May 16, 2006
Walking in the World of NBAR
Not many people know this, but if your Cisco router is running a recent (within the last 3 years or so) IOS version, it comes with a built-in, application-layer packet-inspection feature called Network Based Application Recognition (NBAR). This utility was originally designed for the world of Quality of Service (QoS), but it is now used for many other purposes. Try this:
On your router, enter interface configuration mode for the interface connected to the Internet and type the command ip nbar protocol-discovery. That enables the packet-inspection engine on that interface. Now exit back out to privileged mode and type the command show ip nbar protocol-discovery stats bit-rate top-n 10. You'll be presented with output listing the ten busiest applications by bit rate, which looks like this:

Yup - it even recognizes common peer-to-peer applications (Kazaa, BitTorrent, Napster, and so on...). This thing rocks, and it gives you a fly-by pulse of your current network traffic. What's more? It's free. What's better? It takes about the same amount of processor utilization as a standard access-list. Some days I wonder, "Why would you buy anything else but Cisco?" *grin*
PS - it may be a good idea to make an alias for the show ip nbar command above. I talk about this in one of the early posts here: Three handy alias commands.
PPS - there are many other options for the show ip nbar command. Just use the context sensitive help to see what else you can discover.
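The whole procedure from the post in one session, as an added example that is not from the original post: CEF is turned on first (the comments below report that discovery refuses to start without it), discovery is enabled on the edge interface, the show command gets an alias, and a CPU check is included because discovery is not free on a busy box. The interface name, the alias name and the CPU check are assumptions.

```cisco
! Added example, not from the original post. FastEthernet0/0 is assumed to be
! the Internet-facing interface; "nbar" is an assumed alias name.
configure terminal
 ! Prerequisite: protocol discovery requires CEF (or distributed CEF) switching
 ip cef
 interface FastEthernet0/0
  ! Start classifying traffic on this interface by application
  ip nbar protocol-discovery
  exit
 ! Shortcut for the command we will run most often
 alias exec nbar show ip nbar protocol-discovery stats bit-rate top-n 10
 end
! Ten busiest applications by 5-minute bit rate, input and output
show ip nbar protocol-discovery stats bit-rate top-n 10
! Same counters, restricted to one interface
show ip nbar protocol-discovery interface FastEthernet0/0 stats bit-rate top-n 10
! Drill into a single application once something looks out of place
show ip nbar protocol-discovery protocol bittorrent
! Watch what discovery costs on this platform before leaving it on permanently
show processes cpu | include CPU utilization
```

Turn discovery off again with no ip nbar protocol-discovery on the interface if the CPU figure climbs, as one commenter reports happening on a loaded 7200.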
Posted by JC at May 16, 2006 7:47 AM
Comments
Also, we can use the ip nbar port-map command to look for a protocol, by protocol name, using a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.
Usage as per Cisco:
ip nbar port-map protocol-name [tcp | udp] port-number
Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535.
-Sikandar Singh
http://ciscotips.wordpress.com
Posted by: Sikandar at May 16, 2006 7:17 PM
Oh yeah - this rocks. You can have NBAR recognize and report your own custom applications. Can't get much better than that!!! Thanks Sikandar.
Posted by: Jeremy at May 17, 2006 8:28 AM
What does it mean when I get this message when issuing ip nbar protocol-discovery on my interface?
CEF or distributed CEF switching is required for NBAR 'protocol discovery' command
Posted by: vo243 at July 20, 2006 4:35 PM
It means you have to turn on CEF first - go to global configuration mode and do the following:
Router(config)#ip cef
That's it!
Posted by: Jeremy at July 21, 2006 9:00 PM
Thanks Jeremy, unfortunately this crashed my router. :-)
Probably should do this on the inside Ethernet interfaces?
Posted by: vo243 at July 24, 2006 2:19 PM
Lan(config)#ip cef
Lan(config)#interface fastEthernet 0/1
Lan(config-if)#ip nbar protocol-discovery
Lan(config-if)#exit
Lan(config)#exit
Lan#
Lan#sh ip nbar protocol-discovery st
Lan#sh ip nbar protocol-discovery int fastEthernet 0/0
Question is: why don't I see any output from the above command?
Please see my Cisco IOS version:
Lan#sh ver
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.3(8)T11, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 10-Aug-05 21:28 by dchih
ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)
Lan uptime is 25 weeks, 1 day, 14 hours, 47 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-ipbase-mz.123-8.T11.bin"
Cisco 2811 (revision 53.51) with 253952K/8192K bytes of memory.
Processor board ID FTX0938A38R
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Posted by: Vasanth at August 31, 2006 12:20 PM
Is it necessary to enable NBAR protocol discovery on the interface for policy-maps that use NBAR for protocol selection? (i.e. class-map match-all rpc_dcom \ match protocol netbios)
Posted by: Ketchapay at September 6, 2006 3:40 AM
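Putting Sikandar's port-map note and the class-map usage Ketchapay asks about together, as an added example that is not from the post or from Cisco's documentation: a web application on non-standard ports is mapped onto NBAR's http signature, and a policy then uses match protocol to rate-limit peer-to-peer traffic without any protocol-discovery line on the interface. The ports, class and policy names, interface and rate are assumptions.

```cisco
! Added example, not from the original post. Ports 8080/8443, the class and
! policy names, FastEthernet0/0 and the 256 kbit/s rate are all assumptions.
configure terminal
 ! Teach the http signature about the extra ports our web app listens on;
 ! up to 16 ports may be listed (keep 80 in the list or it is replaced)
 ip nbar port-map http tcp 80 8080 8443
 ! Classify peer-to-peer by application signature rather than by port
 class-map match-any P2P
  match protocol kazaa2
  match protocol bittorrent
  match protocol gnutella
  exit
 ! Police the P2P class and drop whatever exceeds the rate
 policy-map EDGE-IN
  class P2P
   police 256000 conform-action transmit exceed-action drop
   exit
  exit
 ! Applying the policy is what switches NBAR classification on here
 interface FastEthernet0/0
  service-policy input EDGE-IN
  exit
 end
! Per-class packet counters and policer statistics
show policy-map interface FastEthernet0/0
! Confirm the port-map took effect
show ip nbar port-map http
```

After the port-map, both protocol discovery and this policy count traffic on 8080 and 8443 as http, so the discovery top-n output changes as well.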
You can also access all the stats available in NBAR PD with the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB.
You can extend this to use MRTG, which consists of a Perl script that uses SNMP to read the traffic counters of your routers. The program logs the traffic data and creates beautiful graphs representing the traffic on the monitored network connection. These graphs are embedded into webpages which can be viewed from browsers.
You can see examples of NBAR with MRTG here:
http://vermeer.org/display_doc.php?doc_id=6
http://redes.dcsc.utfsm.cl/mrtg/border-gw-nbar/
http://daffy.memphis.edu/MRTG/nbar-internet/nbar-internet-telnet-45.html
Posted by: Richard Wellum at September 26, 2006 1:13 PM
Excellent article. I first saw this in one of your Voice videos. Is there any way to identify what IP address the traffic originates from?
Posted by: Brian from Texas at March 19, 2008 11:27 PM
Hi,
For recognizing (NBAR) traffic of about 80 Mbps volume on two interfaces, my ip nbar protocol-discovery has been generating up to 60% CPU on a 7200 series.
And I suggest not applying this command should you be using a Cisco 7200 NPE-G1 with 1 GB of memory.
a. rahman isnaini r.sutan
2404:170:253::10
Research & Development
Posted by: a. rahman isnaini r.sutan at April 15, 2008 3:22 AM
Is there NBAR available on the ASA? Could it be in the development phase?
Posted by: Jason Marx at August 29, 2008 9:34 AM