How do I capture ESP VPN traffic? What port numbers do I use?

Not sure if this helps but I also have on capture unmonitored traffic and I haven't deleted anything.  This is what mine looks like:

ESP doesn't run over TCP/UDP (unless you're tunneling ESP through them), it's a separate layer 4 protocol. ESP is protocol 51 (whereas TCP and UDP are 6 and 17 repsectively). Hence, it doesn't have port numbers.

I would look under "monitored protocols" in NTA settings, but in my install it's monitored by default.

I monitor it via protocols so thats how I see it show up in my conversations.  I was just hoping it could be tracked under application..like say all ESP traffic is application "VPN" or something like that.

Has anyone else ever determined a way to do this?

I would like to avoid having a huge amount of my top application traffic show as "Unmonitored Traffic" and I can't find any way to get ESP traffic to categorized as a Monitored Application.

timsilverline,

There was a bug in NTA 3.7 related to unmonitored traffic that was not TCP/UDP. This should be fixed in the next version. We will have a Release Candidate available shortly that will help with this. I will add you to the RC list.

If anyone else would like to be added to the RC list, please let me know.

Mav 

Hi there,

Has this been fixed yet?

Regards,
Scott

Scott, this has been addressed in the next release. If you have active maintenance, it should be in your customer portal. If you can't find it, send me a direct email with your SWID and I will make sure you have access to it.

Mav

It would appear that this bug has returned in 10.2.1 NPM.  Not sure why an NPM upgrade would cause a difference in Netflow but....

I just upgraded two days ago and yesterday started noticing a bunch uf unmonitored traffic again.

Upon further analysis it is indeed ESP once again.

Any idea on what I can do? Just downgrade back to 10.2.0?