General application definitions
General application mapping allows traffic between specified hosts and ports to be tracked and reported as application traffic. You can define a custom application by associating an application name with connections to a specific server host or group of server hosts using a specific port or group of ports. NetProfiler can then report on that application traffic.
Alternatively, you can assign a custom application name to an automatically-recognized application. You can make separate assignments of the same custom application name to multiple automatically-recognized applications and to applications defined by hosts and ports. This enables you to track and report on the group under a single custom application name.
The General tab of the Definitions > Applications page has two sections. The first section is for specifying search criteria for locating existing application mappings. The second section enables you to:
Define a new custom application mapping.
Edit an existing mapping.
Change the priority of a mapping.
Copy a custom mapping to use as the basis for defining a new one.
Enable or disable mapping-based tracking of a custom application.
Specify how the mapping should override automatically-recognized application definitions.
Searching and displaying the General application list
To locate an application definition by name, hosts or ports, enter or select the values in the General Applications section of the tab. This limits the list of application definitions to just those that match the criteria you specify.
Selecting the "Show known protocols/ports" check box includes two types of system-defined applications in the list:
Known protocols - If traffic uses a protocol known to the system but does not match any application mapping, it is tracked as belonging to a system-defined application for that protocol. The system-defined application is given the name of the protocol itself. If the protocol is not recognized, the system tracks it under one of the following application names: TCP_Unknown, UDP_Unknown, or IP_Proto_Unknown.
Known ports - If a name is defined for a protocol/port combination on the Definitions > Port Names page, and if the “Generate App Mapping” check box is selected in that definition, then the system creates an application using that name and maps it to that protocol/port combination.
The system-defined application mappings cannot be edited on the Definitions > Applications page. Therefore, they are not listed unless you select the "Show known protocols/ports" check box.
When you click Apply, the application definitions that match your search criteria are listed in the Application Mappings section of the tab. Each application has options in the Actions column. Choose a link in the Actions column to view, edit, delete or copy an application mapping.
Choose Disable to stop NetProfiler from tracking and reporting traffic for an application. Choose Enable to resume tracking and reporting.
If you do not specify any matching criteria in the General Applications section, the Application Mappings section displays all application mappings. This includes system-defined applications for legacy port groups.
Versions prior to 10.9.5 supported defining port groups. When the product is updated to version 10.9.5 or later, port group definitions are automatically converted to application definitions of the same name and given the "_portgroup" suffix. For example, a legacy port group named "web" is automatically converted to an application named "web_portgroup." This enables you to continue to track and report on traffic previously defined for the port group.
Application definitions that the system creates from legacy port group definitions are listed with the other General application definitions and are fully editable.
Additionally, any Layer 4 application definitions you created before updating to version 10.9.5 or later are preserved "as is" and listed as General applications. They are also fully editable.
Creating a mapping-based application definition
There are two ways to create a new application definition on the Definitions > Applications page General tab:
Choose the New button at the top of the Application Mappings list. This opens a section above the list for defining a new application.
Choose Copy in the entry for an existing application. This opens a section above the list for defining a new application based on the existing application. The section is pre-populated with the definition of the mapping you copied. You can change the name and modify the definition as necessary to create the new application.
An application is defined by one or more mappings. You can create a mapping based on hosts or ports, or a mapping based on Auto-Recognized applications, but not both in the same mapping. To track traffic based on both hosts or ports and Auto-Recognized applications, create two separate definitions, both using the same application name. Map the hosts and ports to the custom application name in one definition. Map the Auto-Recognized applications to the custom application name in another definition.
A General application definition remains in effect until it is deleted or modified. It affects only new flows that begin after the mapping is created. A change to the definition affects only flows that begin after the change is made. Ongoing flows and historical flows continue to be reported as belonging to applications based on the definitions at the time they began.
To create a mapping based on hosts and ports
Go to the Definitions > Applications page General tab.
In the title bar of the Application Mappings section of the page, click New. This expands the page to display a section for defining a new application mapping.
Application name: Enter the name for the new application as you want it to appear on reports and in the applications list. This can be up to 25 alphanumeric characters, periods and underscores.
Hosts (optional): Define the application in terms of a comma-separated list of the server hosts or server host groups that it uses:
hosts – enter as the names or IP addresses of hosts acting as servers, or enter the IP address ranges in prefix length notation of hosts acting as servers.
host groups – enter manually in the server_host_group_type:host_group_name format or else enter by browsing lists of server host group types and server host group names using the lookup tool.
If this field is left empty, the mapping matches all hosts that use the ports specified in the Ports field.
Ports: Define the application in terms of a comma-separated list of the ports that it uses:
tcp or udp ports – enter using protoport format, e.g., tcp/80
protocols other than tcp or udp – enter the protocol name. You can browse for ports and protocols using the lookup tool.
port number – a port number is assumed to be a tcp or udp port. It is automatically translated into protoport format for display on reports. For example, "80" will be interpreted as meaning tcp/80 and udp/80.
port name – browse for port name using the lookup tool.
Select or deselect Enabled to enable or disable mapping-based tracking and reporting of the application.
Specify in which cases, if any, the General definition of an application should override an Auto-Recognized definition:
Always – Ignore any Auto-Recognized definition of the application and always use this definition.
Unknown – Use this definition for classifying flows that do not match any Auto-Recognized application.
Click OK to add the definition to the applications list.
A custom application can be defined by more than one mapping. For each mapping, traffic on any host or host group in the hosts field is classified as belonging to the application if it uses any port specified in the ports field.
You can also define an application as traffic that involves only a particular host or host group that uses only a particular port. To do this, create multiple mappings for the same application name. For example,
My_app 172.16.0.100 tcp/40430
My_app 172.16.0.120 tcp/40440
This definition matches only those specific host and port combinations.
To create a mapping based on Auto-Recognized applications
Go to the Definitions > Applications page General tab.
In the title bar of the Application Mappings section of the page, click New. This expands the page to display a section for defining a new application mapping.
In the Auto-Recognized Applications box, enter the name of one or more applications that the product recognizes automatically. Alternatively, choose Browse and use the search tool to locate the applications.
Select or deselect Enabled to enable or disable mapping-based tracking and reporting of the application.
For the Override policy, select Always. Because the mapping is applied only to flows that have been tagged with an Auto-Recognized application, setting this to Unknown will never result in a match.
Click OK to add the definition to the Application Mappings list.
Overlapping application definitions
NetProfiler can use a system of prioritizing application definitions to prevent traffic being reported multiple times when the same traffic attributes appear in more than one application definition. However, the priority assignments cannot be exported to NetShark or AppResponse 11 when those products are synchronized with NetProfiler. So if traffic matches more than one application definition, the total traffic for all elements of a display on NetShark or AppResponse 11 could be greater than the actual total traffic.
Application definition priorities
Each application mapping is assigned a priority. This allows you to use overlapping definitions. For example, assume that you have a group of servers in an address range and all but one of them are used for Application A. One of them will be used for Application B, but you don't know which one yet.
You can start by defining Application A as:
Application_A 172.16.0.0/12
At some later time, you can add the definition:
Application_B 172.16.0.100
You can then set the priority of the Application B definition to be higher than the priority of the Application A definition. NetProfiler looks at the highest priority definition first. So traffic to and from host 172.16.0.100 is classified as belonging to Application B. All traffic in the 172.16.0.0/12 range except for 172.16.0.100 is classified as belonging to Application A.
Application mappings are automatically assigned priorities at the time they are created. The first mapping you create is assigned Priority 1 (the highest priority). The second mapping you create is assigned Priority 2, and so forth.
NetProfiler checks traffic against the Priority 1 mapping first. If the traffic matches the Priority 1 mapping, NetProfiler designates it as belonging to that application. If the traffic does not match the Priority 1 mapping, NetProfiler checks it against the Priority 2 mapping.
NetProfiler continues to successively check traffic information against mappings. Therefore, it is recommended that you assign first priority to the application with the highest volume of traffic.
If you change a priority or delete an application mapping, all priority levels are automatically adjusted so that there are no gaps in the sequence of priorities.
System-generated mappings (known protocols and known ports) are automatically a lower priority than any user-created application mapping. The priority of system-generated mappings cannot be changed.
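The priority rules above can be checked offline before the list is changed. The following Python sketch is an added example, not NetProfiler code: it models first-match classification in priority order and flags mappings that a higher-priority mapping fully covers, so they can never match. Assumptions: hosts are given as IP addresses or prefix-length ranges only, an omitted Ports field matches any port, and all function names are hypothetical.

```python
import ipaddress

def parse_ports(spec):
    """Expand a Ports field; a bare number such as "80" means tcp/80 and udp/80."""
    out = set()
    for item in filter(None, (p.strip().lower() for p in spec.split(","))):
        if "/" in item:
            proto, port = item.split("/", 1)
            out.add((proto, int(port)))
        elif item.isdigit():
            out.update({("tcp", int(item)), ("udp", int(item))})
        else:
            out.add((item, None))  # protocol name other than tcp or udp
    return out

def mapping(name, hosts="", ports=""):
    """Hypothetical in-memory form of one mapping row (IPs and prefixes only)."""
    nets = [ipaddress.ip_network(h.strip(), strict=False)
            for h in hosts.split(",") if h.strip()]
    return {"name": name, "nets": nets, "ports": parse_ports(ports)}

def classify(mappings, server_ip, proto, port):
    """First match wins; list index 0 is Priority 1. None means no user mapping."""
    ip = ipaddress.ip_address(server_ip)
    for m in mappings:
        host_ok = not m["nets"] or any(ip in n for n in m["nets"])
        port_ok = (not m["ports"] or (proto, port) in m["ports"]
                   or (proto, None) in m["ports"])
        if host_ok and port_ok:
            return m["name"]
    return None

def covers(hi, lo):
    """True if every flow matching lo also matches hi (conservative check)."""
    hosts = not hi["nets"] or (bool(lo["nets"]) and all(
        any(n.version == h.version and n.subnet_of(h) for h in hi["nets"])
        for n in lo["nets"]))
    ports = not hi["ports"] or (bool(lo["ports"]) and lo["ports"] <= hi["ports"])
    return hosts and ports

def shadowed(mappings):
    """List (priority, name, shadowing_name) for mappings that can never match."""
    return [(j + 1, lo["name"], hi["name"])
            for j, lo in enumerate(mappings)
            for hi in mappings[:j] if covers(hi, lo)]

# Constructed sample: the page's Application_A / Application_B definitions,
# first in creation order, then with Application_B raised to Priority 1.
created = [mapping("Application_A", "172.16.0.0/12"),
           mapping("Application_B", "172.16.0.100")]
raised = [created[1], created[0]]
print(shadowed(created), classify(raised, "172.16.0.100", "tcp", 443))
```

In creation order the narrower Application_B mapping is reported as shadowed by Application_A; after it is raised to Priority 1, nothing is shadowed and 172.16.0.100 classifies as Application_B.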
To change an application mapping priority
Go to the Definitions > Applications page General tab.
Locate the application in the Application Mappings section.
In the Priority column, choose the priority number. This opens a window in which you can specify the priority.
Enter the new priority for the application mapping.