BitTorrent is getting around Cisco NBAR

Half of my DS3 bit rate shows as unknown with NBAR protocol-discovery. I know this traffic is BitTorrent; is there anything else I can do to rate limit it with Cisco? Or do I need to look at a different product? The problem is that Cisco NBAR is not seeing the BitTorrent.

Cisco 3845 with Version 12.4(21a)

class-map match-any P2P
 match protocol bittorrent
 match protocol gnutella
 match protocol edonkey
 match protocol kazaa2
 match protocol fasttrack
 match protocol directconnect
 match protocol winmx
 match protocol custom-01
!
!
policy-map P2P
 class P2P
  police cir 40000
   conform-action transmit
   exceed-action drop
   violate-action drop

giga 0/0 is the network side
giga 0/1 is the internet side

The setup is all correct.

sh policy-map int giga 0/1

 GigabitEthernet0/1

    Class-map: P2P (match-any)
      3094246 packets, 405621021 bytes
      5 minute offered rate 84000 bps, drop rate 44000 bps
      Match: protocol bittorrent
        2012067 packets, 323545868 bytes
        5 minute rate 59000 bps
      Match: protocol gnutella
        50716 packets, 10618062 bytes
        5 minute rate 4000 bps
      Match: protocol edonkey
        1016563 packets, 68773980 bytes
        5 minute rate 20000 bps
      Match: protocol kazaa2
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol fasttrack
        209 packets, 26453 bytes
        5 minute rate 0 bps
      Match: protocol directconnect
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol winmx
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol custom-01
        14690 packets, 2656604 bytes
        5 minute rate 0 bps
      police:
          cir 40000 bps, bc 1500 bytes, be 1500 bytes
        conformed 2539939 packets, 198667831 bytes; actions:
          transmit
        exceeded 17316 packets, 3979007 bytes; actions:
          drop
        violated 536991 packets, 202974183 bytes; actions:
          drop
        conformed 39000 bps, exceed 0 bps, violate 44000 bps

    Class-map: class-default (match-any)
      61657129 packets, 25490943500 bytes
      5 minute offered rate 4702000 bps, drop rate 0 bps
      Match: any

interface GigabitEthernet0/1
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 no ip mroute-cache
 duplex full
 speed 100
 media-type rj45
 no cdp enable
 no mop enabled
 service-policy output P2P

show ip nbar protocol-discovery stats bit-rate top-n 10

 GigabitEthernet0/1

                            Input                      Output
                            -----                      ------
  Protocol                  5min Bit Rate (bps)        5min Bit Rate (bps)
  ------------------------  ------------------------   ------------------------
  http                      30624000                   923000
  bittorrent                1185000                    69000
  edonkey                   985000                     23000
  secure-http               237000                     92000
  rtsp                      239000                     4000
  smtp                      41000                      127000
  h323                      98000                      3000
  dns                       36000                      11000
  novadigm                  0                          31000
  secure-pop3               21000                      3000
  unknown                   5217000                    3592000
  Total                     38725000                   4888000
bobertperry asked:

Mysidia commented:
It may be encrypted BitTorrent traffic, which defeats NBAR.

There may be other products/methods like SCE / NetEnforcer / Sandvine
that can deal with encrypted BitTorrent traffic.

I would suggest using NBAR to rate-limit unencrypted BitTorrent traffic,
and take other measures to ban/penalize any hosts participating in encrypted BitTorrent traffic.

http://en.wikipedia.org/w/index.php?title=BitTorrent_protocol_encryption&oldid=249182890
0
Quori commented:
Drop all non-http traffic and you're set. :)
0
Mysidia commented:
Until they start using port 80 for BitTorrent traffic...

You need to actually analyze the port 80 traffic somehow to make sure it's actually HTTP and the 'CONNECT' method isn't being used.
0
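The check Mysidia describes in the two comments above (traffic on port 80 that is not a plain HTTP request, the CONNECT method, and encrypted streams that look like random bytes to a signature engine such as NBAR) can be sketched as a first-bytes classifier. This is an added example, not code from this thread, from Cisco or from Rope; every function name and every sample payload below is constructed for illustration, and the entropy threshold is an assumed tuning value, not a vendor figure.

```python
import math
import re

# Constructed sample payloads: the first bytes a client sends on a TCP flow.
# None of these are captures from the thread; they are built here to exercise the classifier.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP_CONNECT = b"CONNECT tracker.example:6881 HTTP/1.1\r\nHost: tracker.example:6881\r\n\r\n"
# Plaintext BitTorrent peer handshake: pstrlen (0x13) + "BitTorrent protocol" + reserved + info_hash + peer_id
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 20 + b"B" * 20
# Stand-in for an encrypted (MSE/PE) stream: every byte value equally likely, so maximal entropy.
ENCRYPTED_LIKE = bytes(range(256)) * 2

HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
ENTROPY_THRESHOLD = 7.0  # assumed cut-off in bits/byte; plain HTTP text usually sits well below 6


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given window (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(payload: bytes) -> str:
    """Label the first bytes of a flow.

    Returns one of:
      'http'         - a well-formed HTTP/1.x request line with a normal method
      'http-connect' - an HTTP CONNECT request (a tunnel, not a plain web fetch)
      'bittorrent'   - the plaintext BitTorrent handshake signature
      'high-entropy' - looks encrypted or compressed; content cannot be identified by signature
      'unknown'      - anything else
    """
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    m = REQUEST_LINE.match(payload)
    if m and m.group(1).decode("ascii") in HTTP_METHODS:
        return "http-connect" if m.group(1) == b"CONNECT" else "http"
    # Only judge entropy on a reasonably sized window; tiny payloads give meaningless values.
    if len(payload) >= 64 and shannon_entropy(payload[:256]) > ENTROPY_THRESHOLD:
        return "high-entropy"
    return "unknown"


def flag_port80_flows(flows):
    """flows: iterable of (flow_id, dst_port, first_payload).

    Returns the ids of flows to port 80 whose first bytes are not a plain HTTP request,
    i.e. the ones a port-based 'allow only HTTP' policy would wrongly wave through.
    """
    return [fid for fid, port, payload in flows if port == 80 and classify(payload) != "http"]


# Constructed flow records for a stand-alone run (not from the router output above).
SAMPLE_FLOWS = [
    ("f1", 80, HTTP_GET),
    ("f2", 80, HTTP_CONNECT),
    ("f3", 80, BT_HANDSHAKE),
    ("f4", 80, ENCRYPTED_LIKE),
    ("f5", 443, ENCRYPTED_LIKE),  # port 443 is expected to be opaque; not flagged
]

if __name__ == "__main__":
    for fid, port, payload in SAMPLE_FLOWS:
        print(f"{fid} port {port}: {classify(payload)}")
    print("flagged on port 80:", flag_port80_flows(SAMPLE_FLOWS))
```

The ordering matters: the plaintext handshake and the HTTP request line are matched first because they are definite, and the entropy heuristic is applied only to what is left. The heuristic says nothing more than "this is not identifiable by signature"; an MSE-encrypted BitTorrent stream and any other encrypted protocol on port 80 score the same, which is exactly why the thread moves from identifying the protocol to acting on the hosts that carry such flows.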
bobertperry (Author) commented:
Sadness. I thought for some reason NBAR did analyze each packet. Do you guys know anything about http://www.lowth.com/rope/BlockingBittorrent ? Think I could use that, but not to block, just rate limit? Preferably just the upload?
Rob
0
akahan commented:
NBAR DOES analyze each packet... but if a packet is encrypted, NBAR can't tell what it is, so the analysis doesn't give you a useful result for encrypted packets.
0
Mysidia commented:
With Linux and Rope you can change the rule from -j DROP
to apply a custom chain.

But if the BitTorrent traffic isn't encrypted, Cisco NBAR should be perfectly capable of identifying it.

If the setup packet is encrypted, that Rope script isn't going to identify the communication as BitTorrent.
0
bernoulli commented:
I have a similar problem and would like to get help for the same problem of encrypted BitTorrent.
0