Flexible NetFlow NBAR2 with URLs and Caller ID
Posted in IPFIX, NetFlow, NetFlow Analyzer on February 16th, 2011 by NewsTrax

I recently learned that Cisco is planning to have integration with DPI (Deep Packet Inspection). What does this mean to your NetFlow collector and NetFlow Analyzer? More good stuff!
Seriously, it means more information on the applications on your network. What good is a NetFlow reporting tool that only tells you the application is ‘HTTP’ (i.e. port 80)? Many applications today use port 80, and a whole slew of others use random ports. This is a real problem for NetFlow monitoring tools because there often isn’t enough information in the traditional NetFlow v5 tuple to determine the actual application (e.g. Skype, BitTorrent, H.323, GoToMeeting, etc.). The identification has to be done by the hardware or software that exports the IPFIX or NetFlow information.
Below is a screen capture of our BETA support for the SonicWALL IPFIX exports. You can click on any of the applications below to find out who is sending this data. When applicable, even the URLs involved with a flow can be accessed.
Application recognition requires deep packet inspection, and hardware vendors like Cisco and SonicWALL are already exporting flows that are associated with layer 7.
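To make the point concrete, here is an added example (not from the original post or any vendor's code) that decodes a constructed IPFIX message carrying the applicationId information element (RFC 6759) and compares the port-based label with the exporter-supplied one. The application name table and the selector values 1001 and 1002 are invented for illustration, and the parser assumes fixed-length IANA fields with one template per template set.

```python
import socket
import struct

# Constructed lookup tables; selector values 1001/1002 are invented here.
APP_NAMES = {(3, 80): "http", (13, 1001): "skype", (13, 1002): "bittorrent"}
PORT_NAMES = {80: "http", 443: "https"}
IE = {8: "src", 12: "dst", 11: "dport", 4: "proto", 95: "app"}  # IANA IE IDs

def decode(ie, raw):
    if ie in (8, 12):
        return socket.inet_ntoa(raw)
    if ie == 95:  # applicationId: 1-byte classification engine + selector
        return (raw[0], int.from_bytes(raw[1:], "big"))
    return int.from_bytes(raw, "big")

def parse_ipfix(msg):  # assumes fixed-length fields, one template per set
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10 or length != len(msg):
        raise ValueError("not a complete IPFIX message")
    templates, flows, pos = {}, [], 16  # sets start after the 16-byte header
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")
        body = msg[pos + 4:pos + set_len]
        if set_id == 2:  # template set: template ID, field count, (IE, len)*
            tid, count = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(count)]
        elif fields := templates.get(set_id):  # data set for a known template
            rec_len = sum(n for _, n in fields)
            for off in range(0, len(body) - rec_len + 1, rec_len):
                rec = {}
                for ie, n in fields:
                    rec[IE.get(ie, ie)], off = decode(ie, body[off:off + n]), off + n
                flows.append(rec)
        pos += set_len
    return flows

def build_sample():  # constructed message: one template, three flows to port 80
    tmpl = struct.pack("!14H", 2, 28, 256, 5, 8, 4, 12, 4, 11, 2, 4, 1, 95, 4)
    rows = [("10.0.0.5", 3, 80), ("10.0.0.6", 13, 1001), ("10.0.0.7", 13, 1002)]
    data = b"".join(socket.inet_aton(src) + socket.inet_aton("192.0.2.10")
                    + struct.pack("!HBB", 80, 6, eng) + sel.to_bytes(3, "big")
                    for src, eng, sel in rows)
    sets = tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 1) + sets

def compare(flows):  # (source, port-based label, exporter-supplied label)
    return [(f["src"], PORT_NAMES.get(f["dport"], "unknown"),
             APP_NAMES.get(f["app"], "unknown")) for f in flows]
```

Calling `compare(parse_ipfix(build_sample()))` labels all three flows `http` by port, while the exporter-supplied field separates them.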
Some of the information Cisco plans to export in NBAR2 includes:
• HTTP Reports (e.g. Hostnames and URLs)
• SIP Reports (e.g. Calling Id, Caller Id)
The above is expected to be available in 15.0(1)M on the Cisco ISR-G2. This is an exciting advancement in the NetFlow industry. I hope that the folks behind the sFlow technology are thinking about similar exports. Below is a screen capture of the new SonicWALL VoIP report which includes Caller ID:
If you’re a hardware or software company looking to support Deep Packet Inspection, contact us for IPFIX consulting. We want to work with you.
BTW: If you are a company that is going to implement DPI, export the data using IPFIX. Even Cisco will eventually move away from NetFlow as the transport. I can’t reveal my sources…

Do you have a list of vendors that this is going to work with? This looks pretty slick; I might be able to get my boss to spring for it if we have compatible hardware.
Currently nBox from Ravica.com and the SonicWALL export URLs via IPFIX (NetFlow). I know Cisco has plans, but I don’t know when. I don’t know of any other vendors.
You mention above that you believe “HTTP Reports (e.g. Hostnames and URLs)” would be included in NBAR2 on IOS version 15.0(1)M. Do you know if this has been included?
We just recently got a Cisco 881 with IOS 15.0(1)M4, and a networking engineer and I have been trying to figure out a) if the router supports URL export via NetFlow, and b) how we would configure it.
Thanks.
Hi Jason,
Cisco has not released support for exporting URLs with NetFlow yet. The only two vendors that have are nBox and SonicWALL. Cisco’s Performance Monitoring with NetFlow exports latency details on TCP connections as well as jitter and packet loss details on RTP. Great stuff, and remember, you need another license key from Plixer to enable the Medianet reports on these new exports from Cisco.
[...] suspiciously like a typical peer to peer application. For this reason, I suggest enabling Cisco NBAR2 on your routers as it will accurately decode Skype connections from the plethora of other [...]