Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
286
Views
0
Helpful
3
Replies

NBAR HTTP classification

JACQUES DU PLESSIS
Level 1
Level 1

‎10-17-2014 07:36 AM - edited ‎03-04-2019 11:59 PM

Hi Guys,

I am trying to match traffic from pingdom.com from probing some web servers. So I have:

 Class Map match-all unwanted (id 1)
   Match protocol http c-header-field "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)\r\n"

 Class Map match-any class-default (id 0)
   Match any

  Policy Map ingress
    Class unwanted
    Class class-default

interface GigabitEthernet0/0.13102
  service-policy input ingress

 

But I am getting no matches for the traffic, even though wireshark shows traffic with the user agent field exactly listed above.

The class-default class does hits. Is there something I am missing here?

Thanks!

Jacques

 

Labels:
0 Helpful
3 Replies 3

ghostinthenet
Level 7
Level 7

‎10-17-2014 12:38 PM

You may be a bit too literal in your match statement, especially with including the carriage return and linefeed. I could be mistaken, but I don't believe this is used when doing a match against the field.

The "match protocol http c-header-field" command looks for headers that contain the argument anywhere within the field, so you can be much more generic and use something like:

match protocol http c-header-field "pingdom"

In the policy map, the "class class-default" entry is a catch-all and will match anything that isn't caught by the other classes. You don't even need to define it separately as a class map. Because it catches everything not otherwise defined, you're going to get hits on it as long as the policy is applied properly... which is a good sign.

0 Helpful

JACQUES DU PLESSIS
Level 1
Level 1
In response to ghostinthenet

‎10-19-2014 02:19 AM

Thanks Jody, yes I know the text part can be a regex, so some characters might be misinterpreted. But I have tried "pingdom" and that did not work either. So I looked at user agent field and used the exact text (including \r\n). But I will play with it again tomorrow and post an update.

 

Thanks!

Jacques

0 Helpful

JACQUES DU PLESSIS
Level 1
Level 1
In response to ghostinthenet

‎10-20-2014 05:13 AM

Just an update, seems that the software version on the router has bug CSCsy22787. I see it is fixed in an update (we have M6, bug is fixed in M7. Go figure).

Thanks

Jacques

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card