When I was thinking of next blog, I got an idea to do a deeper study on NBAR traffic classification and share some valuables over here. In this blog, I am going to concentrate on some Advanced section of NBAR classifications.
NBAR (Network Based Application Recognization):
NBAR is a Cisco technology, is an intelligent classification engine in Cisco IOS Software that can
recognize web based applications and client/server applications by doing a deep packet inspection. Classification of traffic by NBAR is done by doing a deep packet inspection for each packet as defined in the PDLM for the application (PDLMs contain the rules used by NBAR to recognize an application and is defined by Cisco) and not on the port information in the packets. By this deep packet inspection, NBAR can identify applications that use dynamic ports as well (eg: bit torrent or VoIP and etc). To know more about NBAR, click here
Benefits of Using NBAR:
Before Implementing QoS(Quality of Service) on the network, The first step for Administrators is to
identify and classify network traffic. It will be very easy task for administrator to implement QoS after identifying the variety of applications and protocols that are running on a network.
With NBAR administrator can see how much traffic is generated by each protocol, then users can specify classes for each traffic which can provide different level of service on the network traffic. Hence, NBAR helps administrator for better network management.
Following are the benefits using NBAR:
- Identifying Applications and Protocol from Layer 4 to Layer 7
Identifying Random Port Application(Like Skype, Edonkey).
Can also identify Non TCP/UDP IP protocol.
Deep packet analysis or Sub port application
HTTP Traffic Classification using NBAR:
HTTP traffic can be classified in various different ways using NBAR, they are:
- HTTP Traffic classification by URL Host, or MIME
- HTTP Traffic Classification Using the HTTP Header Fields
- Combinations of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic
HTTP Traffic classification by URL, Host, or MIME
With Regular NetFlow export, The Application Traffic is classified based on port and protocol. Whereas NBAR can go beyond TCP/UDP ports and perform deeper analysis on the traffic payload to classify packets based on that, this is called Deep packet analysis or Subport classification.
An example for Subport classification is HTTP traffic by URL, host, or Multipurpose Internet Mail Extension (MIME) type .
NBAR classifies HTTP traffic by text within the URL or host fields of a request using regular expression matching. HTTP client request matching in NBAR supports most HTTP request methods such as GET, PUT, HEAD, POST, DELETE, OPTIONS, CONNECT, and TRACE. The NBAR engine then converts the specified match string into a regular expression.
It uses Regular expression matching to classify HTTP traffic by text within the URL or Host fields. It
supports most HTTP Request method like (GET, PUT, HEAD, POST, DELETE, OPTIONS, CONNECT, and TRACE). NBAR then converts the specified match string into a regular expression.
When specifying URL for classification, Specify only part of the URL after Domain.
http://www.manageengine.com/products/netflow/netflow-features.html, include only /products/netflow/netflow-features.html, with the match statement.
match protocol http url/products/netflow/netflow-features.html
Classification Based On Host :-
This is similar to URL classification, NBAR performs a regular expression match on the host field contents inside an HTTP packet and classifies all packets from that host.
In the below given URL, it perform match as follows
match protocol http url
Classification of HTTP Traffic using Header Fields:
HTTP traffic is based on Client/Server Model, The client sends a request to the server and the sends a
response packet to the client and closes the connection after delivering the response.
NBAR can identify Header Fields on the HTTP request and Response and classifies the traffic.
NBAR can classify the following HTTP header fields:
HTPP Request Header Fields:-
match protocol http c-header-field is used to recognize Clients Request message and match protocol http s-header-field is used to recognize Server HTTP client response message.
You can also classify the HTTP traffic using the combination of URL, HOST and Header Fields for based on your requirement, this can provide more flexibility when classifying HTTP traffic.
So using the NBAR HTTP traffic classification, network administrator can find out how much traffic
is being utilized by each URL. Based on the traffic utilization, he can set some QoS policies to prioritize or limit the bandwidth for certain URL’s. You can visit the this blog to know how to configure QoS policies.
The original article/video can be found at NBAR and HTTP Traffic Classification