It is extremely important that the IT department has full information about what passes across the corporate network. It therefore needs to identify precisely which applications users are running, which of them consume the most network traffic, and whether that consumption complies with company policy. For many years, companies have identified network traffic using the SNMP protocol. SNMP is built on managed devices, agents and a network management system (NMS).

Over the years, however, SNMP stopped meeting the expectations of companies that need to understand the composition of their data traffic and not only link usage. SNMP only provides information about the number of packets received; it does not provide information about a particular data stream. In the current scenario, with several real-time applications such as IP telephony, video conferencing, VPNs and cloud computing, among others, this understanding becomes crucial.

The NetFlow Protocol for Traffic Classification

Today we can use the NetFlow protocol to overcome these limitations. NetFlow was originally a technology embedded in Cisco Systems products that analyzes packets as part of a stream instead of only counting them. NetFlow's importance lies in the fact that the analysis is performed on the data traffic and not on the input and output interfaces. Nowadays, most major vendors offer technologies similar to NetFlow.

NetFlow identifies IP streams rather than counting bytes on the interfaces. A stream is defined as a set of IP packets that share at least seven (7) identifying fields: the same source IP address, destination IP address, source port, destination port, layer 3 protocol, type of service (ToS) and logical interface.

Through NetFlow, it is possible to obtain essential information about a network, such as bandwidth monitoring and traffic analysis, network analysis and security management, identification of worms and malware, and QoS validation, among other features.

Flow Protocols Keep Growing

Because of the capabilities NetFlow offers, several other manufacturers besides Cisco, such as Juniper, Extreme and Huawei, among others, adopted its standard. These companies integrated similar functionality into their product lines.

With NetFlow, many companies have acquired extremely important information about their own network traffic by identifying applications via the port and/or the source IP and destination of the data flow.

With this method, it is possible to identify which applications are likely consuming most of the network traffic, according to the analysis criteria, by observing the network port and the protocol it corresponds to. The table below lists some protocols and their respective ports.

Protocol      Network Port
FTP           20/21
HTTP/HTTPS    80/443
NTP           123
SNMP          161/162
SMTP          366
SSH           22
TELNET        23

Noticing Some NetFlow Failures

Over the years, this has proved to be an effective method, but it does not provide all the accurate information that the current IT scenario needs. Identification by port or source IP usually no longer meets the IT industry's expectations, because it cannot distinguish between applications that use the same port for their network traffic.

What often happens is that, within a corporate network, more than one device uses the same network port for data traffic. With deep knowledge of the company's IT environment, you can conclude that a particular device, such as an IP PBX, does not consume much traffic on ports 80/443 (HTTP/HTTPS), and this makes the final identification easier.

However, this method is not enough to get all the information. With it, we cannot accurately and clearly measure what is being accessed over the HTTP/HTTPS ports, which are, for example, the ones users rely on to access websites such as Facebook, Gmail, YouTube and LinkedIn, among others.

In other words, it is like your company opening up a portion of its network access without any view of which components are using it.

So, using only the per-port or source IP classification method, it is not possible to get an accurate and detailed report about which applications (Facebook, Gmail, YouTube, LinkedIn) are really consuming the network traffic. The results would be mere suppositions that, in most cases, would not meet the company's expectations.
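The following added example (not code from the original article or from any vendor) builds a flow cache keyed on the seven fields of the flow definition given earlier and then labels each flow by port, using a subset of the port table above. The packets, addresses and interface name are constructed sample data; the resulting report can only say "HTTP/HTTPS", whichever site was behind each flow.

```python
from collections import defaultdict
from typing import NamedTuple

class FlowKey(NamedTuple):
    """The seven key fields that define one flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int   # IP protocol number: 6 = TCP, 17 = UDP
    tos: int
    interface: str

# Subset of the article's port table (assumption: both ports of a pair share a label).
PORT_LABELS = {20: "FTP", 21: "FTP", 80: "HTTP/HTTPS", 443: "HTTP/HTTPS",
               123: "NTP", 161: "SNMP", 162: "SNMP", 22: "SSH", 23: "TELNET"}

# Constructed sample packets: the seven key fields, then the size in bytes.
PACKETS = [
    ("10.0.0.5", "203.0.113.10", 50001, 443, 6, 0, "Gi0/1", 1400),
    ("10.0.0.5", "203.0.113.10", 50001, 443, 6, 0, "Gi0/1", 1400),
    ("10.0.0.7", "198.51.100.20", 50002, 443, 6, 0, "Gi0/1", 900),
    ("10.0.0.9", "192.0.2.30", 50003, 22, 6, 0, "Gi0/1", 300),
    ("10.0.0.5", "203.0.113.10", 50001, 443, 6, 0, "Gi0/1", 1200),
]

def build_flow_cache(packets):
    """Aggregate packets into flows: one entry per distinct seven-field key."""
    cache = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for *key_fields, size in packets:
        entry = cache[FlowKey(*key_fields)]
        entry["packets"] += 1
        entry["bytes"] += size
    return dict(cache)

def label_by_port(key):
    """Port-based classification: the destination port is tried first."""
    return PORT_LABELS.get(key.dst_port) or PORT_LABELS.get(key.src_port, "unknown")

def bytes_per_label(cache):
    """The report a port-only analysis can produce."""
    report = defaultdict(int)
    for key, counters in cache.items():
        report[label_by_port(key)] += counters["bytes"]
    return dict(report)

if __name__ == "__main__":
    flows = build_flow_cache(PACKETS)
    for key, counters in flows.items():
        print(key.src_ip, "->", key.dst_ip, key.dst_port, counters)
    print(bytes_per_label(flows))
```

Two different destinations on port 443 end up in the same bucket, which is the gap the next section addresses.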

Traffic Classification with NBAR

To provide information about which applications are consuming network traffic, an intelligent classification engine from the manufacturer Cisco, called NBAR (Network Based Application Recognition), was created. It can recognize a wide variety of applications.

Through NBAR, it is possible to perform deep flow inspection to identify which applications are being used in real time, independent of the port they use.

NBAR operates as follows:

  1. When NBAR is activated on an interface, each incoming packet is subjected to a thorough inspection of its IP header and of the entire content of its payload.
  2. The packet signatures are included in the PDLM protocol (Custom Packet Description Language Module) and they are sent to the router.
  3. The PDLM contains the rules by which NBAR recognizes a signature during packet inspection. That is, NBAR analyzes the packets and compares them to the set of rules defined in the PDLM. If a rule is met, NBAR recognizes and labels the operation.
  4. This way, NBAR detects HTTP transactions on any port number and in any packet. NBAR can also base its identification on the URL or the MIME type, for example, or on other parameters that go beyond the simple features of the HTTP protocol standard.
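The steps above can be sketched as a small signature matcher that labels a packet from its payload and never consults the port. This is an added example, not Cisco's NBAR code or the PDLM format: the rule set, the host-to-application map and the sample payloads are all constructed for illustration, and only cleartext HTTP is handled.

```python
import re

# Hypothetical signature rules, standing in for what a PDLM supplies.
HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
SSH_BANNER = re.compile(rb"^SSH-\d\.\d+-")

# Hypothetical host-to-application map (suffix match on the Host header).
HOST_APPS = {"youtube.com": "YouTube", "facebook.com": "Facebook",
             "linkedin.com": "LinkedIn"}

def header(payload, name):
    """Return one HTTP header value (lower-cased), or None if absent."""
    m = re.search(rb"\r\n" + name + rb":[ \t]*([^\r\n]*)", payload, re.IGNORECASE)
    return m.group(1).decode("ascii", "replace").strip().lower() if m else None

def classify(payload):
    """Label a packet from its payload alone; the port is never consulted."""
    m = HTTP_REQUEST.match(payload)
    if m:
        result = {"protocol": "http", "url": m.group(2).decode("ascii", "replace")}
        host = (header(payload, b"Host") or "").split(":")[0]
        for suffix, app in HOST_APPS.items():
            if host == suffix or host.endswith("." + suffix):
                result["application"] = app
        return result
    if HTTP_RESPONSE.match(payload):
        mime = header(payload, b"Content-Type")
        return {"protocol": "http", "mime": mime.split(";")[0] if mime else None}
    if SSH_BANNER.match(payload):
        return {"protocol": "ssh"}
    return {"protocol": "unknown"}

# Constructed sample payloads with the port each one was seen on.
SAMPLES = [
    (8081, b"GET /watch?v=abc HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    (8081, b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4; codecs=avc1\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_9.6\r\n"),   # port 80, but not HTTP
    (80, b"\x16\x03\x01\x02\x00\x01"),  # opaque bytes: no rule matches
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, classify(payload))
```

The HTTP exchange on port 8081 is still recognized as HTTP and attributed to an application by Host header and MIME type, while the SSH banner on port 80 is not mistaken for web traffic.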