asked on

Cisco NBAR Protocol Discovery Question

Hi All

i have a router that is runing NBAR Protocol Discovery and it is showing that there is a large amount of edonkey traffic going through the router is there anyway i can find out what ip the edonkey traffic is coming from?

many thanks

zwart072

if you are using also nat, you can use the command "show ip nat translations" you can see all the connections on which ports are made on source and also destination ip adresses/ port numbers

JAMESBALL

ASKER

i have tryed this but i think the nbar is picking the data up by looking at the application data so i not sure which port it is using i am guessing it maybe tunneling through port 80

zwart072

If you can't see which port it is using, you can use nbar to block the edonkey traffic.
See also http://www.cisco.com/go/nbar

JAMESBALL

ASKER

aye i was tempted to try it and see if any one moaned would like to see if can track down the miss guided user.....

that1guy15

NBAR is only going to classify this traffic and allow you to do with it how you like. If you want more details of the traffic then you would need to setup and monitor NetFlow.

But i agree, the simplest way would be to just block the traffic and wait for the person to complain.

JAMESBALL

ASKER

do you know if netflow will show protocols like nbar does? i never used netflow before

ASKER CERTIFIED SOLUTION

that1guy15

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

JAMESBALL

ASKER

thats great thanks for your help

JAMESBALL

ASKER

I found the traffic but is saying it is kazaa traffic on port 1214 between a workstation and the exchange server anyone seen that before??

that1guy15

Hmmm this traffic should be showing up going out your edge router.

Check your exchange server to see if it is actually making a connection with the workstation.