I noticed when I turn on capturing unmonitored traffic that I am not currently collecting the ESP traffic from my firewall's VPN connections. The question is, it appears I removed the application with ID 5114, so I have no clue what port it's attempting to talk on. I can't create an application that allows all ports on protocol ESP since ESP isn't an option. I must have removed whatever application would have collected this data... Anyone know?
Here is what the conversation looks like:
539 packets
timsilverline,
There was a bug in NTA 3.7 related to unmonitored traffic that was not TCP/UDP. This should be fixed in the next version. We will have a Release Candidate available shortly that will help with this. I will add you to the RC list.
If anyone else would like to be added to the RC list, please let me know.
Mav
Not sure if this helps but I also have on capture unmonitored traffic and I haven't deleted anything. This is what mine looks like:
ESP doesn't run over TCP/UDP (unless you're tunneling ESP through them), it's a separate layer 4 protocol. ESP is protocol 51 (whereas TCP and UDP are 6 and 17 respectively). Hence, it doesn't have port numbers.
I would look under "monitored protocols" in NTA settings, but in my install it's monitored by default.
I monitor it via protocols, so that's how I see it show up in my conversations. I was just hoping it could be tracked under application... like say all ESP traffic is application "VPN" or something like that.
Has anyone else ever determined a way to do this?
I would like to avoid having a huge amount of my top application traffic show as "Unmonitored Traffic" and I can't find any way to get ESP traffic categorized as a Monitored Application.