
May 16, 2006

Walking in the World of NBAR

Not many people know this, but if your Cisco router is running a recent (within the last 3 years or so) IOS version, it comes with a built-in, application-layer packet sniffing application called Network Based Application Recognition (NBAR). This utility was originally designed for the world of Quality of Service (QoS), but is now used for many different capabilities. Try this:

On your router, enter interface configuration mode for the interface connected to the Internet and type the command ip nbar protocol-discovery. That enables the packet-sniffing application on that interface. Now exit back out to privileged mode and type the command show ip nbar protocol-discovery stats bit-rate top-n 10. You'll be presented with an output that looks like this:

Yup - it even recognizes common peer-to-peer applications (kazaa, bittorrent, napster, and so on...). This thing rocks, and it gives you a fly-by pulse of your current network traffic. What's more? It's free. What's better? It takes about the same amount of processor utilization as a standard access-list. Some days I wonder, "Why would you buy anything else but Cisco?" *grin*
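The same procedure written out end to end, as an added example (this listing is not from the original post). The interface name FastEthernet0/0 and the hostname are assumptions; the ip cef line is the prerequisite that IOS enforces before it will accept protocol discovery on an interface, and the final command is the baseline check worth taking before leaving discovery switched on.

```cisco
! Added example, not from the original post. Interface name and hostname are assumptions.
!
! CEF is a prerequisite. Without it the interface command is refused with:
!   CEF or distributed CEF switching is required for NBAR 'protocol discovery' command
Router# configure terminal
Router(config)# ip cef
!
! Enable discovery only on the Internet-facing interface; every interface
! you enable it on adds deep-packet-inspection work for the CPU.
Router(config)# interface FastEthernet0/0
Router(config-if)# ip nbar protocol-discovery
Router(config-if)# end
!
! Read the counters for the SAME interface you enabled it on. Querying a
! different interface returns nothing useful.
Router# show ip nbar protocol-discovery interface FastEthernet0/0 stats bit-rate top-n 10
!
! Cost check: compare the 5-second / 1-minute / 5-minute averages with the
! values you recorded before enabling discovery, and back it out if the
! platform cannot afford the inspection.
Router# show processes cpu
```

The top-n output is per interface and per direction, so a protocol that only appears in the Output column is traffic the router is sending toward the Internet, which is the side worth watching for unexpected peer-to-peer or tunnelled applications.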

PS - it may be good for you to make an alias of the show ip nbar command above. I talk about this in one of the early posts here: Three handy alias commands.

PPS - there are many other options for the show ip nbar command. Just use the context sensitive help to see what else you can discover.

Posted by JC at May 16, 2006 7:47 AM

Comments

Also, we can use the ip nbar port-map command to look for the protocol or protocol name, using a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.

Usage as per cisco:-
ip nbar port-map protocol-name [tcp | udp] port-number

Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535.

-Sikandar Singh
http://ciscotips.wordpress.com

Posted by: Sikandar at May 16, 2006 7:17 PM
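Sikandar's port-map command in use, as an added example (not part of the comment above). The scenario and port numbers are assumptions: an internal web service on TCP 8080 that NBAR would otherwise report as unknown.

```cisco
! Added example, not from the original post. Port 8080 is an assumed internal service.
!
! The port list given here REPLACES the ports NBAR uses for the protocol,
! so the IANA port (80) has to be repeated to keep it in the map.
Router(config)# ip nbar port-map http tcp 80 8080
Router(config)# end
!
! Confirm which ports NBAR now associates with http
Router# show ip nbar port-map http
!
! Revert to the default mapping when the test is over
Router# configure terminal
Router(config)# no ip nbar port-map http tcp 80 8080
```

Keep in mind that the same map also drives any "match protocol http" class in a QoS or drop policy, so widening a port map widens what that policy treats as HTTP; review the existing policy-maps before changing one.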

Oh yeah - this rocks. You can have NBAR recognize and report your own custom applications. Can't get much better than that!!! Thanks Sikandar.

Posted by: Jeremy at May 17, 2006 8:28 AM

What does it mean when I get this message when issuing ip nbar protocol-discovery for my interface?

CEF or distributed CEF switching is required for NBAR 'protocol discovery' command

?

Posted by: vo243 at July 20, 2006 4:35 PM

It means you have to turn on CEF first - go to global configuration mode and do the following:

Router(config)#ip cef


That's it!

Posted by: Jeremy at July 21, 2006 9:00 PM

Thanks Jeremy, unfortunately this crashed my router. :-)

Probably should do this on inside ethernet interfaces?

Posted by: vo243 at July 24, 2006 2:19 PM

Lan(config)#ip cef
Lan(config)#interface fastEthernet 0/1
Lan(config-if)#ip nbar protocol-discovery
Lan(config-if)#exit
Lan(config)#exit

Lan#
Lan#sh ip nbar protocol-discovery st

Lan#sh ip nbar protocol-discovery int fastEthernet 0/0

Question is - > Why don't I see any output from the above command?

Please see my Cisco IOS version:

Lan#sh ver
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.3(8)T11, RELEAS
E SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 10-Aug-05 21:28 by dchih

ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)

Lan uptime is 25 weeks, 1 day, 14 hours, 47 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-ipbase-mz.123-8.T11.bin"

Cisco 2811 (revision 53.51) with 253952K/8192K bytes of memory.
Processor board ID FTX0938A38R
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Posted by: Vasanth at August 31, 2006 12:20 PM

Is it necessary to enable NBAR protocol discovery on the interface for policy-maps that use NBAR for protocol selection? (i.e. class-map match-all rpc_dcom \ match protocol netbios)

Posted by: Ketchapay at September 6, 2006 3:40 AM

You can also access all the stats available in NBAR PD with the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB.

http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&mibName=CISCO-NBAR-PROTOCOL-DISCOVERY-MIB

You can extend this to use MRTG, which consists of a Perl script that uses SNMP to read
the traffic counters of your routers. The program logs the traffic data and creates
beautiful graphs representing the traffic on the monitored network connection. These
graphs are embedded into webpages which can be viewed from browsers.

You can see examples of NBAR with MRTG here:

http://vermeer.org/display_doc.php?doc_id=6

http://redes.dcsc.utfsm.cl/mrtg/border-gw-nbar/

http://daffy.memphis.edu/MRTG/nbar-internet/nbar-internet-telnet-45.html

http://www.somix.com/products/denika_nbar.php

Posted by: Richard Wellum at September 26, 2006 1:13 PM
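Before pointing MRTG or any other poller at the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB, the SNMP agent itself has to be enabled and, more importantly, limited to the polling host and to read-only access. The router-side configuration for that, as an added example (not from Richard's comment or from the MRTG project); the ACL number, the poller address 192.0.2.10, the group and user names and every credential are placeholders.

```cisco
! Added example, not from the original post. Addresses, names and passwords are placeholders.
!
! Only the monitoring host may talk SNMP to this router.
Router(config)# access-list 10 permit host 192.0.2.10
!
! Preferred: SNMPv3 with authentication and encryption, read-only.
Router(config)# snmp-server group NBAR-RO v3 priv access 10
Router(config)# snmp-server user mrtg NBAR-RO v3 auth sha AUTH-PASSWORD-PLACEHOLDER priv aes 128 PRIV-PASSWORD-PLACEHOLDER access 10
!
! Fallback when the poller only speaks v2c: a read-only community bound to
! the same ACL. Never configure RW for a graphing tool.
Router(config)# snmp-server community COMMUNITY-PLACEHOLDER RO 10
!
! Optional but useful: a source interface so the poller can pin the router's address in its own ACLs.
Router(config)# snmp-server trap-source Loopback0
```

With this in place the NBAR counters that show ip nbar protocol-discovery prints are the same ones the MIB exposes, so the MRTG graphs in the links above can be reproduced without giving the poller any write access to the router.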

Excellent article. I first saw this in one of your Voice videos. Is there any way to identify what IP address the traffic originates from?

Posted by: Brian from Texas at March 19, 2008 11:27 PM


Hi,

For recognizing (NBAR) traffic of about 80 Mbps volume on two interfaces, my ip nbar protocol-discovery has been generating up to 60% CPU on a 7200 series.

And I suggest not applying this command should you be using a Cisco 7200 NPE G1, Memory 1 G.

a. rahman isnaini r.sutan
2404:170:253::10
Research & Development

Posted by: a. rahman isnaini r.sutan at April 15, 2008 3:22 AM

Is there NBAR available on ASA? Could it be in development phase...... ?

Posted by: Jason Marx at August 29, 2008 9:34 AM

Is it possible for NBAR to identify ip source and destination that is using the application?

Posted by: LouB at September 23, 2008 6:16 PM

Hi,

I need to block all internet access and permit only selected URLs on internet for my internal users.

Can I achieve this with NBAR?

Is NBAR available in ASA?

Rgds

Posted by: vadivel at February 19, 2009 10:52 PM
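Two of the questions above are about using NBAR for classification rather than for statistics: Ketchapay asks whether protocol discovery must be enabled on the interface for a class-map that uses match protocol, and vadivel asks whether NBAR can permit only selected web sites. Protocol discovery is not required for match protocol; it only feeds the counters. The following policy is an added example (not from either comment): it rate-limits NBAR-recognised peer-to-peer traffic and drops plain-HTTP requests for any host other than an allowed pattern. Class, policy and interface names, the rate and the host pattern are assumptions.

```cisco
! Added example, not from the original post. Names, rate and host pattern are assumptions.
!
! match protocol needs CEF, but NOT "ip nbar protocol-discovery" on the interface.
Router(config)# ip cef
!
! 1. Peer-to-peer traffic as NBAR recognises it (names as known to 12.3T/12.4 NBAR)
Router(config)# class-map match-any P2P
Router(config-cmap)# match protocol bittorrent
Router(config-cmap)# match protocol kazaa2
Router(config-cmap)# match protocol edonkey
Router(config-cmap)# exit
!
! 2. Web requests for permitted hosts, matched on the HTTP Host header.
!    This only sees cleartext HTTP; HTTPS is encrypted and cannot be matched
!    on host or URL, so "everything else" still needs an ACL.
Router(config)# class-map match-any ALLOWED-WEB
Router(config-cmap)# match protocol http host "*.example.com"
Router(config-cmap)# exit
!
! 3. Any other web request
Router(config)# class-map match-all ALL-WEB
Router(config-cmap)# match protocol http
Router(config-cmap)# exit
!
! Classes are evaluated in order; the first match wins, so ALLOWED-WEB
! (no action = forward) must come before ALL-WEB (drop).
Router(config)# policy-map INTERNET-POLICY
Router(config-pmap)# class P2P
Router(config-pmap-c)# police 64000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# class ALLOWED-WEB
Router(config-pmap-c)# exit
Router(config-pmap)# class ALL-WEB
Router(config-pmap-c)# drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Apply inbound on the LAN-facing interface so client requests are
! classified before they leave the router.
Router(config)# interface FastEthernet0/1
Router(config-if)# service-policy input INTERNET-POLICY
Router(config-if)# end
!
! Per-class counters show what is being policed or dropped
Router# show policy-map interface FastEthernet0/1
```

Because the HTTP match is on a client-supplied header, a user who rewrites the Host header or uses HTTPS is not covered by class ALLOWED-WEB; treat this as traffic shaping and visibility, and put the actual access restriction in an access-list or on a firewall.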

Since you're enabling NBAR on the Internet-facing interface of your upstream router (your FW uses this interface IP as its gateway out; your clients then use the FW as their gateway out, presumably), there is no way via the Cisco to determine the originating IP. The originating IP will always be the FW sitting behind it.

There are different deployment scenarios that could get you the IPs, but I would imagine you'd have to do many-to-many NATing.

Posted by: harry at March 17, 2009 1:43 PM
