
Top Applications - How to Drill Down for More information?

The Sophos UTM dashboard has a topic section called "Top Applications". It shows a table of Applications and the Total traffic for each application. Applications include obvious ones like "HTTP" and "SSL". I found an application that caught my notice, and I would like to understand it better. I would prefer not to list it here.

At the moment, all I know is the name of the application, and that its traffic involved several hundred megabytes of data. 

Here are my questions:

* How does the UTM determine which application is running for which traffic? Is it as simple as UDP or TCP destination port, or is there more to it? How can I figure out what an application name means or how the UTM defines it? (A simple web search for the application name turned up incorrect information.)

* Is there a way to drill down to determine which local hosts were running or connecting to that application and when they connected to it?

* Are there logs that show more detailed information? I looked at various logs, but could not find the listed application by name. 

  • Okay - I dug into the help files, and through them I found more:

    The Applications can be found in Web Protection -> Application Control. If you click "Add Rule" and then click the folder in the "Control these Applications:" frame, you will see a list of applications appear. My UTM lists 1991 applications. The applications themselves are a hodgepodge of domains/websites and protocols (ports?). In other words, it is a mix.

    Each application is assigned to one of these categories: Collaboration, Database, File Transfer, Games, Mail, Messaging, Network Monitoring, Networking, Proxy, Remote Access, Social Networking, Streaming Media, VPN and Tunneling, or Web Services.

    Each application has an "i" to reveal a text description with additional information. Sometimes the description tells you if the application is a website or a protocol. Descriptions vary in how much detail they reveal.

    I found these sites, which have different versions of the same information in nice, tabular lists:

    documentation.solarwinds.com/.../core-list-of-quality-of-experience-qoe-applications.htm

    https://wiki.untangle.com/index.php/Application_Control_Application_List 

    I also found this text file at PasteBin, which shows a raw configuration file. It has many of the same definitions, but is missing the application I wanted to dig into. It is also missing the technical definitions of how each Application entry is determined by the UTM:

    https://pastebin.com/kxFwDHQ3

    -> Now that I have found the list of Applications and additional descriptive information, where can I find how their actual definitions are configured? The ones that the UTM uses to examine packets and match them to the listed applications?

    -> I would like to see their precise definitions, the ones used by the UTM to determine which packet belongs to which Application, not just someone's interpretations or text description. 

    Any help would be appreciated. Thanks!