What are Port_xxxx classes?


Article ID: 167731






A Port_xxxx class corresponds to traffic on a specific port number. For example, UDP_Port_2301 is UDP traffic on port 2301. Anything classified in a Port_xxxx class is traffic that PacketWise could not auto-classify as a known service.


If PacketWise sees a flow that cannot be classified automatically under one of the known services, it will go into the Inbound/Default or Outbound/Default class. Once the traffic hits the Default class, the discovery mechanism for Port classes kicks in:

* PacketWise looks at the destination port of the very first packet. All other packets associated with this flow remain part of the flow as defined by the first packet’s port numbers, regardless of the individual packet’s direction and source/destination fields.

* PacketWise creates a Port_#### class in the DiscoveredPorts folder when it sees 11 new connections to a static port within a one-minute time frame. Although 11 is the default, this value is a system variable (Static Ports) that can be adjusted. See Adjust System Variables in PacketGuide.
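The following Python sketch models the discovery rule described above so you can predict which Port classes a set of unclassified flows would produce. It is an added example, not PacketWise code. It assumes a sliding one-minute window and an input of one `(start_time, protocol, first_packet_dst_port)` tuple per new connection; the function names and sample flows are constructed for illustration.

```python
from collections import defaultdict, deque

STATIC_PORTS_THRESHOLD = 11   # default value of the Static Ports system variable
WINDOW_SECONDS = 60           # the one-minute time frame


def discover_port_classes(flows, threshold=STATIC_PORTS_THRESHOLD,
                          window=WINDOW_SECONDS):
    """Return {class_name: discovery_time} for flows that landed in Default.

    flows: iterable of (start_time_seconds, protocol, first_packet_dst_port),
    one tuple per new connection, sorted by start time.
    """
    recent = defaultdict(deque)   # (proto, port) -> start times still in window
    discovered = {}
    for ts, proto, dst_port in flows:
        key = (proto.upper(), dst_port)
        name = f"{key[0]}_Port_{dst_port}"
        if name in discovered:
            continue              # class exists; later flows match it directly
        times = recent[key]
        times.append(ts)
        # Assumption: sliding window. Drop connections older than `window`.
        while ts - times[0] >= window:
            times.popleft()
        if len(times) >= threshold:
            discovered[name] = ts
            del recent[key]
    return discovered


def sample_flows():
    """Constructed sample data, not captured traffic."""
    flows = [(i * 5.0, "udp", 2301) for i in range(11)]     # 11 flows in 50 s
    flows += [(i * 10.0, "tcp", 8443) for i in range(11)]   # 11 flows over 100 s
    flows += [(i * 1.0, "tcp", 9000) for i in range(10)]    # only 10 flows
    return sorted(flows)


if __name__ == "__main__":
    for name, ts in discover_port_classes(sample_flows()).items():
        print(f"{name} discovered at t={ts:.0f}s")
```

Only the UDP port 2301 flows cross the threshold here: the port 8443 connections arrive too slowly to reach 11 within any one-minute span, and port 9000 stops at 10 connections, so both stay in the Default class.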

You can research what a port number might be by looking at http://www.iana.org/assignments/port-numbers

To track down the servers generating the unknown traffic, you can enable Top Talkers/Top Listeners for the Port_xxxx class.

For more information on this feature, see Track Hosts that Generate the Most Traffic in PacketGuide.