NBAR Question
Hi Guys,
My question is whether NBAR will recognize BitTorrent traffic that is using another port.
For example, when I run this command: sh ip nbar port-map, I get this:
port-map bittorrent tcp 6969 6881 6882 6883 6884 6885 6886 6887 6888 6889
If BitTorrent is running on, for example, port 6346, will NBAR detect it, or will it only discover traffic using the ports mapped to bittorrent?
Thanks in advance.
Comments
-
marlon23 Member Posts: 164
BitTorrent is identified by heuristics by IOS, so after the handshake, if the first packet payload contains BitTorrent patterns, the flow is identified as a BitTorrent protocol flow. So yes, if not encrypted, fragmented, etc., it will be identified.
LAB: 7609-S, 7606-S, 10008, 2x 7301, 7204, 7201 + bunch of ISRs & CAT switches
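Added example, not part of the thread and not Cisco's code: a simplified Python model of the difference described in the reply above between a static port map and inspection of the first payload. The function names and sample flows are constructed; the only protocol detail assumed is the public cleartext BitTorrent handshake prefix (length byte 19 followed by "BitTorrent protocol").

```python
# Added illustration; a simplified model, not Cisco's NBAR/PDLM logic.

# Ports listed for bittorrent in the `sh ip nbar port-map` output in the question.
PORT_MAP = {6969, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889}

# Start of a cleartext BitTorrent peer handshake: length byte 19 + protocol name.
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"


def by_port(dst_port):
    """Classify using only the static port map."""
    return "bittorrent" if dst_port in PORT_MAP else "unknown"


def by_payload(first_payload):
    """Classify using only the first data packet after TCP setup."""
    return "bittorrent" if first_payload.startswith(HANDSHAKE_PREFIX) else "unknown"


# Constructed sample flows: (label, destination port, first payload).
CLEAR = HANDSHAKE_PREFIX + bytes(48)  # reserved + info_hash + peer_id, zeroed placeholders
FLOWS = [
    ("mapped port, cleartext", 6881, CLEAR),
    ("port 6346, cleartext", 6346, CLEAR),
    ("port 6346, obfuscated", 6346, bytes(range(0x80, 0xC4))),  # no readable prefix
    ("port 6346, split handshake", 6346, CLEAR[:7]),  # prefix cut across segments
    ("mapped port, HTTP", 6881, b"GET / HTTP/1.1\r\n"),  # port match, wrong protocol
]


def compare(flows):
    """Return {label: (port-map verdict, payload verdict)} for each flow."""
    return {label: (by_port(port), by_payload(data)) for label, port, data in flows}


if __name__ == "__main__":
    for label, (port_v, payload_v) in compare(FLOWS).items():
        print(f"{label:28} port-map={port_v:10} payload={payload_v}")
```

The port-6346 cleartext flow is caught only by the payload check, while the obfuscated and split-handshake flows show the "encrypted, fragmented" caveat: a first-packet pattern match sees nothing to match.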
-
elegua Member Posts: 282
marlon23 wrote: "BitTorrent is identified by heuristics by IOS, so after the handshake, if the first packet payload contains BitTorrent patterns, the flow is identified as a BitTorrent protocol flow. So yes, if not encrypted, fragmented, etc., it will be identified."
Hi marlon23,
Thank you for confirming this. I read about the encrypted traffic, but I wasn't sure whether traffic is recognized if BitTorrent uses another port. Also, thank you for your explanation of how NBAR works in this case; I guess it uses the same pattern for every kind of traffic, doesn't it?
Thank you.
-
chrisone Member Posts: 2,278
IP NBAR will also track these applications that use random port numbers with the latest PDLM under the "FastTrack" category.
It is best used in a class map (identify traffic), a policy map (what to do with the traffic), and then applied to an interface.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX