NBAR classifies only established sessions

Network Based Application Recognition (NBAR) is used on Cisco IOS routers to perform payload inspection which involves deep packet inspection.  Instead of just looking at information found at Layers 2, 3, and 4, the router will look at the contents of the payload and will recognize the application. Thus packets can be classified based on the application that is running.

Thus, in the case of a TCP session, such as those created when using Telnet or SSH, NBAR will not classify any packets until the session is established.

For example, if any Telnet or SSH attempt fails, no classification will take place, because no actual Telnet or SSH information has been exchanged. NBAR's deep packet inspection on the TCP handshake will not identify those packets as belonging to Telnet or SSH, thus it will not classify them.


Links to this page: