Deep Packet inspection (DPI) / Layer 7 application recognition / Network Based application recognition (NBAR)

Deep packet inspection (DPI) is an advanced method of packet filtering that functions at the Application layer of the OSI (Open Systems Interconnection) reference model. The use of DPI makes it possible to find, identify, classify, reroute or block packets with specific data or code payloads that conventional packet filtering, which examines only packet headers, cannot detect.

Network Based Application Recognition (NBAR) is the mechanism used by some Cisco routers and switches to recognize a dataflow by inspecting some packets sent.

The networking equipment which uses NBAR does a deep packet inspection on some of the packets in a dataflow, to determine which traffic category the flow belongs to. Used in conjunction with other features, it may then program the internal ASICs to handle this flow appropriately. The categorization may be done with OSI layer 4 info, packet content, signaling, and so on but some new applications have made it difficult on purpose to cling to this kind of tagging.

The NBAR approach is useful in dealing with malicious software using known ports to fake being “priority traffic”, as well as non-standard applications using dynamic ports. That’s why NBAR is also known as OSI layer 7 categorization.

On Cisco routers, NBAR is mainly used for Quality of Service and Security purposes.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s