Bittorrent is getting around Cisco Nbar

Posted on 2008-11-13
Last Modified: 2012-05-05
Half of my DS3 bit rate is unknown with nbar protocol-discovery. I know this traffic is bittorrent; is there anything else I can do to rate limit it with Cisco? Or do I need to look at a different product? The problem is that cisco nbar is not seeing the bittorrent.

Cisco 3845 with Version 12.4(21a)

class-map match-any P2P
match protocol bittorrent
match protocol gnutella
match protocol edonkey
match protocol kazaa2
match protocol fasttrack
match protocol directconnect
match protocol winmx
match protocol custom-01
policy-map P2P
class P2P
police cir 40000
conform-action transmit
exceed-action drop
violate-action drop

giga 0/0 is the network side
giga 0/1 internet side

The setup is all correct.

sh policy-map int giga 0/1

Class-map: P2P (match-any)
3094246 packets, 405621021 bytes
5 minute offered rate 84000 bps, drop rate 44000 bps
Match: protocol bittorrent
2012067 packets, 323545868 bytes
5 minute rate 59000 bps
Match: protocol gnutella
50716 packets, 10618062 bytes
5 minute rate 4000 bps
Match: protocol edonkey
1016563 packets, 68773980 bytes
5 minute rate 20000 bps
Match: protocol kazaa2
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol fasttrack
209 packets, 26453 bytes
5 minute rate 0 bps
Match: protocol directconnect
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol winmx
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol custom-01
14690 packets, 2656604 bytes
5 minute rate 0 bps
cir 40000 bps, bc 1500 bytes, be 1500 bytes
conformed 2539939 packets, 198667831 bytes; actions:
exceeded 17316 packets, 3979007 bytes; actions:
violated 536991 packets, 202974183 bytes; actions:
conformed 39000 bps, exceed 0 bps, violate 44000 bps

Class-map: class-default (match-any)
61657129 packets, 25490943500 bytes
5 minute offered rate 4702000 bps, drop rate 0 bps
Match: any

interface GigabitEthernet0/1
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
no ip mroute-cache
duplex full
speed 100
media-type rj45
no cdp enable
no mop enabled
service-policy output P2P

show ip nbar protocol-discovery stats bit-rate top-n 10

                            Input                    Output
                            -----                    ------
Protocol                    5min Bit Rate (bps)      5min Bit Rate (bps)
------------------------    ------------------------ ------------------------
http                        30624000                 923000
bittorrent                  1185000                  69000
edonkey                     985000                   23000
secure-http                 237000                   92000
rtsp                        239000                   4000
smtp                        41000                    127000
h323                        98000                    3000
dns                         36000                    11000
novadigm                    0                        31000
secure-pop3                 21000                    3000
unknown                     5217000                  3592000
Total                       38725000                 4888000
Question by: bobertperry
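To put a number on how much of the link NBAR leaves unclassified (the "unknown" row in the top-n output above), here is an added Python example, not from the original thread or from Cisco, that parses that output and flags a direction whose unknown share exceeds a threshold; the sample text is constructed from the figures quoted in the question, and the 25% threshold is an assumed value.

```python
import re

# Constructed sample: the 'show ip nbar protocol-discovery stats bit-rate top-n 10'
# output quoted in the question, reproduced here so the script runs offline.
SAMPLE = """\
                            Input                    Output
                            -----                    ------
Protocol                    5min Bit Rate (bps)      5min Bit Rate (bps)
------------------------    ------------------------ ------------------------
http                        30624000                 923000
bittorrent                  1185000                  69000
edonkey                     985000                   23000
secure-http                 237000                   92000
rtsp                        239000                   4000
smtp                        41000                    127000
h323                        98000                    3000
dns                         36000                    11000
novadigm                    0                        31000
secure-pop3                 21000                    3000
unknown                     5217000                  3592000
Total                       38725000                 4888000
"""

# A data row is: protocol name, input bps, output bps. Header and ruler lines
# carry no digit columns and therefore never match.
ROW = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s+(\d+)\s+(\d+)\s*$")


def parse_top_n(text):
    """Return {protocol: (input_bps, output_bps)} parsed from the top-n output."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return rows


def unknown_share(rows):
    """Fraction of the Total bit rate NBAR could not classify, as (input, output)."""
    total = rows["total"]
    unknown = rows.get("unknown", (0, 0))
    return tuple(u / t if t else 0.0 for u, t in zip(unknown, total))


def check(rows, threshold=0.25):
    """List the directions whose unclassified share exceeds the (assumed) threshold."""
    shares = unknown_share(rows)
    return [(name, s) for name, s in zip(("input", "output"), shares) if s > threshold]


if __name__ == "__main__":
    for name, share in check(parse_top_n(SAMPLE)):
        print(f"{name}: {share:.1%} of traffic unclassified by NBAR")
```

On the question's figures the output direction is about 73% unknown, which is the policing gap the thread is about; the input direction (about 13%) stays under the threshold.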
    LVL 23

    Expert Comment

    It may be encrypted BitTorrent traffic which defeats NBAR.

    There may be other products/methods like SCE / NetEnforcer / Sandvine
    that can deal with encrypted BitTorrent traffic.

    I would suggest using NBAR to rate-limit unencrypted bittorrent traffic,
    and take other measures to ban/penalize any hosts participating in encrypted bittorrent traffic.
    LVL 13

    Expert Comment

    Drop all non-http traffic and you're set. :)
    LVL 23

    Expert Comment

    Until they start using port 80 for bittorrent traffic...

    You need to actually analyze the port 80 traffic somehow to make sure it's actually HTTP and the 'CONNECT' method isn't being used.

    Author Comment

    Sadness.  I thought for some reason NBAR did analyze each packet.  Do you guys know anything about   Think I could use that but not block, just rate limit? preferably just the upload?
    LVL 26

    Accepted Solution

    NBAR DOES analyze each packet...but if a packet is encrypted, NBAR can't tell what it is, so the analysis doesn't give you a useful result for encrypted packets.
    LVL 23

    Expert Comment

    With Linux and Rope you can change the rule from -j DROP
    to apply a custom chain.

    But if the bittorrent traffic isn't encrypted, Cisco NBAR should be perfectly capable of identifying it.

    If the setup packet is encrypted, that Rope script isn't going to identify the communication as BitTorrent.

    Expert Comment

    I have a similar problem and would like to get help for the same problem of encrypted BitTorrent.
