Classifying Traffic by Port Number (NTA Applications)

You can tag traffic on your network to make it easier to manage, associate with specific services or applications, and recognize in NOC dashboards and detailed reports by using the NTA Applications Library. You can also tag traffic for cases where the same port is in use by two different services or when different service instances of the same application run over separate network segments or subnets.

Tip: After you apply these tags, you can check if your sources have observed traffic that matches these rules by checking the Top n Applications or Top n Conversations reports. Conversely, these application mappings will remove items from the Unclassified Traffic report.

Defining Application Library Rules for two Services Using Port 8383 (viewed with port filter set to "8383")

NTA Applications enable you to tag network traffic based on:

Use Mappings Defined in the NTA Application Library

NTA Applications Library already comes fully prepopulated with the more common application-to-port and transport protocol associations, many of which are the more common applications described in the IETF's well-known port definitions (a list of companies that applied with the IETF standards body with a specific port number).

Use Custom Mappings

If you want to provide a more specific label than would be associated by using the default NTA Applications associations, you can also override these on an entire-network or subnet-by-subnet basis or redefine them for different transport protocols (UDP versus TCP, for example).

Important: Any time you specify a port association (NTA Application) with a Subnet, NTA will override any global scope cases (an association where you did not specify a Subnet) for data within the subnet range specified.

To add a port mapping:

  1. Open the NTA Applications Library (Settings > Network Traffic Analysis > NTA Applications).

    The NTA Applications Library dialog displays.

  2. Click Add or select an existing definition and click Edit.
    • Application. Type in a name/label you want to associate with the port. Example: Apache Tomcat.
    • Port or Range. Add a port or range. Example: 8088
    • TCP/UDP/SCTP/DCCP. Expected transport protocol (select one). Example: TCP
    • Subnets. Add subnet IPs if you want these rules to apply only to certain network segments.

      Important: You must specify a subnet using CIDR notation. For example, to specify host traffic within the 192.0.2.x network part, you must provide a range that looks like this 192.0.2.0/24. This value applies to the IP address range 192.0.2.0 to 192.0.2.255.

  3. Add more ports and click Save, or just click Save.
  4. Check report data such as the Top n Applications or Top n Conversations report for the mapping you applied. Conversely, these application mappings will remove items from the Unclassified Traffic report.

Specifying an Application for a Specific Subnet (port for iMail WebUI shown)

Best Practice: Associate Application (Port) Seen in Flow Only for a Particular Subnet

When overriding or applying more specific application labeling for a well-known port/application association, it is best practice to do this in the NTA Applications Library at the lowest scope necessary (subnet level) and then document this change as part of your network operations.

Subnet Specified

Port Specified

Behavior

192.0.2.0/24

8383 (Ipswitch iMail Admin UI)

Only traffic seen within a specific subnet will be labeled with Ipswitch iMail Admin UI application within NTA reports and dashboards. Other traffic outside this subnet range and outside other well-known port associations will be considered Unclassified.

Note: If you do not specify a subnet the NTA Application port association becomes global. In other words, it is applied to all NTA traffic.

Global Scope Case: No Subnet Specified

Subnet Specified

Port Specified

Behavior

None

8383 (Ipswitch iMail admin)

All flow traffic detected will be labeled with Ipswitch iMail Admin application in NTA reports and dashboards.

Note: If you do not specify a port, the NTA Application port association becomes global. In other words, it is applied to all NTA traffic.

Note: Network Traffic Analysis considers network traffic to be "unclassified" when both source and destination ports are either outside the well-known port range or not classified in the Application Library.

Tip: Leverage general NTA application rules (port 8383 = TCP, for example) for large network segments. Then add specific rules for the same port and tune port identifications for certain subnets where it makes sense (for example for a smaller network segment, Port = 8383 on Subnet = 192.0.2.0/24 could be tagged as Ipswitch iMail).

See Also

Network Traffic Analysis

Start Analyzing Your Network!

Before You Begin

NTA Features and Advantages

Choosing NTA Sources

Configuring and Enabling Collection on Sources

Creating Aggregate Sources

Aggregating Sources

Grouping Traffic

Adding Custom Labels for Type of Service (ToS) IDs

Collector Database Maintenance

Reduce and Analyze Traffic with Advanced Filtering

Network Traffic Analysis Settings

IP Reputation Library

Listener Port, Collection, and Retention Settings