Network-Based Application Recognition (NBAR) reveals a more accurate picture of traffic that is active on your network. NBAR Protocol Discovery leverages deep packet inspection performed at the router. NBAR looks at the packets being transferred (not just the port they use) to determine their ultimate protocol and help indicate their purpose.

Note: Class Based Quality of Service (CBQoS) metrics reflect a policy or priority given to certain types of traffic (usually time-sensitive traffic such as video or voice) by rules set at the router. These rules rely on NBAR classification.

Advantages to using NBAR traffic classification include:

  • Identify non-conforming traffic. Unexpected or masquerading traffic can use well-known ports (a port reserved by the IETF standards body for a specific protocol). Port use does not guarantee the actual packet data is legitimate, so this makes packet inspection with NBAR necessary.
  • Identify random use of UDP and TCP. Many legitimate application sessions (application level protocols) spawn UDP or TCP connections, and these connections use the next available port within a given port range. Packet inspection reveals the detailed protocol leveraging UDP or TCP.
  • A clearer picture of mixed data. Revealing the underlying protocol that's used enables you to understand which traffic can be given priority (audio, video, and time sensitive data transfer) over others (bulk file upload, for example) while giving you insights into organizational trends, user trends, and organizational behavior.
Tip: NBAR classification is available on most Cisco routers.

Polled NBAR Statistics versus Statistics Embedded in Rich NetFlow Summaries

Using the NTA Sources library, there are two different ways to get NBAR reporting from NTA.

Method for Gathering NBAR Statistics

Requirements

Embedded. Get NBAR statistics from a stream of NetFlow traffic summaries.

Embedded yields a rich NBAR Application - Flow Details report. This means that NBAR data is delivered with observed traffic data NetFlow measurements. This adds meaning and context to what the NBAR packet inspection reveals and enables you to pivot through all aspects of the NetFlow data that interest you.

Automatic if enabled at a source device configured for Flexible NetFlow.

NetFlow source is listed in NTA Sources Library as Enabled and Receiving Flows with NBAR Embedded listed as Embedded.

Polled. Use SNMP to poll a device for NBAR metrics related to the traffic observed at the source.

This is essentially a summary or breakdown of application packets seen use at the observation point (in other words the switch, router, or other enabled NBAR source).

Yields NBAR Applications - Interface Totals report.

Device must be added to NTA Sources Library.

  • Appropriate SNMP credentials are selected for polling.
  • Poll Source for NBAR traffic is selected.

Gather NBAR/CBQoS Statistics through Polling

To add Polled NBAR classification gathering to an NTA source:

  1. Select Network Traffic Analysis > NTA Sources from the SETTINGS main menu item to launch the NTA Source Library.
  2. Click the Add icon, then choose NBAR/CBQoS Polling Source from the options displayed to launch the Flow Source dialog.
  3. Enter the following:
    • Source IP. The IP address of the flow source device.
    • Display Name. (Optional.) Name to display in source and NTA reports.
  4. Use the toggle provided to Enable data collection from this source.
  5. Select the SNMP Credentials from the drop-down list provided. WhatsUp Gold NTA queries the source device for interface information. The dialog displays known network interfaces for the current device.
  6. Use the checkboxes provided to indicate what data NTA should request from the source.
    • Poll source for interface traffic. Select this option to enable the device as an SNMP statistics source for NTA.
    • Poll source for NBAR statistics. Select this option to enable gathering NBAR classification totals by way of SNMP. Please note, for Flexible NetFlow and other cases where NBAR is already embedded, enabling NBAR collection here is not necessary.
    • Poll source for CBQoS statistics. Select this option to enable statistics gathering related to CBQoS policies. Please note, QoS classes and policies need to be defined on the source device for meaningful report data.
  7. Select the Access rights tab to set access rights to flow data from the source.
    Note: If you do not have permissions to manage users, Access rights button is not accessible.
  8. Interfaces. Select one or more interfaces,then click Display or Hide to have traffic included in source metrics.
  9. Click Save.

Check the NBAR Applications - Interface Totals report to ensure flow data is received by WhatsUp Gold.