Traffic Analysis and Classification
Overview
Traffic classification capabilities is an integral part of providing important insights into what hosts on the network are doing and for being able to prioritize or block specific applications. Cisco Meraki uses a variety of techniques for identifying specific applications. These classifications are used by the following features:
- The traffic data contained within the Network-wide > Clients page
- The application definitions available for traffic shaping configuration
- The application definitions available for L7 SD-WAN configuration
- The application definitions available for Layer 7 firewall rules
Classifications
The Cisco Meraki MX, MS, and MR use a variety of techniques to classify traffic, which are described below. These techniques can be combined together for robust and accurate fingerprinting of applications.
HTTP Information
When HTTP traffic is processed, the contents of the URL can be inspected for specific hostnames.
For example, traffic destined for Bing could be identified based on the HTTP communications requesting resources from a URL containing "bing.com."
SSL Information
Some apps and websites, such as the Cisco Meraki Dashboard, use HTTPS-based communications. When HTTPS is implemented, it is not possible to see the actual URLs being requested by the client device. Instead, classification for traffic using SSL must be determined based on the information available before the SSL session is established. The MX, MS, and MR evaluate both the common name (CN) of the server certificate, as well as the server name indicator (SNI) sent by the client.
For example, traffic destined to the Cisco Meraki Dashboard could be identified based on the "dashboard.meraki.com" server name indicator sent by the client during the SSL client hello message.
IP Address, Port, and Protocol Information
In addition to HTTP and SSL information, traffic classification rules may also look for communication that is sent to or received from particular IP addresses, sent sourced from or destined to particular ports, and that is transmitted using a particular protocol (such as TCP or UDP).
For example, traffic using the HTTP protocol could be identified based on being TCP communications using port 80.
DNS Information
If hostname visibility is enabled, the MX, MS, and MR will also inspect DNS traffic that occurs on the network. This allows for the MX, MS, and MR to dynamically learn which IP addresses are associated with specific hostnames. This information can then be used to classify traffic as belong to particular applications.
For example, traffic to cisco.com could be identified based on communications to and from IP address contained within the DNS response for cisco.com (e.g. 72.163.4.161).
Heuristic Information
In addition to the methods described above, traffic can be classified into specific applications by it's characteristics. Some characteristics could include looking for specific patterns in how traffic is sent, the number and rate of connections, sizes of the payloads, and specific flags within protocol headers.
For example, using the packet size and transmission frequency of UDP traffic (such as 20 byte RTP payloads that are sent at 20ms intervals) can be used to identified VoIP traffic.
Traffic Analysis Classifies Client Traffic as Text
A client generating HTTP traffic can have their usage classified as Text by Traffic Analysis. The type of HTTP traffic is classified by the content-type header provided in each html page. When this content-type header specifies "text/html" it will be classified as Text. Conversely, if the html content-type header specified "image/jpeg" it would be classified as Images by Traffic analysis.
For more information about MIME media types see the descriptions here: http://www.iana.org/assignments/media-types/audio/index.html
Enabling Traffic Analytics
To enable, navigate to Network-wide > General and set Traffic analysis to Detailed: collect destination hostnames. This will add Traffic Analytics to your Monitor tab the next time you refresh.
Note: The data displayed for traffic analytics is only collected after this feature is enabled. Data prior to that point will not be available with the exception of pre-existing traffic flows, including those established for Meraki Cloud Communication; there may be a noticeable spike in reported traffic volume initially as data for existing flows is collected, the initial traffic values may not reflect actual traffic values for this reason.
Once enabled, it may take up to 24 hours for information to propagate fully.