Issue:
In Netflow, can we see the actual unknown port number rather than seeing “tcp.unknown”, i.e. tcp. 23456?
Root cause:
AKIPS does not keep the raw Netflow records. A UDP/TCP flow carries two port numbers (source and destination), and between the same two IPs both may change on every connection: an application may be bound to a range of port numbers and IPs, and the client side usually picks a random port. Load balancers and NAT in the path make this more complex still.
There are 2^16 possible port numbers. Keeping a tally of every port seen would significantly increase the size of the flow meters' data structures, potentially requiring more memory for the virtual machine.
Solution:
AKIPS does keep the last 5 minutes of unknown ports. This list can help you identify an unknown port based on the source/destination pairs and the number of matching flows.
You are also able to manually label any custom ports used within your network under Admin -> General -> Netflow Protocols. Once added, AKIPS can identify and label that traffic in the Netflow Reporter.
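As an added illustration (not AKIPS code), a small Python flow meter that labels flows from a configured port table, collapses the rest to tcp.unknown/udp.unknown, and keeps a five-minute sliding window of unknown-port flows tallied by source/destination pair. The label table, the window logic and the sample flows are all assumptions constructed for this example.

```python
from collections import Counter, deque, namedtuple

UNKNOWN_WINDOW = 300  # seconds; the 5-minute retention described above

# Constructed label table (assumed names/ports) standing in for the custom entries
# an admin adds under Admin -> General -> Netflow Protocols.
PORT_LABELS = {(6, 443): "tcp.https", (17, 53): "udp.dns", (6, 23456): "tcp.myapp"}

Flow = namedtuple("Flow", "ts proto src dst sport dport")  # ts: epoch s; proto 6=TCP, 17=UDP

def label_flow(flow):
    """Match destination port, then source port; unmatched flows become '<proto>.unknown'."""
    name = "tcp" if flow.proto == 6 else "udp"
    for port in (flow.dport, flow.sport):
        if (flow.proto, port) in PORT_LABELS:
            return PORT_LABELS[(flow.proto, port)]
    return f"{name}.unknown"

class UnknownPortTracker:
    """Sliding-window tally keyed by (src, dst, proto, dport); memory tracks recent flows, not 2^16 ports."""
    def __init__(self, window=UNKNOWN_WINDOW):
        self.window, self.recent, self.counts = window, deque(), Counter()

    def observe(self, flow):  # flows must arrive in time order
        key = (flow.src, flow.dst, flow.proto, flow.dport)
        self.recent.append((flow.ts, key))
        self.counts[key] += 1
        while self.recent and flow.ts - self.recent[0][0] >= self.window:
            _, old = self.recent.popleft()  # older than the window: forget it
            self.counts[old] -= 1
            if not self.counts[old]:
                del self.counts[old]

def summarise(flows):
    """Return (label counts, tracker holding only recent unknown-port flows)."""
    labels, tracker = Counter(), UnknownPortTracker()
    for f in flows:
        label = label_flow(f)
        labels[label] += 1
        if label.endswith(".unknown"):
            tracker.observe(f)
    return labels, tracker

# Constructed sample: three flows to 8443 from one host pair, then one arriving
# more than five minutes later that pushes the 8443 entries out of the window.
SAMPLE = [Flow(1000, 6, "10.0.0.5", "10.0.0.9", 51000, 443),
          Flow(1001, 6, "10.0.0.5", "10.0.0.9", 51001, 8443),
          Flow(1002, 6, "10.0.0.6", "10.0.0.9", 51002, 8443),
          Flow(1003, 6, "10.0.0.5", "10.0.0.9", 51003, 8443),
          Flow(1400, 17, "10.0.0.7", "10.0.0.8", 40000, 5999)]
```

Inspecting `tracker.counts` after the first four flows shows the same host pair hitting 8443 twice, which is the kind of evidence the unknown-ports list gives you before you add a label for that port.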