NBAR classifies only established sessions
Network Based Application Recognition (NBAR) is used on Cisco IOS routers to perform payload inspection which involves deep packet inspection. Instead of just looking at information found at Layers 2, 3, and 4, the router will look at the contents of the payload and will recognize the application. Thus packets can be classified based on the application that is running.
For example, if any Telnet or SSH attempt fails, no classification will take place, because no actual Telnet or SSH information has been exchanged. NBAR's deep packet inspection on the TCP handshake will not identify those packets as belonging to Telnet or SSH, thus it will not classify them.