
Top 5 Apps not showing what I'd expect

I have an Adobe Connect server running on 10.10.46.70 that uses ports 80 and 1935 for its traffic. I know that much.


I set up an IP group to monitor that IP address. When I run the report for a specific interface, the Web traffic on port 80 is showing up in "Top 5 Applications", but 1935 is not? Unmonitored traffic is showing up as 56%, web as 80% and then a couple of other random (greater than 1024) port numbers.


If I run the same type of query in another Netflow tool, same IP, same router interface and search for IN and OUT traffic for 10.10.46.70 - I see all of the traffic is port 80 and 1935.


Is Solarwinds using the random port chosen for the conversation as the application type?


I see 1935 is registered in the program as a Macromedia application, but it's not showing up in my graphs at all.


Thanks for any insight. :)


---John Holmes...

  • I see it listed as well, but it appears by default it isn't enabled. Try going to the port in the Netflow settings under Application and Service Ports and under "actions" click "enable". By contrast, when I look at port 80 its option is to disable rather than enable.


     Hope that works for you.


  •  On our netflow implementation port 1935 is not enabled. With it not being enabled, any traffic would appear as "Unmonitored". You might want to check to make sure that application is enabled and test again. Once you do, the new traffic will appear as monitored while the prior traffic will still appear as unmonitored.

  • Well, yes, that was it.


    How come ports 1024 - 5000 are enabled even though I clicked the "Monitor All" option? Is there any way to enable all of the ports or do I have to go through them one-by-one?


    Thanks for the help.


    ---John Holmes...

  • I think if you click on "Disabled Applications" and then click on "Monitor All" that will do it. 


    Then again just about anything is possible en-masse if you are adventurous and creative with SQL. :)

  • I think if you click on "Disabled Applications" and then click on "Monitor All" that will do it. 


    That didn't work. There are 3180 applications listed under Disabled.


    I guess this wouldn't be a big deal if I could see a list of the ports that were tagged as "unmonitored" when viewing the applications. If I saw port 9876 using a lot of the "unmonitored" traffic, that'd entice me to figure out what that traffic was and give it a name.


    Is there a way to do this that I'm missing?


    Thanks again for all of the help.


    -John

  • Maybe someone can correct me if I'm wrong. I'm not a database expert by any stretch, but from what I've seen poking around in the tables it appears that if a port is not considered as monitored it is given a value of "-1" and the original TCP or UDP port is not retained. Therefore you may want to set up some reports that show you the top endpoints of unmonitored traffic and then go after them manually with packet captures or using another tool. Possibly the real-time collector even? I haven't looked into its usefulness yet.


    Personally I find this to be a frustrating design if I am correct in what I am seeing. I would rather have more info and then pare it back to what is useful rather than needing to know exactly what I want up front. If I knew my network that well I might not need netflow in the first place!


    I can understand the reasoning behind wanting to group "unmonitored" traffic together to keep table sizes and indexes down.  However I can also see retaining original port values and then having an additional field for categorization into application groups rather than overwriting the original which is what it appears to be doing.  Maybe this is something someone can educate us on and if not maybe consider for the next rev?  It would be nice to be able to drill in further into "unmonitored traffic" and see a list of not just the top endpoints but also the top source and destination ports.
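The storage trade-off described in the post above, as an added example that is not part of the original thread and is not SolarWinds NTA code: a simplified port-based classifier over constructed flow records, comparing a store that overwrites unmonitored ports with -1 against one that retains the port. The flow tuples, the application names and the lower-port heuristic are assumptions.

```python
from collections import Counter

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.10.20.5", 51512, "10.10.46.70", 80, 4000),
    ("10.10.46.70", 1935, "10.10.20.5", 51513, 90000),
    ("10.10.20.9", 3302, "10.10.46.70", 1935, 60000),
    ("10.10.20.9", 49877, "10.10.46.70", 9876, 25000),
]
UNMONITORED = "Unmonitored"

def classify(flow, enabled):
    """Return (app_name, service_port) for one flow.

    Assumption: the lower of the two ports is treated as the service port
    when neither port belongs to an enabled application.
    """
    _, sport, _, dport, _ = flow
    for port in sorted((sport, dport)):
        if port in enabled:
            return enabled[port], port
    return UNMONITORED, min(sport, dport)

def summarize(flows, enabled, keep_port):
    """Sum bytes per (app, port). keep_port=False stores -1 for unmonitored."""
    totals = Counter()
    for flow in flows:
        app, port = classify(flow, enabled)
        if app == UNMONITORED and not keep_port:
            port = -1  # original port discarded, as the post describes
        totals[(app, port)] += flow[4]
    return totals

def top_unmonitored_ports(flows, enabled, n=5):
    """Rank retained ports inside the Unmonitored bucket by bytes."""
    totals = summarize(flows, enabled, keep_port=True)
    ranked = Counter({p: b for (a, p), b in totals.items() if a == UNMONITORED})
    return ranked.most_common(n)

if __name__ == "__main__":
    enabled = {80: "Web"}  # 1935 not enabled, as in the thread
    print(summarize(FLOWS, enabled, keep_port=False))
    print(top_unmonitored_ports(FLOWS, enabled))
    enabled[1935] = "Macromedia"  # after clicking "enable"
    print(summarize(FLOWS, enabled, keep_port=True))
```

With the port retained, the unmonitored bucket can be ranked by port, which is the drill-down the posters ask for; with -1 stored, only endpoint-level reports remain.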

  • I agree with you completely. I don't mind the grouping of "unmonitored" traffic, but give me a way to see what those ports are. This is how other tools handle it.


    ---John Holmes...

  • I might be wrong, but I was under the impression that if you clicked Monitor All, it would enable many (if not all) of the unmonitored ports.  See the description in this posting:

    Since you know that your application uses port 80 and 1935, you might be able to create a multi-port application that would label conversations using those ports as whatever name you give it. However, I'm not sure if NTA is smart enough to allow you to group port 80 with 1935 and still label your other traffic on port 80 as web traffic.

  • If you assign a port to a multi-port app it will only be part of that app, so port 80 would stop showing up as HTTP.