With the barrage of applications today sharing similar behavior characteristics at the protocol level, it becomes necessary to take deep packet inspection steps to determine what the actual application is that is causing the traffic. Thankfully, Cisco already does this for us with something called Network-Based Application Recognition (NBAR) . We explained NBAR support in a recent blog and how it allows us to improve on network traffic analysis.
Once you enable NBAR exports with NetFlow you will notice that since it supports Flexible NetFlow, a few different templates get kicked out.
One of the templates seen below kicks out all of the applications NBAR is performing deep packet inspection for:

Notice above that the pagination is showing only the first 25 of 24 pages! Another template kicked out by NBAR NetFlow is the actual flows with the new “NBAR Application” field. These are the flows that we use for our reporting as shown below:

Cisco allows us to define NBAR Applications using Packet Description Language Modules (PDLM). They are built to match on unclassified traffic or traffic that is not specifically supported as a match protocol statement. Building PDLMs requires more than basic knowledge of Cisco IOS. If you are an ambitious person, you can build your own then set thresholds in Scrutinizer Flow Analytics for your defined NBAR application.
If you need help with NBAR or NetFlow, contact us.