9 Replies Latest reply on Sep 3, 2008 1:16 PM by Andy McBride

    Top 5 Apps not showing what I'd expect

      I have an Adobe Connect server running on 10.10.46.70 that uses ports 80 and 1935 for its traffic. I know that much.


      I set up an IP group to monitor that IP address. When I run the report for a specific interface, the Web traffic on port 80 is showing up in "Top 5 Applications", but 1935 is not? Unmonitored traffic is showing up as 56%, web as 80% and then a couple of other random (greater than 1024) port numbers.


      If I run the same type of query in another Netflow tool, same IP, same router interface and search for IN and OUT traffic for 10.10.46.70 - I see all of the traffic is port 80 and 1935.


      Is Solarwinds using the random port chosen for the conversation as the application type?


      I see 1935 is registered in the program as a Macromedia application, but it's not showing up in my graphs at all.


      Thanks for any insight. :)


      ---John Holmes...

        • Re: Top 5 Apps not showing what I'd expect
          scraig84

          I see it listed as well, but it appears by default it isn't enabled.  Try going to the port in the Netflow settings under Application and Service Ports and under "actions" click "enable".  By contrast, when I look at port 80 its option is to disable rather than enable.


           Hope that works for you.


          • Re: Top 5 Apps not showing what I'd expect

             On our netflow implementation port 1935 is not enabled. With it not being enabled, any traffic would appear as "Unmonitored". You might want to check to make sure that application is enabled and test again. Once you do, the new traffic will appear as monitored while the prior traffic will still appear as unmonitored.

              • Re: Top 5 Apps not showing what I'd expect

                Well, yes, that was it.


                How come ports 1024 - 5000 are enabled even though I clicked the "Monitor All" option? Is there any way to enable all of the ports or do I have to go through them one-by-one?


                Thanks for the help.


                ---John Holmes...

                  • Re: Top 5 Apps not showing what I'd expect
                    scraig84

                    I think if you click on "Disabled Applications" and then click on "Monitor All" that will do it. 


                    Then again just about anything is possible en-masse if you are adventurous and creative with SQL. :)

                      • Re: Top 5 Apps not showing what I'd expect

                        I think if you click on "Disabled Applications" and then click on "Monitor All" that will do it. 


                        That didn't work. There are 3180 applications listed under Disabled.


                        I guess this wouldn't be a big deal if I could see a list of the ports that were tagged as "unmonitored" when viewing the applications. If I saw port 9876 using a lot of the "unmonitored" traffic, that'd entice me to figure out what that traffic was and give it a name.


                        Is there a way to do this that I'm missing?


                        Thanks again for all of the help.


                        -John

                          • Re: Top 5 Apps not showing what I'd expect
                            scraig84

                            Maybe someone can correct me if I'm wrong.  I'm not a database expert by any stretch but from what I've seen poking around in the tables it appears that if a port is not considered as monitored it is given a value of "-1" and the original TCP or UDP port is not retained.  Therefore you may want to set up some reports that show you the top endpoints of unmonitored traffic and then go after them manually with packet captures or using another tool.  Possibly the real-time collector even?  I haven't looked into its usefulness yet.


                            Personally I find this to be a frustrating design if I am correct in what I am seeing.  I would rather have more info and then pare it back to what is useful rather than needing to know exactly what I want up front.  If I knew my network that well I might not need netflow in the first place!


                            I can understand the reasoning behind wanting to group "unmonitored" traffic together to keep table sizes and indexes down.  However I can also see retaining original port values and then having an additional field for categorization into application groups rather than overwriting the original which is what it appears to be doing.  Maybe this is something someone can educate us on and if not maybe consider for the next rev?  It would be nice to be able to drill in further into "unmonitored traffic" and see a list of not just the top endpoints but also the top source and destination ports.
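As an added example that is not part of the thread and not SolarWinds code, the script below models the behaviour the posts describe with constructed flow records: a disabled application port (1935) gets collapsed to -1/"Unmonitored" and its original port is lost, enabling the port moves that traffic into the monitored totals, and keeping the original port in a separate field is what makes the "top unmonitored ports" drill-down requested above possible. The application-port table, the client IPs, the byte counts and the lower-port heuristic are all assumptions.

```python
from collections import Counter

# Hypothetical application-port table: port -> (name, enabled).
APP_PORTS = {
    80: ("World Wide Web HTTP", True),
    1935: ("Macromedia", False),  # present in the table but not enabled
}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.10.46.70", 80, "172.16.5.20", 51022, 400_000),
    ("172.16.5.20", 51022, "10.10.46.70", 80, 120_000),
    ("10.10.46.70", 1935, "172.16.5.21", 52910, 900_000),
    ("172.16.5.21", 52910, "10.10.46.70", 1935, 300_000),
    ("172.16.5.22", 49211, "10.10.46.70", 9876, 250_000),
]

def app_port(flow):
    """Assumed heuristic: the lower-numbered port is the application port;
    the higher one is the client's ephemeral port."""
    return min(flow[1], flow[3])

def classify(flow, app_ports):
    """Charge the flow to an enabled application, or collapse it to -1 /
    "Unmonitored" (the original port is discarded, as the thread reports)."""
    port = app_port(flow)
    name, enabled = app_ports.get(port, (None, False))
    return (port, name) if enabled else (-1, "Unmonitored")

def top_apps(flows, app_ports):
    """Bytes per application label, i.e. the 'Top Applications' view."""
    totals = Counter()
    for f in flows:
        totals[classify(f, app_ports)[1]] += f[4]
    return totals.most_common()

def top_unmonitored_ports(flows, app_ports):
    """The drill-down the thread asks for; only possible because this model
    keeps the original port next to the -1 id instead of overwriting it."""
    totals = Counter()
    for f in flows:
        if classify(f, app_ports)[0] == -1:
            totals[app_port(f)] += f[4]
    return totals.most_common()

def enable(app_ports, port):
    """Return a copy of the table with one port enabled (the fix in the thread)."""
    name, _ = app_ports.get(port, (f"port {port}", False))
    return {**app_ports, port: (name, True)}
```

Running `top_apps(FLOWS, APP_PORTS)` before and after `enable(APP_PORTS, 1935)` reproduces the shift from a large "Unmonitored" share to a named Macromedia entry, while `top_unmonitored_ports` shows port 9876 as the remaining unknown.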