nbar protocol discovery

whiteford
Level 1

Hi, I have NBAR protocol discovery running with NetFlow. It says users are using eDonkey?? But I really think it's Citrix MetaFrame. How can I check what ports NBAR is using, and can they be edited?

This is a Cisco 877 in VPN mode. Version 12.4(15) T1 Advanced IP Services.

26 Replies

sh ip nbar protocol-discovery produces so much info I'll add it to a txt.

How many PCs do you have in the location?

If you can get to every single workstation, run netstat -a on the command line at those devices.

eDonkey protocol can run as a trojan and may not be visible as an application.

Only one PC today. His PC was connected to Citrix on port 1214 (Kazaa)?

Do I need to update the PDLM? I need to monitor Citrix MetaFrame on port 2598.

I see. You can update the PDLM or just change the port-map manually.

Do you think I need to? I'm on IOS 12.4(15)T1 18 July.

Will the PDLM be much more up to date? I can't seem to find it to download...

Thought I'd have a look at the PDLMs but the link fails: http://download-sj.cisco.com/swc/esd/02/268437924/contract/citrix.zip

Not sure if I need them though.

I am having the same problem, same IOS version, although I have the problem at other sites using differing IOS.

12.4(15)T1 comes with citrix.pdlm version 10 as part of the IOS. The only one available for download is version 8, and it refuses to downgrade (Version 8<10 error).

It classifies Citrix MetaFrame XP traffic no problem, but when connecting to a Citrix PS 4.0 no traffic is detected using NBAR; in fact even access-lists are ignored. It would seem in my case to be classifying the Citrix traffic as Skype, which is being matched 1st by my modular QoS.

Citrix now uses this port

Does anyone know how to resolve this? Can I stop Skype matching only?

Thanks

netstat -a shows the PC connecting to the server on port 2598, which is due to session reliability.

http://support.citrix.com/article/CTX109913&searchID=-1

TCP abz-peter-home:1156 192.168.0.17:2598 ESTABLISHED

I have added the port to NBAR

#sh ip nbar port-map
port-map citrix udp 1604
port-map citrix tcp 1494 2598

but still no match!!

Any ideas? Why doesn't NBAR take the port-map?

Thanks
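A host-side cross-check for the post above, as an added example that is not part of the original thread: it parses netstat -a lines and the sh ip nbar port-map output and reports which static port-map entry each established connection falls under. Every netstat line except the first is constructed sample data (including the address 192.168.0.20), and the script models only the static port-map, not any other matching NBAR performs.

```python
import re

# Constructed sample: port-map lines in the format shown by "sh ip nbar port-map".
PORT_MAP_OUTPUT = """\
port-map citrix udp 1604
port-map citrix tcp 1494 2598
"""

# Constructed sample: netstat -a lines; only the first is quoted from the thread.
NETSTAT_OUTPUT = """\
TCP abz-peter-home:1156 192.168.0.17:2598 ESTABLISHED
TCP abz-peter-home:1160 192.168.0.17:1494 ESTABLISHED
TCP abz-peter-home:1171 192.168.0.20:1214 ESTABLISHED
TCP abz-peter-home:135 abz-peter-home:0 LISTENING
"""

def parse_port_map(text):
    """Return {(transport, port): protocol} from 'port-map <proto> <tcp|udp> <ports>' lines."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*port-map\s+(\S+)\s+(tcp|udp)\s+([\d\s]+)$", line)
        if m:
            proto, transport, ports = m.groups()
            for port in ports.split():
                table[(transport, int(port))] = proto
    return table

def parse_netstat(text):
    """Yield (transport, local, remote_host, remote_port) for ESTABLISHED connections."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "ESTABLISHED":
            continue  # skips LISTENING sockets and three-field UDP lines
        transport, local, remote, _state = fields
        host, _, port = remote.rpartition(":")
        if port.isdigit():
            yield transport.lower(), local, host, int(port)

def classify(netstat_text, port_map_text):
    """Label each established connection with its port-map protocol, or 'unmapped'."""
    table = parse_port_map(port_map_text)
    return [(host, port, table.get((transport, port), "unmapped"))
            for transport, _local, host, port in parse_netstat(netstat_text)]

if __name__ == "__main__":
    for host, port, proto in classify(NETSTAT_OUTPUT, PORT_MAP_OUTPUT):
        print(f"{host}:{port} -> {proto}")
```

A connection that this lists as citrix but that protocol discovery counts under another protocol is one where the port-map entry is not what decided the classification.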

Now 2 of us are having the issue, I wonder if anyone else is. I use Citrix PS 4.0 and also see Skype traffic; no one is using Skype!

I have a workaround, although it's not ideal. I just changed my Modular QoS *not* to match on protocol, but rather on access list.

!
no ip access-list extended citrix_traffic
!
ip access-list extended citrix_traffic
 permit tcp any eq 1494 any
 permit tcp any any eq 1494
 permit tcp any eq 2598 any
 permit tcp any any eq 2598
!
!
class-map match-any citrix
 no match protocol citrix
 match access-group name citrix_traffic
!

This is now marking citrix traffic as it should do, but it's extremely worrying that NBAR is not doing explicitly what it is told.

There are no port-maps for Skype listed & there seems no way to disable it... thing is I also *want* to be able to classify skype traffic, Cisco really need to pull their finger out here.

p.

I'm also getting a lot of "unknown" traffic, shame it can't show the ports.

NBAR can show "unknown" port traffic, but you have to turn the feature on with debug.

How do I do that, so I will be able to see the unknown traffic?
