How to verify NBAR2 Application data for NFA using Wireshark

Document ID : KB000048092
Last Modified Date : 24/10/2018
Show Technical Document Details

Starting with NFA 9.2, NFA supports reporting on NBAR2 Application Data to give you greater visibility into Applications that cannot be identified simply by looking the destination port of the traffic.

Application mapping supports rules for the applications that are identified by the standard Cisco NBAR2 engine (NBAR2 engine 13), but not for applications that are identified by custom NBAR2 engines.

We also require that the NBAR2 ApplicationID be imported into NFA, see the NFA 9.2 Admin guide for instructions on how to import the default list of NBAR2 Applications.


    The steps below will show you how to verify that you are receiving the correct NBAR2 Engine ID of 13 and how to verify the ApplicationID within the NetFlow data using WireShark.

    1. Open WireShark on the Harvester server and go to the "Capture" top menu and then "Options"

      User-added image
    2. Double click the Interface which is receiving the NetFlow

      User-added image
    3. In the "Capture Filter" field enter "host x.x.x.x and udp port 9995" where x.x.x.x is the IP address of the device you wish to monitor, and click OK

      User-added image
    4. Click "Capture->Start" to begin capturing data.

      User-added image
    5. Once you have captured enough data click Stop and then "Analyze->Decode As"

      User-added image
    6. Change the drop down menu to "Destination (->9995)" and select "CFLOW" on the right and click OK

      User-added image
    7. Once Decoded as CFLOW you will be able to expand where it says "Cisco NetFlow/IPFIX"
      When looking at the flows, you will need to look for a field called:
      "ApplicationID: NBAR Application ID: x:y (type:id)"
      The 'type' or 'x' needs to be 13, which represents the Cisco NBAR2 EngineID, as we currently only support EngineID 13.

      The 'id' or 'y' will be a unique number, that will need to match up with one of the ApplicationID's in the NBAR2.csv file you imported into NFA. If it is an ID that does not exist you can create a new NBAR2 application definition. See the NFA Admin guide for details.

      -The first example below shows an NBAR2 application which we would not display data from because the EngineID/Type is not 13:

      User-added image

      -This second example shows an NBAR2 Application which we would be able to display data from, because as you can see below the EngineID/Type is 13. Also in this case the application ID, 26, matches up with an ID in the NBAR2.csv file, for the 'netbios' application:

      User-added image
    8. You should be able to see the data in your Interface Reports like below if they are the Top N applications on that interface. In this example you can see Skype and Exchange being reported:

      User-added image
    9. You will also be able to run Flow Forensics reports against this NBAR2 data using the 'Conversation Sessions (NBAR2)' FF report which will show the NBAR2 Application ID and Engine ID.
      User-added image