I recently wrote a Perl script for MRTG that collects the bytes that Cisco NBAR Protocol Discovery has counted and graphs them against the total traffic seen by the interface. (Note: Leave a comment if you want me to publish the script on this site.)
I thought I'd go ahead and point out the OIDs I use in the script here. You can download the Cisco NBAR Protocol Discovery MIB via the Cisco SNMP Object Navigator.
- cnpdSupportedProtocolsName - .184.108.40.206.220.127.116.11.244.1.8.1.1.2
This is a list of protocols that NBAR can recognize. Since the index of a particular protocol might change, it's important to get the index from this table and reference it in the following OIDs.
- cnpdAllStatsHCInBytes - .18.104.22.168.22.214.171.124.244.1.2.1.1.9
This is a table of input bytes sorted by interface and protocol. In order to find a particular protocol on a particular interface, you'll need to append the interface index followed by the protocol index (from cnpdSupportedProtocolsName above).
- cnpdAllStatsHCOutBytes - .126.96.36.199.188.8.131.52.244.1.2.1.1.10
This is a table of output bytes sorted by interface and protocol. You'll use it in exactly the same manner as cnpdAllStatsHCInBytes (by appending interface and procotol index).
I should note that the byte counters listed above are the "high capacity" 64-bit byte counters. Although you should use the high capacity counters whenever possible, it's a requirement to use these counters whenever using an interface faster than Fast Ethernet. I'm assuming 5 minute poll intervals.