custom nbar protocol

I was playing with nbar trying to match data in the payload of a crafted packet.

I can see exactly the payload in the packet I build but it seems I can't match it with nbar, I'm using this custom protocol

ip nbar custom test 0 hex A destination tcp 26


and I'm sending single packets with payload AAAA. I can see the dumped packet in the router


0B2E4D00:                                 CA05 15E90006            J..i..
0B2E4D10: CA0415E9 00080800 45A0002A 12340100  J..i....E .*.4..
0B2E4D20: FE06B376 9B01927B 9B012D05 3039001A  ~.3v...{..-.09..
0B2E4D30: 00000064 00000064 50000FA0 CEF90000  ...d...dP.. Ny..
0B2E4D40: AAAA                                 **

and all the fields I setup are matching, even the payload in the end, but nbar shows no packets, I've just applied an input and output policy map with a class map that matches that custom port.

It's not working even when matching ascii pattern AA and sending the corresponding hex value value

ip nbar custom test 0 ascii AA destination tcp 27 

0B171E80:                             CA05 15E90006            J..i..
0B171E90: CA0415E9 00080800 45A0002A 12340100  J..i....E .*.4..
0B171EA0: FE06B376 9B01927B 9B012D05 3039001B  ~.3v...{..-.09..
0B171EB0: 00000064 00000064 50000FA0 38620000  ...d...dP.. 8b..
0B171EC0: 4141                                 AA             

Any idea?


  • I've made further tests, it does not work with crafted packets (I wonder why, maybe they're not part of a proper flow?). Anyway I managed to have it work by sending a syslog message to a non-standard port that I could map to a custom nbar protocol, by using syslog I could send arbitrary text with ease.

    The overall objective was to test what in my opinion is a big mistake in the documentation.

    In the documentation examples you can find things like

    ip nbar custom app_sales1 5 ascii SALES source tcp 4567

    and the description reads "...and that contain the term SALES in the fifth byte of the payload"

    This is wrong, the byte value is an offset so the fifth byte has offset 4. I made several tests and I verified this.

    Can someone confirm?

  • Better option would be use Flexible Packet matching feature I guess.

  • Better option would be use Flexible Packet matching feature I guess.

    I agree but still nbar is used and it's supposed to be easier than fpm, I just wanted to be 100% sure about my tests, a sort of peer review.


Sign In or Register to comment.