3 Replies Latest reply on Nov 3, 2015 4:22 AM by stibi

    Orion.Netflow.Applications

    ckwasnicki

      In Orion.Netflow.Flows is ApplicationID, which is a key into Orion.Netflow.Applications.

       

      ApplicationID acts as the source port, correct, with additional information?

       

      How does one interpret ApplicationID that equals 0?

      How does one interpret ApplicationID that equals 100001 ("Unmonitored traffic")?

       

      Thanks

        • Re: Orion.Netflow.Applications
          stibi

          Hi ckwasnicki,

           

          >ApplicationID acts as the source port, correct, with additional information?

          It does not act as source port. Neither port nor ApplicationID has direction, because from Flows we take only the lesser port number, which we use for processing.

           

          >How does one interpret ApplicationID that equals 0?

          In NTA we do not have an ApplicationID that equals zero. The lowest possible number is 100001, which is all the "Unmonitored ports". If you want to show traffic that does not have any application, you can set the condition to AppID=100001, and vice versa.

           

          >How does one interpret ApplicationID that equals 100001 ("Unmonitored traffic")?

          As mentioned before, this ID corresponds to "Unmonitored traffic". Unmonitored traffic is a set of ports that does have defined any application for them.

            • Re: Orion.Netflow.Applications
              ckwasnicki

              >It does not act as source port. Neither port nor ApplicationID has direction, because from Flows we take only the lesser port number, which we use for processing.

              From this thread, "Re: NetFlow detail records appear to contain duplicates", it states "If during a single minute the router reports two or more flows with the same 5-tuple (source IP, destination IP, source port, destination port, and protocol), NTA will combine these into a single record by summing their in/out bytes and in/out packets." This implies a direction since it states source and destination port, so where would I find that in NTA, if it's not the ApplicationID and Port in the record?

               

              >How does one interpret ApplicationID that equals 0?

              >In NTA we do not have ApplicationID that equals to zero.

               

              I should have been clearer: I'm seeing 0 in the ApplicationID field of Orion.Netflow.Flows. (Note that, as you stated, I do not see 0 in Orion.Netflow.Applications.)

               

              Thanks

                • Re: Orion.Netflow.Applications
                  stibi

                  For the first part: it's true that we will combine such flows into a single record, but the port selection mechanism is still the same and only one port number is used. This single port of course has ingress and egress traffic.

                   

                  For the second part: I am sorry, this was my mistake. The 0 values are used for any traffic that does not use the UDP or TCP protocol.

                   

                  Thank you,

                  Petr
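
A small Python model of the behaviour described in this thread, added here as an example (it is not SolarWinds NTA code and not from either poster): the lesser port of each flow is kept, 0 marks non-TCP/UDP traffic, and 100001 marks ports with no application. The port-to-application table, every ID other than 0 and 100001, the use of `None` as the port for non-TCP/UDP flows, and the sample flows are all constructed assumptions.

```python
from collections import defaultdict

NON_TCP_UDP_APP_ID = 0        # per the thread: traffic that is not TCP or UDP
UNMONITORED_APP_ID = 100001   # per the thread: "Unmonitored traffic"
TCP, UDP = 6, 17              # IANA protocol numbers

# Constructed port -> ApplicationID table (placeholder IDs, not real NTA values).
MONITORED_PORTS = {443: 100002, 53: 100003}


def application_id(protocol, src_port, dst_port, monitored=MONITORED_PORTS):
    """Return (port, ApplicationID) for one flow, following the thread's rules."""
    if protocol not in (TCP, UDP):
        # Assumption: no port is recorded for such flows in this model.
        return None, NON_TCP_UDP_APP_ID
    port = min(src_port, dst_port)  # only the lesser port is kept; direction is lost
    return port, monitored.get(port, UNMONITORED_APP_ID)


def summarize(flows, monitored=MONITORED_PORTS):
    """Sum bytes per (port, ApplicationID) over (protocol, sport, dport, bytes)."""
    totals = defaultdict(int)
    for protocol, src_port, dst_port, nbytes in flows:
        totals[application_id(protocol, src_port, dst_port, monitored)] += nbytes
    return dict(totals)


# Constructed sample flows: (protocol, source port, destination port, bytes)
SAMPLE_FLOWS = [
    (6, 51514, 443, 1200),   # client to HTTPS server
    (6, 443, 51514, 9000),   # reply: same lesser port, so same key
    (17, 40000, 53, 80),     # DNS query
    (6, 50001, 50002, 300),  # no application defined for port 50001
    (1, 0, 0, 64),           # ICMP: neither TCP nor UDP
]

if __name__ == "__main__":
    for key, nbytes in summarize(SAMPLE_FLOWS).items():
        print(key, nbytes)
```

When filtering flow data for review, rows keyed to 0 or 100001 are the ones that carry no application label, so they need the port and protocol fields to be interpreted.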