions would be helpful.


John Blakley Wed, 04/08/2009 - 06:05

Well, you can't control nbar's cpu utilization or thresholds. You can either enable or disable it. If you have a ton of different traffic going through your router, then I could see it being a major impact on it, but if there's not too many different classes, you should be okay. I would keep a close eye on the router though.



suthomas1 Wed, 04/08/2009 - 06:56


I have a 2821 with average link usage being around 50%. Any idea if this, coupled with NBAR, would get the router down?

& any specific reason why NBAR causes this major impact? Is it because it has to parse through headers to make out the information?

Joseph W. Doherty Wed, 04/08/2009 - 07:24

#1 If both interfaces deal with the same traffic, it shouldn't really matter.

#2 It does, and John's reference documents additional load. However, if your CPU is only around 11%, you likely have enough spare capacity.

#3 Yes, by default, NBAR discovery will count the protocols it knows of. Often much traffic will be counted as unknown. If NBAR discovery shows this, you can activate a debug option so that NBAR will break unknown traffic down by some major IP protocols (e.g. TCP/UDP) and port numbers.
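
The discovery-and-watch-the-CPU approach discussed in this thread, as an added Cisco IOS example that is not part of any poster's reply. The interface name GigabitEthernet0/0 is an assumption; substitute the interface that carries the traffic you want to profile.

```cisco
! Added example; GigabitEthernet0/0 is an assumed interface name.
! 1. Record a CPU baseline before enabling discovery.
show processes cpu history

! 2. Enable NBAR protocol discovery on the chosen interface.
configure terminal
 interface GigabitEthernet0/0
  ip nbar protocol-discovery
 end

! 3. After traffic has flowed for a while, list the top 10 protocols by bit rate.
show ip nbar protocol-discovery interface GigabitEthernet0/0 stats bit-rate top-n 10

! 4. Cumulative byte counts per protocol. A large "unknown" row is traffic
!    NBAR could not classify.
show ip nbar protocol-discovery interface GigabitEthernet0/0 stats byte-count

! 5. Compare CPU against the baseline taken in step 1.
show processes cpu history

! 6. Reset the counters between measurement windows.
clear ip nbar protocol-discovery

! 7. Roll back if the added load is not acceptable.
configure terminal
 interface GigabitEthernet0/0
  no ip nbar protocol-discovery
 end
```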

