NBAR and HTTP Traffic Classification

When I was thinking of next blog, I got an idea to do a deeper study on NBAR traffic classification and share some valuables over here. In this blog, I am going to concentrate on some Advanced section of NBAR classifications.

NBAR (Network Based Application Recognization):

NBAR is a Cisco technology, is an intelligent classification engine in Cisco IOS Software that can
recognize web based applications and client/server applications by doing a deep packet inspection. Classification of traffic by NBAR is done by doing a deep packet inspection for each packet as defined in the PDLM for the application (PDLMs contain the rules used by NBAR to recognize an application and is defined by Cisco) and not on the port information in the packets. By this deep packet inspection, NBAR can identify applications that use dynamic ports as well (eg: bit torrent or VoIP and etc). To know more about NBAR, click here

Benefits of Using NBAR:

Before Implementing QoS(Quality of Service) on the network, The first step for Administrators is to
identify and classify network traffic. It will be very easy task for administrator to implement QoS after identifying the variety of applications and protocols that are running on a network.

With NBAR administrator can see how much traffic is generated by each protocol, then users can specify classes for each traffic which can provide different level of service on the network traffic. Hence, NBAR helps administrator for better network management.

Following are the benefits using NBAR:

  • Identifying Applications and Protocol from Layer 4 to Layer 7
  • Identifying Random Port Application(Like Skype, Edonkey).

  • Can also identify Non TCP/UDP IP protocol.

  • Deep packet analysis or Sub port application

HTTP Traffic Classification using NBAR:

HTTP traffic can be classified in various different ways using NBAR, they are:

  • HTTP Traffic classification by URL Host, or MIME
  • HTTP Traffic Classification Using the HTTP Header Fields
  • Combinations of HTTP Headers and URL, Host, or MIME Type to Identify HTTP Traffic

HTTP Traffic classification by URL, Host, or MIME

With Regular NetFlow export, The Application Traffic is classified based on port and protocol. Whereas NBAR can go beyond TCP/UDP ports and perform deeper analysis on the traffic payload to classify packets based on that, this is called Deep packet analysis or Subport classification.

An example for Subport classification is HTTP traffic by URL, host, or Multipurpose Internet Mail Extension (MIME) type .

URL Classification:-

NBAR classifies HTTP traffic by text within the URL or host fields of a request using regular expression matching. HTTP client request matching in NBAR supports most HTTP request methods such as GET, PUT, HEAD, POST, DELETE, OPTIONS, CONNECT, and TRACE. The NBAR engine then converts the specified match string into a regular expression.

It uses Regular expression matching to classify HTTP traffic by text within the URL or Host fields. It
supports most HTTP Request method like (GET, PUT, HEAD, POST, DELETE, OPTIONS, CONNECT, and TRACE). NBAR then converts the specified match string into a regular expression.

When specifying URL for classification, Specify only part of the URL after Domain.


The URL, include only /products/netflow/netflow-features.html, with the match statement.

match protocol http url/products/netflow/netflow-features.html

Classification Based On Host :-

This is similar to URL classification, NBAR performs a regular expression match on the host field contents inside an HTTP packet and classifies all packets from that host.

Example :-

In the below given URL, it perform match as follows

match protocol http url

Classification of HTTP Traffic using Header Fields:

HTTP traffic is based on Client/Server Model, The client sends a request to the server and the sends a
response packet to the client and closes the connection after delivering the response.

NBAR can identify Header Fields on the HTTP request and Response and classifies the traffic.

NBAR can classify the following HTTP header fields:

HTPP Request Header Fields:-

  • User-Agent

  • Referer

  • From

HTTP Response:-

  • Server

  • Location

  • Content-Base

  • Content-Encoding

match protocol http c-header-field is used to recognize Clients Request message and match protocol http s-header-field is used to recognize Server HTTP client response message.

You can also classify the HTTP traffic using the combination of URL, HOST and Header Fields for based on your requirement, this can provide more flexibility when classifying HTTP traffic.

So using the NBAR HTTP traffic classification, network administrator can find out how much traffic
is being utilized by each URL. Based on the traffic utilization, he can set some QoS policies to prioritize or limit the bandwidth for certain URL’s. You can visit the this blog to know how to configure QoS policies.

Praveen Kumar
NetFlow Analyzer
Technical Team

Download | Twitter |

You Can Learn More About the ManageEngine Product Line By Going to

The original article/video can be found at NBAR and HTTP Traffic Classification

About the Author: Shannon Lewis

Leave a Reply Cancel reply