Submit a ticketCall us

Announcing NCM 7.7
With NCM 7.7, you can examine the rules that make up an access control list for a Cisco ASA device. Then you can apply filters to display only rules that meet the specified criteria, order the rules by line number or by the hit count, and much more.
See new features and improvements.

Home > Success Center > Netflow Traffic Analyzer (NTA) > Application charts showing unmonitored multi-port traffic in Netflow

Application charts showing unmonitored multi-port traffic in Netflow

Updated August 8th, 2016

Overview

Netflow charts for application show a large amount of traffic for unmonitored multiport applications.

Environment

All NTA versions

Cause 

The ports that the unmonotored application traffic is using has not been mapped in Solarwinds. When Solarwinds recieved a flow from a device, Solarwinds only looks at the port number. It will then compares that port number to what application uses that port.

 

For example, an application call MyEmailApp that uses ports 12345 - 12350 that SolarWinds sees as unmonitored traffic. Then lets say there is a user (workstation) that is sending data through your router to some external service, an email application called MyEmailApp, using port 12346. If the port to Application mapping doesn't exist in Solarwinds then Solarwinds will always show that traffic as unmonitored because it doesn't know that port 12346 = MyEmailApp.

If you go into Settings > NTA Settings > Application and Service Ports, you can see what application has been mapped to what  port(s).

Understand also that not all traffic can or will be identified to a certain ports. Certain application cannot be map at all simply because there are so many application that can or could be used by a user and there are certain applications (Skype for example) that uses different destination ports every time its brought up, therefore making it impossible to map.

Resolution

Create a port to application map

  1. Go to Settings > NTA Settings > Application and Service Ports.
  2. Click on Add Application.
  3. Fill in the description, port number(s), source IP address, destination IP address, and protocol.
  4. Click Add Application.

NOTE: Using the example above, adding MyEmailApp as using ports 12345 - 12350, leaving the rest of the fields at the default, will now make it so that charts will show traffic statistics specifically for MyEmailApp as opposed to Solarwinds taking that traffic and grouping it into unmonitored traffic pile.

 

 

Last modified
11:53, 11 Jan 2017

Tags

Classifications

Public