Network Based Application Recognition: Difference between revisions

Content deleted Content added
automatically recognize dataflow-types by the looks of the first packet.
 
Undid revision 1285706095 by Mike Holand102 (talk) Refspam
 
(34 intermediate revisions by 29 users not shown)
Line 1:
'''Network Based Application Recognition''' (NBAR)<ref>[https://web.archive.org/web/20050924161229/http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm NBAR defined at Cisco website]</ref> is the mechanism used by some [[Cisco]] [[Router (computing)|router]]s and [[Network switch|switches]] to recognize a [[Traffic_flow_(computer_networking)|dataflow]] by inspecting some [[packet (information technology)|packets]] sent.
Network Based Application Recognition
 
The [[Computer network|networking]] equipment which uses NBAR does a [[deep packet inspection]] on some of the packets in a dataflow, to determine which traffic category the flow belongs to. Used in conjunction with other features, it may then program the internal [[application-specific integrated circuits]] (ASICs) to handle this flow appropriately. The categorization may be done with [[Application_layer|Open Systems Interconnection (OSI) layer 4]] info, packet content, signaling, and so on but some new applications have made it difficult on purpose to cling to this kind of tagging.<ref>[[BitTorrent protocol encryption|BitTorrent Encryption and Obfuscation]]</ref>
available in Cisco networking equipment (maybe in other companies' equipment too, but I don't know other equpments and it will surely have another name.. sorry).
 
The NBAR approach is useful in dealing with malicious [[software]] using known [[TCP and UDP port|ports]] to fake being "priority traffic", as well as non-standard applications using dynamic ports.<ref>''[http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml Using Network-Based Application Recognition and ACLs] for Blocking the "Code Red" Worm'', Cisco.</ref> That's why NBAR is also known as [[OSI layer 7]] categorization.
It is the mechanism to recognize a dataflow by the first packet sent. (IMHO)
 
On Cisco routers, NBAR is mainly used for [[quality of service]] and [[network security]] purposes.
AFAIK the networking equipment takes a close look at the first packet of each dataflow (IP connection etc..) and decides what to do with the packet and all other packtes of the flow. then it programmes the internal [[ASIC]]s to handle this flow appropriatly. usually the categorisation is done with OSI-layer4 info at most (IP protocol and port), but new applications have made it difficult to cling to this kind of tagging.
 
==References==
malicious software using known ports to fake being "priority traffic" (such as TCP port 80 for HTTP) or non-standard apps using non-determinaly ports have made the NBAR approach useful.
{{reflist}}
 
== External links ==
the networking equipment does a [[deep packet inspection]] on the first packet, to determin the kind of traffic cathegory the packet belongs to, using a NBAR profile. based on this cathegory the complete flow can be put into low or high prio classes and thus assigned to queues.
*[http://whitepapers.zdnet.co.uk/0,39025945,60105500p-39000590q,00.htm ''Network Based Application Recognition: RTP Payload Classification''], Cisco.
*[http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ac3082.shtml ''Block P2P Traffic on a Cisco IOS Router using NBAR Configuration Example''], Cisco.
 
[[Category:Computer network security]]
dont beat me up, if this is wrong.<br>
 
more info at CCO: http://www.cisco.com
 
{{compu-network-stub}}
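
Review bot: In the added second paragraph, the link `[[Application_layer|Open Systems Interconnection (OSI) layer 4]]` targets the application-layer article while its label says layer 4, and the removed text described the layer 4 information as "IP protocol and port". Point the link at the transport-layer article or change the label so that target and label agree. In the added third paragraph, "That's why NBAR is also known as OSI layer 7 categorization" follows the sentence about malicious software and dynamic ports, but the reason it relies on is the deep packet inspection described one paragraph earlier, so the sentence reads better placed directly after that explanation. The phrase "made it difficult on purpose to cling to this kind of tagging" would also be clearer if it named what is being evaded, namely classification by port and protocol.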