I noticed when I turn on capturing unmonitored traffic that I am not currently collecting the ESP traffic from my firewalls vpn connections. The question is it appears I removed application with ID 5114 so I have no clue what port its attempting to talk on. I can't create an application that allows all ports on protocol ESP since ESP isnt an option. I must have removed whatever application would have collected this data...anyone know? Here is what the conversation looks like: Date/Time 63.80.103.34 lax-er1-vg01.discovery.com (198.147.15.4) Bytes Packets 4/8/2010 1:57:00 PM ESP Random High Port Removed Application with ID 5114 71.1 Kbytes386 packets4/8/2010 1:57:00 PM ESP Removed Application with ID 27532 Random High Port 122.3 Kbytes574 packets4/8/2010 1:56:00 PM ESP Removed Application with ID 27532 Random High Port 114.6 Kbytes563 packets4/8/2010 1:56:00 PM ESP Random High Port Removed Application with ID 5114 73.7 Kbytes387 packets4/8/2010 1:55:00 PM ESP Random High Port Removed Application with ID 5114 208.2 Kbytes721 packets4/8/2010 1:55:00 PM ESP Removed Application with ID 27532 Random High Port 194.5 Kbytes913 packets4/8/2010 1:54:00 PM ESP Removed Application with ID 27532 Random High Port 133.5 Kbytes642 packets4/8/2010 1:54:00 PM ESP Random High Port Removed Application with ID 5114 78.6 Kbytes467 packets4/8/2010 1:53:00 PM ESP Random High Port Removed Application with ID 5114 66.6 Kbytes345 packets4/8/2010 1:53:00 PM ESP Removed Application with ID 27532 Random High Port 114.3 Kbytes539 packets

nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

How do I capture ESP VPN traffic? What port numbers do I use?

brian_duvall

I noticed when I turn on capturing unmonitored traffic that I am not currently collecting the ESP traffic from my firewalls vpn connections. The question is it appears I removed application with ID 5114 so I have no clue what port its attempting to talk on. I can't create an application that allows all ports on protocol ESP since ESP isnt an option. I must have removed whatever application would have collected this data...anyone know?

Here is what the conversation looks like:

Date/Time		63.80.103.34	lax-er1-vg01.discovery.com (198.147.15.4)	Bytes	Packets
4/8/2010 1:57:00 PM	ESP	Random High Port	Removed Application with ID 5114	71.1 Kbytes	386 packets
4/8/2010 1:57:00 PM	ESP	Removed Application with ID 27532	Random High Port	122.3 Kbytes	574 packets
4/8/2010 1:56:00 PM	ESP	Removed Application with ID 27532	Random High Port	114.6 Kbytes	563 packets
4/8/2010 1:56:00 PM	ESP	Random High Port	Removed Application with ID 5114	73.7 Kbytes	387 packets
4/8/2010 1:55:00 PM	ESP	Random High Port	Removed Application with ID 5114	208.2 Kbytes	721 packets
4/8/2010 1:55:00 PM	ESP	Removed Application with ID 27532	Random High Port	194.5 Kbytes	913 packets
4/8/2010 1:54:00 PM	ESP	Removed Application with ID 27532	Random High Port	133.5 Kbytes	642 packets
4/8/2010 1:54:00 PM	ESP	Random High Port	Removed Application with ID 5114	78.6 Kbytes	467 packets
4/8/2010 1:53:00 PM	ESP	Random High Port	Removed Application with ID 5114	66.6 Kbytes	345 packets
4/8/2010 1:53:00 PM	ESP	Removed Application with ID 27532	Random High Port	114.3 Kbytes	539 packets

Find more posts tagged with

Accepted answers

mavturner

timsilverline,

There was a bug in NTA 3.7 related to unmonitored traffic that was not TCP/UDP. This should be fixed in the next version. We will have a Release Candidate available shortly that will help with this. I will add you to the RC list.

If anyone else would like to be added to the RC list, please let me know.

Mav

All comments

ecklerwr1

Not sure if this helps but I also have on capture unmonitored traffic and I haven't deleted anything. This is what mine looks like:

jswan

ESP doesn't run over TCP/UDP (unless you're tunneling ESP through them), it's a separate layer 4 protocol. ESP is protocol 51 (whereas TCP and UDP are 6 and 17 repsectively). Hence, it doesn't have port numbers.

I would look under "monitored protocols" in NTA settings, but in my install it's monitored by default.

brian_duvall

I monitor it via protocols so thats how I see it show up in my conversations. I was just hoping it could be tracked under application..like say all ESP traffic is application "VPN" or something like that.

FormerMember

Has anyone else ever determined a way to do this?

I would like to avoid having a huge amount of my top application traffic show as "Unmonitored Traffic" and I can't find any way to get ESP traffic to categorized as a Monitored Application.

mavturner

timsilverline,

If anyone else would like to be added to the RC list, please let me know.

Mav

scottyd

Hi there,

Has this been fixed yet?

Regards,
Scott

mavturner

Scott, this has been addressed in the next release. If you have active maintenance, it should be in your customer portal. If you can't find it, send me a direct email with your SWID and I will make sure you have access to it.

Mav