Sinefa uses Layer 7 classification technology to detect applications on the network regardless of the TCP/UDP ports they run on. Several techniques are used including behavioral analytics, heuristic learning, pattern matching and statistical flow correlation. New Layer 7 definitions are regularly released and applied to Sinefa probes automatically.
Sometimes you may notice traffic labeled "Unclassified". This means Sinefa has not been able to identify which application generated the traffic. Rather than guess, Sinefa tags the traffic as Unclassified and reports it by protocol and port number.
Under Reports > Utilization > Applications, select "Unclassified" to open the list of TCP/UDP ports that have been detected on your network but have not been matched to an application.
If the probe was recently deployed, wait a few hours to see whether the Unclassified traffic persists. Sinefa's Layer 7 detection works best on flows it has seen from the start, so after initial deployment it can take some time for existing flows to close and new flows to begin. Encrypted applications such as Skype and BitTorrent are good examples of apps that may take a while to classify after a new probe is deployed.
You can also filter on Unclassified traffic directly: enter application = Unclassified in the filter box at the top of Reports > Utilization, then check which Internal/External Hosts, websites and so on are generating the Unclassified traffic, and which ports they are using, as outlined above.
If Unclassified traffic persists:
- Create a custom application definition for the TCP/UDP port that is showing as unclassified, following the instructions here, and give it a name that is easy to recognise (e.g. for TCP port 114, name the definition TCP114 so it is obvious what is being captured).
- Let reporting build up for at least 60 minutes, then look under Internal/External Hosts to see which hosts are using the TCP114 application, and log in to those hosts to see what was running at the time so you can narrow it down.
- Once you have identified the application, edit the custom definition TCP114 and rename it accordingly so that utilization is now reported under the application's real name.
In this example, TCP port 5000 was a top traffic generator under Unclassified, so a custom application was created to allow drill-down against the specific hosts, websites, etc. involved.
If you believe traffic is falling under Unclassified that shouldn't be, send an e-mail to firstname.lastname@example.org with the port and protocol details, along with the applications you expect to see.
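The triage above (rank Unclassified traffic by protocol and port, wrap the top port in a custom definition with a TCPnnnn-style name, drill down to the internal hosts behind it, then rename the definition once the application is known) can be modelled on a handful of flow records. The following is an added example written for this page; it is not Sinefa code and does not use any Sinefa API or export format. The Flow record layout, the sample flows, the host addresses and the final application name "InventorySync" are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, replace


@dataclass
class Flow:
    """One row of a hypothetical Unclassified report (constructed layout)."""
    proto: str        # "TCP" or "UDP"
    port: int         # server-side port the probe reported
    internal: str     # internal host address
    external: str     # external host address
    nbytes: int       # bytes transferred in the reporting window
    application: str = "Unclassified"


# Constructed sample data: five flows, TCP/5000 dominating like the page's example.
SAMPLE_FLOWS = [
    Flow("TCP", 5000, "10.0.1.20", "203.0.113.9", 52_000_000),
    Flow("TCP", 5000, "10.0.1.21", "203.0.113.9", 31_000_000),
    Flow("UDP", 4500, "10.0.1.5", "198.51.100.3", 8_000_000),
    Flow("TCP", 114, "10.0.1.40", "192.0.2.77", 2_000_000),
    Flow("TCP", 5000, "10.0.1.20", "203.0.113.10", 12_000_000),
]


def top_unclassified_ports(flows, n=3):
    """Rank (proto, port) pairs by bytes among Unclassified flows.

    Mirrors the Reports > Utilization > Applications > Unclassified drill-down."""
    totals = Counter()
    for f in flows:
        if f.application == "Unclassified":
            totals[(f.proto, f.port)] += f.nbytes
    return totals.most_common(n)


def custom_definition_name(proto, port):
    """Naming convention from the page: protocol followed by port, e.g. TCP114."""
    return f"{proto.upper()}{port}"


def apply_custom_definitions(flows, definitions):
    """Re-label flows whose (proto, port) matches a custom definition.

    `definitions` maps (proto, port) -> application name. Unmatched flows keep
    their existing label, so genuinely unknown traffic stays Unclassified."""
    return [replace(f, application=definitions.get((f.proto, f.port), f.application))
            for f in flows]


def hosts_for_application(flows, app):
    """Bytes per internal host for one application: the Internal Hosts drill-down."""
    per_host = Counter()
    for f in flows:
        if f.application == app:
            per_host[f.internal] += f.nbytes
    return per_host.most_common()


def rename_definition(definitions, old_name, new_name):
    """Final step of the procedure: once the app is identified, rename TCP5000
    (or similar) to the real application name so reports use it."""
    return {key: (new_name if name == old_name else name)
            for key, name in definitions.items()}


if __name__ == "__main__":
    (proto, port), nbytes = top_unclassified_ports(SAMPLE_FLOWS, n=1)[0]
    print(f"Top unclassified port: {proto}/{port} ({nbytes} bytes)")

    # Step 1: wrap the top port in a placeholder definition, e.g. TCP5000.
    defs = {(proto, port): custom_definition_name(proto, port)}
    labelled = apply_custom_definitions(SAMPLE_FLOWS, defs)

    # Step 2: see which internal hosts to log in to.
    for host, total in hosts_for_application(labelled, "TCP5000"):
        print(f"  {host}: {total} bytes")

    # Step 3: after investigating the hosts, rename the definition (name assumed).
    defs = rename_definition(defs, "TCP5000", "InventorySync")
    labelled = apply_custom_definitions(SAMPLE_FLOWS, defs)
    print("Now reported as:", {f.application for f in labelled if f.port == 5000})
```

For the "log in to those hosts" step, on a Linux host `ss -tnp '( sport = :5000 or dport = :5000 )'` lists the sockets on that port together with the owning process, which is usually enough to name the application before you rename the definition.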