It is my understanding that NBAR is able to classify certain packets based on certain descriptors in the packet. It is also my understanding that the FTP client and server negotiate different port numbers once the session is initiated. I have enabled NBAR protocol discovery on all ports and debug NBAR unclassified port stats. Once the session is initiated, all FTP traffic is classified as unknown, with different port numbers. I have also tried using extended access lists to match some traffic, but it only sees the initial traffic.
How can I classify FTP traffic coming into my router from the internet?
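To illustrate the port negotiation the question describes, here is an added example (not from the poster and not router code): a stateful pass over a constructed FTP control-channel exchange that learns the dynamic data-channel endpoints from PASV/PORT/EPSV, and a classifier showing why a static port-21 match sees only the control session. The addresses, ports and dialogue are constructed sample values.

```python
import re
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed FTP control-channel exchange (client 198.51.100.7 -> server
# 192.0.2.10, port 21); sample data, not traffic from the original post.
SERVER_IP, CLIENT_IP = "192.0.2.10", "198.51.100.7"
SAMPLE_CONTROL = [
    ("server", "220 ftp.example.test ready"),
    ("client", "USER anonymous"),
    ("server", "230 Login successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,0,2,10,195,80)."),  # 195*256+80 = 50000
    ("client", "RETR file.bin"),
    ("client", "PORT 198,51,100,7,4,1"),                           # 4*256+1 = 1025
    ("server", "200 PORT command successful."),
    ("client", "EPSV"),
    ("server", "229 Entering Extended Passive Mode (|||50001|)."),
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoint(direction: str, line: str, server_ip: str) -> Optional[Endpoint]:
    """Return the (host, port) a data connection will use, if this line announces one."""
    if direction == "server" and (m := PASV_RE.match(line)):
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    if direction == "client" and (m := PORT_RE.match(line)):
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    if direction == "server" and (m := EPSV_RE.match(line)):
        # EPSV carries no address: the data connection goes to the server itself.
        return server_ip, int(m.group(1))
    return None


def learn_data_endpoints(exchange, server_ip: str) -> List[Endpoint]:
    """Stateful pass over the control channel: collect every announced data endpoint."""
    found = [data_endpoint(d, l, server_ip) for d, l in exchange]
    return [e for e in found if e is not None]


def classify(dst_ip: str, dst_port: int, learned: List[Endpoint]) -> str:
    """A static port-21 rule only labels the control channel; data flows need learned state."""
    if dst_port == 21:
        return "ftp"
    return "ftp-data" if (dst_ip, dst_port) in learned else "unknown"
```

Without the learned endpoints, every data connection lands in "unknown", which is the behaviour the question reports for a stateless ACL match.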