04-14-2009 02:03 AM - edited 03-06-2019 05:09 AM
Hi,
We ran NBAR last time to check out flows in our network. There were some unknown protocols registered; any idea what they are composed of? There are counts for edonkey & kerberos as well; are they harmful & how to tackle them?
The output gives the 5 min bit rate along with the byte count, which means the count would vary as time passes, so at the end of the day wouldn't these be basically average readings, & how do Max bit rate & 5 min bit rate differ?
Thanks.
04-14-2009 04:36 AM
"There were some unknown protocols registered, any idea what are they composed of?"
There's a debug NBAR option that can further "break out" the unknowns (stats by port numbers). (NB: don't recall the actual command.)
"there are counts for edonkey & kerberos as well, are they harmful & how to tackle them?"
Whether they're harmful and what to do about them is up to you. One common concern is their usage of bandwidth. If this is a problem for you, you can block them, rate limit them, deprioritize them, etc. (BTW, I found some NBAR matching not always accurate. You need to know the actual criteria being used by NBAR for specific "protocols". Sometimes it's just port matching, and it could be other traffic.)
04-14-2009 05:34 AM
To further identify the hosts using some of the protocols, would it be fine to create an ACL (deny or permit) & enable the log-input option?
How do we actually interpret the packet counts that are given, like can we get the size of the protocol in MBytes & how is the bit rate summed up?
Thanks.
04-14-2009 06:01 AM
Sunny,
I recommend configuring NetFlow instead.
NetFlow will display the port being used by the src/dst.
__
Edison.
04-14-2009 06:05 AM
Thanks, I also viewed sh ip cache flow, which shows me src/des along with protocols like tcp/udp but not particular ports.
Is that the same thing?
04-14-2009 06:12 AM
Please refer to the documentation on how to read the show ip cache verbose flow output
http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_02.html#wp1013892
The port information is there :)
__
Edison.