Synopsis:
This documentation assumes that your version of Cisco IOS supports the ciscoNbarProtocolDiscoveryMIB MIB (1.3.6.1.4.1.9.9.244), that Multi Router Traffic Grapher (MRTG) is installed and working, that SNMP is installed and working, and that you have used custom mrtg.cfg files.
What is NBAR?
Network Based Application Recognition (NBAR) is an intelligent classification engine that recognizes both static applications (which use fixed TCP or UDP port numbers) and stateful applications (which dynamically assign TCP or UDP port numbers).
The NBAR Protocol Discovery Management Information Base (MIB) expands the capabilities of NBAR Protocol Discovery by providing the following new Protocol Discovery functionalities through SNMP:
What is MRTG?
MRTG consists of a Perl script which uses SNMP to read the traffic counters of your routers and a fast C program which logs the traffic data and creates beautiful graphs representing the traffic on the monitored network connection. These graphs are embedded into webpages which can be viewed from any modern Web-browser.
In addition to a detailed daily view, MRTG also creates visual representations of the traffic seen during the last seven days, the last five weeks and the last twelve months. This is possible because MRTG keeps a log of all the data it has pulled from the router. This log is automatically consolidated so that it does not grow over time, but still contains all the relevant data for all the traffic seen over the last two years. This is all performed in an efficient manner. Therefore you can monitor 200 or more network links from any halfway decent UNIX box.
MRTG is not limited to monitoring traffic, though. It is possible to monitor any SNMP variable you choose. You can even use an external program to gather the data which should be monitored via MRTG. People are using MRTG to monitor things such as System Load, Login Sessions, Modem availability and more. MRTG even allows you to accumulate two or more data sources into a single graph.
Enable NBAR in IOS:
!
Router# configure terminal
Router(config)# interface FastEthernet 1/0
Router(config-if)# ip nbar protocol-discovery
Router(config-if)# end
!
Test for Supported MIB:
snmpwalk -c COMMUNITY -v2c IPADDRESS 1.3.6.1.4.1.9.9.244
iso.3.6.1.4.1.9.9.244.1.1.1.1.1.1 = INTEGER: 1
iso.3.6.1.4.1.9.9.244.1.1.1.1.1.2 = INTEGER: 2
iso.3.6.1.4.1.9.9.244.1.1.1.1.1.3 = INTEGER: 2
iso.3.6.1.4.1.9.9.244.1.1.1.1.1.4 = INTEGER: 2
iso.3.6.1.4.1.9.9.244.1.1.1.1.2.1 = Timeticks: (1537) 0:00:15.37
iso.3.6.1.4.1.9.9.244.1.1.1.1.2.2 = Timeticks: (0) 0:00:00.00
iso.3.6.1.4.1.9.9.244.1.1.1.1.2.3 = Timeticks: (0) 0:00:00.00
iso.3.6.1.4.1.9.9.244.1.1.1.1.2.4 = Timeticks: (0) 0:00:00.00
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.1 = STRING: "ftp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.2 = STRING: "http"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.3 = STRING: "egp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.4 = STRING: "gre"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.5 = STRING: "icmp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.6 = STRING: "eigrp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.7 = STRING: "ipinip"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.8 = STRING: "ipsec"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.9 = STRING: "bgp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.10 = STRING: "cuseeme"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.11 = STRING: "dhcp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.12 = STRING: "dns"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.13 = STRING: "finger"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.14 = STRING: "gopher"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.15 = STRING: "secure-http"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.16 = STRING: "imap"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.17 = STRING: "secure-imap"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.18 = STRING: "irc"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.19 = STRING: "secure-irc"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.20 = STRING: "kerberos"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.21 = STRING: "l2tp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.22 = STRING: "ldap"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.23 = STRING: "secure-ldap"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.24 = STRING: "sqlserver"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.25 = STRING: "netbios"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.26 = STRING: "nfs"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.27 = STRING: "nntp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.28 = STRING: "secure-nntp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.29 = STRING: "notes"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.30 = STRING: "ntp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.31 = STRING: "pcanywhere"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.32 = STRING: "pop3"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.33 = STRING: "secure-pop3"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.34 = STRING: "pptp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.35 = STRING: "rip"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.36 = STRING: "rsvp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.37 = STRING: "smtp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.38 = STRING: "snmp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.39 = STRING: "socks"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.40 = STRING: "ssh"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.41 = STRING: "syslog"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.42 = STRING: "telnet"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.43 = STRING: "secure-telnet"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.44 = STRING: "secure-ftp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.45 = STRING: "xwindows"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.46 = STRING: "printer"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.47 = STRING: "novadigm"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.48 = STRING: "tftp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.49 = STRING: "exchange"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.50 = STRING: "vdolive"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.51 = STRING: "sqlnet"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.52 = STRING: "rcmd"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.53 = STRING: "netshow"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.54 = STRING: "sunrpc"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.55 = STRING: "streamwork"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.56 = STRING: "citrix"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.57 = STRING: "napster"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.58 = STRING: "fasttrack"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.59 = STRING: "gnutella"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.60 = STRING: "kazaa2"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.61 = STRING: "custom-01"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.62 = STRING: "custom-02"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.63 = STRING: "custom-03"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.64 = STRING: "custom-04"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.65 = STRING: "custom-05"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.66 = STRING: "custom-06"
MIB Not Supported in IOS:
snmpwalk -c COMMUNITY -v2c IPADDRESS 1.3.6.1.4.1.9.9.244
Cannot find module (IP-MIB): At line 0 in (none)
Cannot find module (IF-MIB): At line 0 in (none)
Cannot find module (TCP-MIB): At line 0 in (none)
Cannot find module (UDP-MIB): At line 0 in (none)
Cannot find module (SNMPv2-MIB): At line 0 in (none)
Cannot find module (SNMPv2-SMI): At line 0 in (none)
Cannot find module (UCD-SNMP-MIB): At line 0 in (none)
Cannot find module (UCD-DEMO-MIB): At line 0 in (none)
Cannot find module (SNMP-TARGET-MIB): At line 0 in (none)
Cannot find module (SNMP-VIEW-BASED-ACM-MIB): At line 0 in (none)
Cannot find module (SNMP-COMMUNITY-MIB): At line 0 in (none)
Cannot find module (UCD-DLMOD-MIB): At line 0 in (none)
Cannot find module (SNMP-FRAMEWORK-MIB): At line 0 in (none)
Cannot find module (SNMP-MPD-MIB): At line 0 in (none)
Cannot find module (SNMP-USER-BASED-SM-MIB): At line 0 in (none)
Cannot find module (SNMP-NOTIFICATION-MIB): At line 0 in (none)
Cannot find module (SNMPv2-TM): At line 0 in (none)
.iso.3.6.1.2.1.1.3.6.1.4.1.9.9.244 = No Such Instance currently exists
Examples from the following output:
snmpget -c COMMUNITY -v2c IPADDRESS 1.3.6.1.4.1.9.9.244.1.2.1.1.2.1.1
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.interface-number.protocol
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1 – FastEthernet 1/0
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.1 – FTP Protocol Number
The nbar-internet.cfg file assumes that you are monitoring FastEthernet 1/0. Change this to reflect the interface you are monitoring.
Change public@isp1 to the correct community string and IP address.
Create New Directory:
Create the following directory under mrtg web files.
nbar-internet
Files Created:
The above configuration will create the following files under the nbar-internet directory.
fasttrack.log
ftp.log
gnutella.log
h323.log
http.log
https.log
kazaa2.log
napster.log
nntp.log
pop3.log
rstp.log
smtp.log
streamworks.log
vdolive.log
MRTG CFG FILE: (nbar-internet.cfg)
### Global Config Options
Options[_]: growright,bits
WithPeak[_]: ymw
Xsize[_]: 600
Ysize[_]: 200
Ytics[_]: 10
##
## FTP Traffic Analysis
##
Target[nbar-internet-ftp]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.1&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.1:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.1&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.1:public@isp1:
SetEnv[nbar-internet-ftp]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-ftp]: nbar-internet
MaxBytes[nbar-internet-ftp]: 1000000
Title[nbar-internet-ftp]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-ftp]:
##
## HTTP Traffic Analysis
##
Target[nbar-internet-http]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.2&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.2:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.2&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.2:public@isp1:
SetEnv[nbar-internet-http]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-http]: nbar-internet
MaxBytes[nbar-internet-http]: 1000000
Title[nbar-internet-http]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-http]:
##
## HTTPs Traffic Analysis
##
Target[nbar-internet-https]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.15&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.15:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.15&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.15:public@isp1:
SetEnv[nbar-internet-https]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-https]: nbar-internet
MaxBytes[nbar-internet-https]: 1000000
Title[nbar-internet-https]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-https]:
##
## smtp Traffic Analysis
##
Target[nbar-internet-smtp]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.37&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.37:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.37&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.37:public@isp1:
SetEnv[nbar-internet-smtp]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-smtp]: nbar-internet
MaxBytes[nbar-internet-smtp]: 1000000
Title[nbar-internet-smtp]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-smtp]:
##
## NNTP Traffic Analysis
##
Target[nbar-internet-nntp]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.27&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.27:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.27&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.27:public@isp1:
SetEnv[nbar-internet-nntp]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-nntp]: nbar-internet
MaxBytes[nbar-internet-nntp]: 1000000
Title[nbar-internet-nntp]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-nntp]:
##
## vdolive Traffic Analysis
##
Target[nbar-internet-vdolive]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.50&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.50:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.50&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.50:public@isp1:
SetEnv[nbar-internet-vdolive]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-vdolive]: nbar-internet
MaxBytes[nbar-internet-vdolive]: 1000000
Title[nbar-internet-vdolive]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-vdolive]:
##
## streamworks Traffic Analysis
##
Target[nbar-internet-streamworks]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.55&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.55:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.55&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.55:public@isp1:
SetEnv[nbar-internet-streamworks]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-streamworks]: nbar-internet
MaxBytes[nbar-internet-streamworks]: 1000000
Title[nbar-internet-streamworks]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-streamworks]:
##
## napster Traffic Analysis
##
Target[nbar-internet-napster]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.57&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.57:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.57&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.57:public@isp1:
SetEnv[nbar-internet-napster]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-napster]: nbar-internet
MaxBytes[nbar-internet-napster]: 1000000
Title[nbar-internet-napster]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-napster]:
##
## fasttrack Traffic Analysis
##
Target[nbar-internet-fasttrack]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.58&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.58:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.58&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.58:public@isp1:
SetEnv[nbar-internet-fasttrack]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-fasttrack]: nbar-internet
MaxBytes[nbar-internet-fasttrack]: 1000000
Title[nbar-internet-fasttrack]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-fasttrack]:
##
## gnutella Traffic Analysis
##
Target[nbar-internet-gnutella]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.59&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.59:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.59&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.59:public@isp1:
SetEnv[nbar-internet-gnutella]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-gnutella]: nbar-internet
MaxBytes[nbar-internet-gnutella]: 1000000
Title[nbar-internet-gnutella]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-gnutella]:
##
## kazaa2 Traffic Analysis
##
Target[nbar-internet-kazaa2]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.60&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.60:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.60&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.60:public@isp1:
SetEnv[nbar-internet-kazaa2]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-kazaa2]: nbar-internet
MaxBytes[nbar-internet-kazaa2]: 1000000
Title[nbar-internet-kazaa2]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-kazaa2]:
##
## H323 Traffic Analysis
##
Target[nbar-internet-h323]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.75&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.75:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.75&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.75:public@isp1:
SetEnv[nbar-internet-h323]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-h323]: nbar-internet
MaxBytes[nbar-internet-h323]: 1000000
Title[nbar-internet-h323]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-h323]:
##
## rstp Traffic Analysis
##
Target[nbar-internet-rstp]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.71&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.71:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.71&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.71:public@isp1:
SetEnv[nbar-internet-rstp]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-rstp]: nbar-internet
MaxBytes[nbar-internet-rstp]: 1000000
Title[nbar-internet-rstp]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-rstp]:
##
## pop3 Traffic Analysis
##
Target[nbar-internet-pop3]: 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.32&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.32:public@isp1 + 1.3.6.1.4.1.9.9.244.1.2.1.1.5.1.32&1.3.6.1.4.1.9.9.244.1.2.1.1.6.1.32:public@isp1:
SetEnv[nbar-internet-pop3]: MRTG_INT_IP="" MRTG_INT_DESCR=""
Directory[nbar-internet-pop3]: nbar-internet
MaxBytes[nbar-internet-pop3]: 1000000
Title[nbar-internet-pop3]: Cisco Nbar Protocol Analysis
PageTop[nbar-internet-pop3]:
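Added example (not part of the original nbar-internet.cfg or the author's tooling): the stanzas above hard-code the protocol number at the end of each OID, so this Python script reads those numbers from the device's own snmpwalk output of the protocol-name column and builds each Target from them. The function names are hypothetical, the sample rows are constructed from the output format shown on this page, each Target names the OID pair once, and the target name uses the NBAR protocol name (secure-http rather than https).

```python
import re

# Per-protocol stats table as used in nbar-internet.cfg:
# column .2 holds the protocol name, columns .5 and .6 are the pair each Target joins with "&".
BASE = "1.3.6.1.4.1.9.9.244.1.2.1.1"
NAME_ROW = re.compile(
    r'^(?:iso|\.?1)\.3\.6\.1\.4\.1\.9\.9\.244\.1\.2\.1\.1\.2'
    r'\.(\d+)\.(\d+) = STRING: "([^"]+)"$')

# Constructed sample: a MIB-loader warning, a row from another table,
# and four protocol-name rows for interface-number 1.
SAMPLE_WALK = '''Cannot find module (IF-MIB): At line 0 in (none)
iso.3.6.1.4.1.9.9.244.1.1.1.1.2.1 = Timeticks: (1537) 0:00:15.37
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.1 = STRING: "ftp"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.2 = STRING: "http"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.15 = STRING: "secure-http"
iso.3.6.1.4.1.9.9.244.1.2.1.1.2.1.37 = STRING: "smtp"
'''

def parse_protocols(walk_text):
    """Return {interface-number: {protocol name: protocol number}}."""
    table = {}
    for line in walk_text.splitlines():
        m = NAME_ROW.match(line.strip())
        if m:  # warnings and rows from other columns are skipped
            if_index, proto_index, name = int(m.group(1)), int(m.group(2)), m.group(3)
            table.setdefault(if_index, {})[name] = proto_index
    return table

def mrtg_stanza(table, if_index, protocol, community, router,
                prefix="nbar-internet"):
    """Build one stanza; raises KeyError if the walk did not list the protocol."""
    idx = table[if_index][protocol]
    name = f"{prefix}-{protocol}"
    pair = f"{BASE}.5.{if_index}.{idx}&{BASE}.6.{if_index}.{idx}"
    return "\n".join([
        f"Target[{name}]: {pair}:{community}@{router}:",
        f"Directory[{name}]: {prefix}",
        f"MaxBytes[{name}]: 1000000",
        f"Title[{name}]: Cisco Nbar Protocol Analysis",
    ])

if __name__ == "__main__":
    protocols = parse_protocols(SAMPLE_WALK)
    for proto in ("ftp", "secure-http"):
        print(mrtg_stanza(protocols, 1, proto, "COMMUNITY", "IPADDRESS"), "\n")
```

A protocol that the device does not report raises KeyError instead of producing a stanza that polls a non-existent instance.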



