Protocol Data showing up as "Unclassified" or "Unknown" in NFA

Document ID : KB000030434
Last Modified Date : 14/02/2018

Summary:

After importing the NBAR2 Application Definitions into NFA 9.3.1 and earlier, you may see Protocol data displayed as "Unclassified(*.ip.tcp.65001)" or "Unknown(*.ip.tcp.65003)".


Resolution:

This is caused by NBAR2 definitions included in the nbar2.csv file that categorize some data as either "unclassified" or "unknown".

To resolve, go to the NFA "Administration -> Application Definitions" page and sort by "NBAR2 Application" from lowest to highest.

Then delete the "Unclassified" entry, which should be NBAR2 ID 0, and the "Unknown" entry, which, if you have it, will be NBAR2 ID 1.

Then allow some time for data to be collected. You will no longer see the "Unclassified" or "Unknown" traffic; it will instead show up as the lower of the two port numbers in a conversation, the same way all non-NBAR2 protocol data does.