Traffic That Should Be Application X is Classified as Application Y


Article Number: 000001418
Published: October 14, 2016
Categories: Software
When looking at real-time monitoring on an Exinda, it is possible to see traffic that is known to be of one type erroneously classified as another application. This misclassification can happen for many reasons.
The Exinda uses extensive classification algorithms to determine what the traffic passing through it is. Applications and protocols that have not changed in a very long time (e.g. DNS, DHCP, HTTP) are classified extremely reliably because they have been so stable over time. Newer applications, or applications whose updates make major changes to how they operate, can sometimes be classified incorrectly even though the Exinda already has an application definition for them. The following are a few examples of how and why traffic may be misclassified:
  • Similar application behaviour (e.g. video conferencing software being misclassified as other video conferencing software)
  • The application uses P2P protocols in its back end (e.g. video games using P2P connectivity for their multiplayer components)
  • Applications using the same ports with similar traffic types
While those are common situations, it is also possible to see traffic misclassified as something wildly different from what it is supposed to be. This is most often seen in the second case above, where applications are classified as some sort of P2P application such as BitTorrent or eDonkey because of how they operate. Depending on the Bittorrent Sensitivity level set (Configuration > System > Setup, under the "Monitoring" tab), the Exinda takes a stronger or weaker position when classifying potential P2P / BitTorrent applications.
The way that applications are defined in the Exinda is a combination of the following:
  • Ports (TCP / UDP)
  • Protocol identifiers and information relating to operation (e.g. web domain names, SSL certificate information)
  • Layer 7 Definitions
  • Destination (IPs, subnets)
L7 definitions are developed from traffic patterns and packet-level information. They can take some time to develop and, as applications update, their traffic patterns may change; the communication passing through the Exinda will then differ slightly from the existing definition, leaving the Exinda to choose which application definition to apply.

There is also a definition hierarchy based on the type of classification used. L7 application definitions take the highest priority (i.e. if traffic matches an L7 definition, it keeps that definition). Destination IPs and subnets follow, then protocol, then ports. For example, in the case of ports:
  • An attempt is made to match the destination port
  • If there is no destination port match, the source port is used.
  • If there is no match on the source port, it uses the protocol.
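To make the precedence above concrete, the following small Python model (added here as an illustration, not Exinda's code) evaluates constructed definitions in the order the article gives: L7, then destination, then protocol identifiers, then destination port followed by source port. The tag names, ports, domains and addresses are placeholders; the point it shows is that a flow which trips an L7 pattern is reported as that L7 application even when a port-based definition for the real application exists.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Flow:
    src_port: int
    dst_port: int
    dst_ip: str
    l7_tags: set = field(default_factory=set)  # tags a hypothetical L7 engine attached
    server_name: str = ""                      # domain / SSL certificate name, if observed

@dataclass
class AppDef:
    name: str
    l7_tags: set = field(default_factory=set)     # Layer 7 definition
    dst_nets: list = field(default_factory=list)  # destination IPs / subnets
    domains: set = field(default_factory=set)     # protocol identifiers (domain, cert name)
    ports: set = field(default_factory=set)       # TCP / UDP ports

# Priority order from the article: L7, destination, protocol identifiers, then ports
# (destination port before source port). The first definition that matches wins.
STAGES = [
    ("l7",       lambda d, f: bool(d.l7_tags & f.l7_tags)),
    ("dest",     lambda d, f: any(ip_address(f.dst_ip) in ip_network(n) for n in d.dst_nets)),
    ("protocol", lambda d, f: bool(f.server_name) and f.server_name in d.domains),
    ("dst_port", lambda d, f: f.dst_port in d.ports),
    ("src_port", lambda d, f: f.src_port in d.ports),
]

def classify(defs, flow):
    """Return (application name, stage that matched) or ("Unclassified", None)."""
    for stage, matches in STAGES:
        for d in defs:
            if matches(d, flow):
                return d.name, stage
    return "Unclassified", None

# Constructed placeholder definitions; none of these values come from Exinda.
DEFS = [
    AppDef("P2P (BitTorrent-like)", l7_tags={"p2p-handshake"}),
    AppDef("Example Game Lobby", ports={27015}),
    AppDef("Example Video Service", domains={"video.example.com"}),
    AppDef("Example Backup Service", dst_nets=["192.0.2.0/24"]),
]

def demo():
    # The game's multiplayer traffic trips the P2P L7 pattern; the L7 match outranks
    # the port-based game definition, so the flow is reported as P2P.
    game = Flow(51000, 27015, "198.51.100.7", l7_tags={"p2p-handshake"})
    video = Flow(51001, 443, "198.51.100.8", server_name="video.example.com")
    backup = Flow(51002, 10000, "192.0.2.20")
    return {n: classify(DEFS, f) for n, f in [("game", game), ("video", video), ("backup", backup)]}
```

Running `demo()` returns the game flow as "P2P (BitTorrent-like)" via the `l7` stage, which is the shape of the misclassifications listed below.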
Known Misclassifications as of September 2016:
  • Call of Duty Black Ops 3 multiplayer being classified as P2P traffic (known on Xbox One, unknown other platforms)
  • SnapMirror traffic being classified as Bittorrent (D-05154)
  • Dark Souls 2 sometimes being misclassified as Bittorrent
  • G711/722 being misclassified (D-06053)
  • Jabber classification not working correctly (D-04621)
Previous Misclassifications:
  • Crashplan Pro misclassifying as Skype (D-05027 - has been resolved in 7.4.3)
  • Netflix classifying as HTTPS (D-05891 - has been resolved in 7.4.3)
  • Some Netflix misclassifying as HTTPS (D-04781 - has been resolved in 7.4.3)
  • Windows Update misclassifying as HTTPS (D-05814)
  • Skype Classification operating incorrectly (D-04779 - has been resolved in 7.4.4)
  • Facebook Video misclassifying as RTP (D-04780 - has been resolved in 7.4.4)
  • EA Sports video game multiplayer often being classified as P2P traffic (known on Xbox One, unknown other platforms) (D-05072 - has been resolved in 7.4.4)
  • Betternet VPN being classified as Gamekit and other applications (D-05065 - has been resolved in 7.4.4)
  • Path of Exile being classified as Bittorrent (D-06285 - has been resolved in 7.4.4)