NetFlow Monitor automatically classifies traffic for most common applications. However, in some cases, you may need to create a custom definition to ensure that NetFlow Monitor properly classifies some traffic. This need is most common when:
Note: For traffic to be considered unclassified, both the port that the data is sent from and the port to which it is received must not be classified in the NetFlow Ports dialog. If either of those ports are classified, the traffic is associated with the application of the classified port.
To accommodate these cases, you can classify traffic that meets specific rules so that NetFlow Monitor reports that traffic as belonging to a certain application.
Important: You can configure the amount of time unclassified traffic data is kept. For more information, see Configuring data roll-up intervals.
Tip: If NetFlow Monitor detects a large amount of traffic to an unmonitored port, the Top Applications workspace displays a yellow warning flag that explains the situation and guides you in defining the unmonitored port. This can help you to proactively detect emerging non-standard traffic on your network. You can also use the Unclassified Traffic dialog (available from any page in NetFlow Monitor by selecting GO > Configure > NetFlow Unclassified Traffic) to view all unclassified traffic since the last hourly rollup.
To define rules for classifying traffic that uses non-standard ports:
HTTP
as the application).