Monitoring traffic on non-standard ports

Flow Monitor automatically classifies traffic for most common applications. However, in some cases, you may need to create a custom definition to ensure that Flow Monitor properly classifies some traffic. This need is most common when:

• Your device routes traffic for applications that use a proprietary protocol. This may be a custom program that uses a protocol developed in-house to send data across the network or a third-party application that uses its own custom protocol to transmit data.
• Your device routes traffic for standard applications over non-standard ports. Examples include a standard Web server running on a port other than 80 or an FTP client connecting to an FTP server that runs on a port other than 21.

Note: In Flow Monitor, for traffic to be considered "unclassified," both the port from which the data is sent, and the receiving port must not be classified in the Flow Ports dialog. If either the sending or receiving port is classified, the traffic is associated with the application of the classified port.

To accommodate these cases, you can classify traffic that meets specific rules so that Flow Monitor reports that traffic as belonging to a certain application.

Important: You can configure the amount of time unclassified traffic data is kept. For more information, see Configuring data roll-up intervals.

Tip: If Flow Monitor detects a large amount of traffic to an unmonitored port, the Top Applications workspace report displays a yellow warning flag that explains the situation and guides you in defining the unmonitored port. This can help you to proactively detect emerging non-standard traffic on your network. You can also use the Unclassified Traffic dialog (available from any page in Flow Monitor by selecting GO > Configure > Flow Unclassified Traffic) to view all unclassified traffic since the last hourly rollup.

To define rules for classifying traffic that uses non-standard ports:

1. From any workspace view or report in the web interface, select GO. The GO menu appears.
2. If the Flow Monitor section is not visible, click Flow Monitor. The Flow section of the GO menu appears.
3. Select Configure > Applications. The Applications dialog appears.
4. Click New to configure a new port definition. The Flow Port dialog appears.
5. In Port, enter the port number over which the traffic is sent.
6. In Application, enter a name for the traffic that you are classifying. This should be the name of the protocol (for instance, the definition for port 80 includes HTTP as the application).
7. Select Monitor the following protocols on this port, and then select the protocols that the application uses (TCP, UDP, or SCTP).
8. Click OK to save changes.

See Also Configuring WhatsUp Flow Monitor Flow Monitor Sources Classifying traffic that is considered unclassified Configuring data roll-up intervals Managing users and user rights Setting the logging level Backing up and restoring the Flow Monitor databases Stopping or restarting the collector Using Flow Groups