Cisco Support Community

NBAR HTTP classification

Hi Guys,

I am trying to match traffic from probing some web servers. So I have:

 Class Map match-all unwanted (id 1)
   Match protocol http c-header-field "Pingdom.com_bot_version_1.4_(\r\n"

 Class Map match-any class-default (id 0)
   Match any

  Policy Map ingress
    Class unwanted
    Class class-default

interface GigabitEthernet0/0.13102
  service-policy input ingress


But I am getting no matches for the traffic, even though Wireshark shows traffic with the user agent field exactly as listed above.

The class-default class does get hits. Is there something I am missing here?






You may be a bit too literal in your match statement, especially with including the carriage return and linefeed. I could be mistaken, but I don't believe this is used when doing a match against the field.

The "match protocol http c-header-field" command looks for headers that contain the argument anywhere within the field, so you can be much more generic and use something like:

match protocol http c-header-field "pingdom"

In the policy map, the "class class-default" entry is a catch-all and will match anything that isn't caught by the other classes. You don't even need to define it separately as a class map. Because it catches everything not otherwise defined, you're going to get hits on it as long as the policy is applied properly... which is a good sign.


Thanks Jody, yes I know the text part can be a regex, so some characters might be misinterpreted. But I have tried "pingdom" and that did not work either. So I looked at the user agent field and used the exact text (including \r\n). But I will play with it again tomorrow and post an update.





Just an update, seems that the software version on the router has bug CSCsy22787. I see it is fixed in an update (we have M6, bug is fixed in M7. Go figure).



