
nbar traffic

suthomas1
Level 6

Hi,

We ran NBAR last time to check out flows in our network. There were some unknown protocols registered; any idea what they are composed of? There are counts for edonkey & kerberos as well; are they harmful & how to tackle them?

The output gives the 5 min bit rate along with the byte count, which means the count would vary as time passes, so at the end of the day wouldn't these basically be average readings & what do Max bit rate & 5 min bit rate differ on?

Thanks.


5 Replies

Joseph W. Doherty
Hall of Fame

"There were some unknown protocols registered, any idea what are they composed of?"

There's a debug NBAR option that can further "break out" the unknowns (stats by port numbers). (NB: don't recall the actual command.)

"there are counts for edonkey & kerberos as well, are they harmful & how to tackle them?"

Whether they're harmful and what to do about them is up to you. One common concern is their usage of bandwidth. If this is a problem for you, you can block them, rate limit them, deprioritize them, etc. (BTW, I found some NBAR matching not always accurate. You need to know the actual criteria being used by NBAR for specific "protocols". Sometimes it's just port matching, and it could be other traffic.)

To further identify the hosts using some of the protocols, would it be fine to create an ACL (deny or permit) & enable the log-input option?

How do we actually interpret the packet counts that are given, like can we get the size of the protocol in MBytes & how is the bit rate summed up?

Thanks.

Sunny,

I recommend configuring NetFlow instead.

NetFlow will display the port being used by the src/dst.

__

Edison.

Thanks, I also viewed sh ip cache flow, which shows me src/des along with protocols like tcp/udp but not particular ports.

Is that the same thing?

Please refer to the documentation on how to read the show ip cache verbose flow output

http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_02.html#wp1013892

The port information is there :)

__

Edison.
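The options raised in this thread (NBAR discovery, rate limiting a matched protocol, an ACL with log-input to identify hosts, and NetFlow with port detail), as an added IOS configuration example that is not from any of the posters. The interface name, the class-map, policy-map and ACL names, the 64 kbps police rate and the use of TCP port 4662 as an eDonkey port are assumptions; adjust them to the device and traffic in question.

```cisco
! Added example, not from the thread. Names, rate and port are assumptions.
!
! 1. NBAR per-protocol counters on the interface under study
interface FastEthernet0/0
 ip nbar protocol-discovery
 ! 2. NetFlow on the same interface, for per-flow source/destination ports
 ip flow ingress
!
! 3. Rate limit traffic that NBAR classifies as eDonkey
class-map match-any P2P-TRAFFIC
 match protocol edonkey
!
policy-map LIMIT-P2P
 class P2P-TRAFFIC
  police 64000 conform-action transmit exceed-action drop
!
! 4. Log which hosts send to the assumed eDonkey port.
!    log-input records the ingress interface and source MAC as well.
!    The final permit keeps all other traffic flowing.
ip access-list extended LOG-P2P-HOSTS
 permit tcp any any eq 4662 log-input
 permit ip any any
!
interface FastEthernet0/0
 ip access-group LOG-P2P-HOSTS in
 service-policy input LIMIT-P2P
!
! Verification (exec mode):
!   show ip nbar protocol-discovery      per-protocol packet, byte and bit-rate counters
!   show ip cache verbose flow           flows with source and destination ports
!   show policy-map interface FastEthernet0/0
!   show access-lists LOG-P2P-HOSTS      hit counts per entry
```

Because NBAR classification is sometimes only port based, as noted above, compare the ACL log entries and the NetFlow ports against the NBAR counters before acting on a match.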
