nbar traffic

Apr 14th, 2009

Hi,

We ran NBAR last time to check out flows in our network. There were some unknown protocols registered; any idea what they are composed of? There are counts for edonkey & kerberos as well; are they harmful, and how do we tackle them?

The output gives the 5 min bit rate along with the byte count, which means the count would vary as time passes, so at the end of the day wouldn't these basically be average readings? And how do Max bit rate & 5 min bit rate differ?

Thanks.



Correct Answer by Edison Ortiz about 7 years 11 months ago

Please refer to the documentation on how to read the show ip cache verbose flow output


http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_02.html#wp1013892


The port information is there :)


__


Edison.

Overall Rating: 4 (2 ratings)
Joseph W. Doherty Tue, 04/14/2009 - 04:36

"There were some unknown protocols registered; any idea what they are composed of?"


There's a debug NBAR option that can further "break out" the unknowns (stats by port numbers). (NB: don't recall the actual command.)


"There are counts for edonkey & kerberos as well; are they harmful, and how do we tackle them?"


Whether they're harmful and what to do about them is up to you. One common concern is their usage of bandwidth. If this is a problem for you, you can block them, rate limit them, deprioritize them, etc. (BTW, I found some NBAR matching not always accurate. You need to know the actual criteria being used by NBAR for specific "protocols". Sometimes it's just port matching, and it could be other traffic.)
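
Added example, not part of the original posts: an IOS MQC sketch of the rate-limit option mentioned above, applied to NBAR's edonkey match. The class and policy names, the interface and the 128 kbit/s rate are assumptions chosen for illustration.

```cisco
! Constructed example: names, interface and rate are assumptions,
! not values from this thread.
class-map match-any P2P-EDONKEY
 match protocol edonkey
!
policy-map LIMIT-P2P
 class P2P-EDONKEY
  ! Rate limit: traffic above 128 kbit/s in this class is dropped.
  police 128000 conform-action transmit exceed-action drop
  ! To block instead, replace the police line with:        drop
  ! To deprioritize instead, replace the police line with: set dscp cs1
!
interface FastEthernet0/0
 ! Keep protocol discovery on so per-protocol counters stay visible.
 ip nbar protocol-discovery
 service-policy input LIMIT-P2P
```

The per-class counters in `show policy-map interface FastEthernet0/0` show how much traffic the class actually matches, which is worth checking against the accuracy caveat above before switching from `police` to `drop`.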

suthomas1 Tue, 04/14/2009 - 05:34

To further identify the hosts using some of the protocols, would it be fine to create an ACL (deny or permit) & enable the log-input option?

How do we actually interpret the packet counts that are given? Like, can we get the size of the protocol in MBytes, & how is the bit rate summed up?

Thanks.

Edison Ortiz Tue, 04/14/2009 - 06:01
Sunny,


I recommend configuring NetFlow instead.


NetFlow will display the port being used by the src/dst.


__


Edison.

suthomas1 Tue, 04/14/2009 - 06:05

Thanks, I also viewed sh ip cache flow, which shows me src/dst along with protocols like tcp/udp but not particular ports.

Is that the same thing?
