Cisco NBAR How to:

Cisco Nbar - How to: (Assuming you're using Cisco)

1. On your Cisco Router you need to add the following to each interface that is to be monitored; keep in mind that you will probably have traffic coming in one interface and out a different interface:

ip nbar protocol-discovery

Note that nbar is not supported by all cisco ios'. Check the cisco site if you have problems.

2. Next snmpwalk this oid 1.3.6.1.4.1.9.9.244.1.8.1.1.2 which will give a list of all supported Nbar protocols.

For example 1.3.6.1.4.1.9.9.244.1.8.1.1.2.1 = ftp
1.3.6.1.4.1.9.9.244.1.8.1.1.2.2 = http
etc.
[The last number in the strings above is important for you to identify the protocols in the next part].

3. Traffic IN

snmpwalk this 1.3.6.1.4.1.9.9.244.1.2.1.1.9.<port number>
so assuming you have traffic coming in on port 25, then you would snmpwalk 1.3.6.1.4.1.9.9.244.1.2.1.1.9.25

you will see 1.3.6.1.4.1.9.9.244.1.2.1.1.9.25.1 = ftp traffic IN, etc.

4. Traffic OUT

snmpwalk this 1.3.6.1.4.1.9.9.244.1.2.1.1.10.<port number>
assuming you have traffic going out on port 30, then you would
snmpwalk 1.3.6.1.4.1.9.9.244.1.2.1.1.10.30

again, you will see 1.3.6.1.4.1.9.9.244.1.2.1.1.10.30.1 = ftp traffic OUT, etc.

5. Create Zabbix Items for the protocols that you want to monitor:

Type of info: Numeric (unsigned)
Units: bit
Use multiplier: Custom multiplier
Custom multiplier: 8
Store value: Delta (speed per second)

6. Create Zabbix Graphs

Graph type: Stacked
Y axis type: Calculated [Min=0]

Put as many Items as you want in your stacked graph. Put protocols with a large amount of traffic together in one graph, and others with low traffic together in another graph. (If you have Mbits for http and bits for ftp, and put them in the same graph then you wont see the ftp bits).

7. Create Zabbix Screens.

The end.

MrKen

Thank you!

You told me "create zabbix items for the protocols that you want to monitor"! might i create 1 item by each protocol? i don't know if it is a good idea, because in this way i can forget to put items for some protocols that i don't know for exemple!
could you explain more please! thank you

In total, I think there are 84 protocols.
I am monitoring only 51 of those protocols.

I have created one Item for each of the protocols that I need. (51 x traffic IN, and 51 x traffic OUT = Total 102 Items)

A tedious job!

To find the top ten bandwidth-eating protocols, do this (change 10 to 20, 30, or whatever)
show ip nbar protocol-discovery stats bit-rate top-n 10

MrKen

thank you!

so if we use "show ip nbar protocol-discovery stats bit-rate top -n 10 " i'll have a list of these protocols but i want to put them in a grapher in order to turn to profit the top ten bandwidth-eating protocols.
On zabbix how could i do that?

You need to manually create each Item.

It would be difficult to make an 'out-of-the-box' template for everyone to use because your port numbers will be different to mine. For example, I am monitoring NBAR on two routers, the IN ports are 8, 32, 139, and the OUT ports are 4, 32, 139. So, the NBAR ports that I monitor on one router are different on the other router, thus, manual reconfiguration was required.

MrKen

I do think so! and i understand the problem

but how do i configure manually?

where could i locate the protocols in the MIB?

I find the protocols in MIB!

I have a question! did you try a script which is writed in perl for exemple to put automatically the items of protocols?
do you think it works?
thank you for your answers

hello, i created the item of one protocol "dhcp" just for test, but i have not any information on the graph it is umpty i don't know why!?

and for a triger do you have any idea about the condition may i put on to have in the graph just the top 5 bandwidth-eating protocols?

answer please
thank you

It would be possible to change ports with regexp .
And real working example is good point for start.

If you can share please one of your templates.

i write you an email thanks

hello! please do you know how could i creat a key like " icmppingsec[<ip>,<count>,<interval>,<size>,<timeout>,<type>] "?
because i want to pu a condition in the triger to link the protocol to the bandwidth and see the result on the graph.

i put a condition : " {Routeur_A:icmppingsec[<ip>,<count>,<interval>,<size>,<timeout>,<type>].sum(10)}>6 " but i don't think it works


SO, do you know if there is a specific way to write this bicause i took delfault conditions.

??

thank you

Maybe you have no dhcp traffic.

Ok, attached is a Template for NBAR. The IN trafffic is on Port 1, and the OUT traffic is on Port 4, you will need to change the ports to suit your needs. The Template has Stacked graphs, but no triggers. Enjoy!

And here's one example graph: