Grouping traffic by protocol

TCP/UDP port numbers can be used to infer the type of traffic. Traffic Server provides a "protocol grouping" mechanism that allows well known ports to be identified and grouped together into named classes of traffic. For example, traffic to or from TCP port 80 can be identified as HTTP (Web) traffic.

Each TCP/UDP packet has both source and destination port numbers. Typically, one of these numbers will correspond to a well known service and the other will be an arbitrary number assigned by the host. There are two steps in trying to classify traffic.

The first step involves identifying which of the two ports is the well known one. The second step groups a range of well known ports into a named service, such as web, file-transfer, or login.

[enterprise]
name = "InMon Corp."

...
protocol.priority.TCP = 1-1024,2049,6000-6010,8080,8088 
protocol.group.TCP.login = 22,23,513 
protocol.group.TCP.web = 80,8080,8088 
protocol.group.TCP.file-transfer = 20,21,139 
protocol.group.TCP.privileged = 1-1024 
protocol.group.TCP.X11 = 6000-6010 

protocol.priority.UDP = 1-512,2049,513-1024,6343,9985-9995,19981-19991 
protocol.group.UDP.DNS = 53 
protocol.group.UDP.snmp = 161,162 
protocol.group.UDP.nfs = 2049 
protocol.group.UDP.netbios = 137-139

...
Figure 1 Protocol Group Example

Figure 1 shows an example of configuring protocol settings. The protocol.priority.TCP setting provides a priority ordering of port numbers that is used to establish which of the source or destination port numbers to use to classify the protocol. In this example the priority order is 1-1024,2049,6000-6010,8080,8088. The application of the priority list is best illustrated by example. A packet with source port 22 and destination port 3123 would be classified using port 22, since 22 is included in the 1-1024 range and 3123 isn't listed at all. A packet with source port 8088 and destination port 20 would be classified using port 20, since 20 is included in the 1-1024 range and that range is listed before 8088. Once the packet has been classified, the port is matched to one of the protocol.group lists. Referring to the previous two examples, port 22 would be assigned the group login and port 20 would be assigned the group file-transfer.
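The two-step classification described above (pick the well known port from the priority list, then map it to a protocol.group) can be worked through in code. The following is an added example, not Traffic Server's own implementation: it parses the protocol.priority and protocol.group lines from Figure 1 as constructed input and classifies a few packets. The parsing, the handling of unlisted ports, and the tie-break rule when both ports fall in the same priority entry are assumptions made for this example; the page does not specify them.

```python
"""Port-priority protocol classification, modelled on the Traffic Server
protocol.priority / protocol.group settings shown in Figure 1.

Added example, not Traffic Server code. The config text below is copied
from the figure; the parsing and the tie-break rule are assumptions."""

import re

# Constructed input: the protocol settings from Figure 1 (keys as on the page).
CONFIG_TEXT = """
protocol.priority.TCP = 1-1024,2049,6000-6010,8080,8088
protocol.group.TCP.login = 22,23,513
protocol.group.TCP.web = 80,8080,8088
protocol.group.TCP.file-transfer = 20,21,139
protocol.group.TCP.privileged = 1-1024
protocol.group.TCP.X11 = 6000-6010

protocol.priority.UDP = 1-512,2049,513-1024,6343,9985-9995,19981-19991
protocol.group.UDP.DNS = 53
protocol.group.UDP.snmp = 161,162
protocol.group.UDP.nfs = 2049
protocol.group.UDP.netbios = 137-139
"""


def parse_port_list(text):
    """Turn '1-1024,2049,6000-6010' into an ordered list of (low, high) tuples."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = item.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def parse_config(text):
    """Return {proto: {"priority": [ranges], "groups": [(name, [ranges]), ...]}}.

    Groups keep their configuration order, which matters for overlapping
    entries (port 22 is in both 'login' and 'privileged')."""
    cfg = {}
    prio_re = re.compile(r"^protocol\.priority\.(\w+)\s*=\s*(.+)$")
    group_re = re.compile(r"^protocol\.group\.(\w+)\.([\w-]+)\s*=\s*(.+)$")
    for line in text.splitlines():
        line = line.strip()
        m = prio_re.match(line)
        if m:
            entry = cfg.setdefault(m.group(1), {"priority": [], "groups": []})
            entry["priority"] = parse_port_list(m.group(2))
            continue
        m = group_re.match(line)
        if m:
            proto, name, ports = m.groups()
            entry = cfg.setdefault(proto, {"priority": [], "groups": []})
            entry["groups"].append((name, parse_port_list(ports)))
    return cfg


def priority_rank(port, priority):
    """Index of the first priority entry containing the port, or None if unlisted."""
    for idx, (low, high) in enumerate(priority):
        if low <= port <= high:
            return idx
    return None


def classify(cfg, proto, src_port, dst_port):
    """Pick the well known port and map it to a group; returns (port, group).

    The port whose priority entry appears earlier wins. If both ports fall in
    the same entry the destination port is used (assumption: the page does not
    say how ties are broken). If neither port is listed, (None, None) is
    returned, i.e. the packet stays unclassified. Groups are checked in
    configuration order, so 'login' (listed first) wins over 'privileged'."""
    settings = cfg.get(proto)
    if settings is None:
        return None, None
    src_rank = priority_rank(src_port, settings["priority"])
    dst_rank = priority_rank(dst_port, settings["priority"])
    if src_rank is None and dst_rank is None:
        return None, None
    if dst_rank is None or (src_rank is not None and src_rank < dst_rank):
        port = src_port
    else:
        port = dst_port
    for name, ranges in settings["groups"]:
        if any(low <= port <= high for low, high in ranges):
            return port, name
    return port, None  # listed in the priority list but in no group


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for proto, s, d in [("TCP", 22, 3123), ("TCP", 8088, 20),
                        ("UDP", 40000, 53), ("TCP", 40000, 50000)]:
        print(proto, s, d, "->", classify(cfg, proto, s, d))
```

The two packets from the text come out as expected: (22, 3123) is classified on port 22 as login, and (8088, 20) on port 20 as file-transfer. When reviewing a real configuration, the ordering of protocol.group lines is worth checking in the same way, since a broad group such as privileged placed before login would absorb port 22.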

The protocol.group classifications are used when making queries and generating reports. Specifically, traffic on links can be broken out by group when plotting long term trends (see Long term trending of interface counters). In addition, the protocolGroup field can be included as a resultField in most queries (see Help : Query). Finally, protocolGroup can be used as a categoryColumn when creating report templates (see Help : Reports : Templates).
