Quires on Cisco NAM2

Unanswered Question
Feb 20th, 2007

I have the following Queries on Cisco Network Analyzer Module WS-SVC-NAM-2 which installed on Core switch 6500 series.

1. When monitoring Application; some applications appears as 'tcp-unknown' or 'gre-unknow' how could we know the type of this application monitored by the NAM.

2. Some reports appear to have missing data between some intervals.

3. Traffic monitored for specific VLAN is less than the traffic monitored for one host that belongs to that VLAN.

I have more queries, but those are the mort important for me.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1 (1 ratings)
ayganesa Mon, 02/26/2007 - 21:23

The "others" issue is a known issue. We are addressing it in the

upcoming 3.5 release. The issue stems from

the fact that on the NAM GUI we only show protocolDir leaf nodes. In the

RMON-II standard packets

are parsed and counted up all the protocol layers until no further

differentiation is known by the parser.

So e.g. if it is a unknown TCP port, counting stops at TCP. But TCP is

not a leaf protocol and does

now show up (except in "others") in the GUI. In 3.5. we introduce a

bunch of xxx-unknown protocols

e.g. ip-unknown, tcp-unknown that are real leaf protocols where those

packets are counted. As they

are real protocols in the protocolDir we will collect stats on them

(hosts, conversations, etc) and they

can be captured.

wmulla465 Mon, 02/26/2007 - 22:38

Thanks a lot Mr.Ayganesa for your replay. but could i know the TCP Ports that those protocols are using?

ayganesa Fri, 03/02/2007 - 11:32

hi there,

I would say the other/unknown ports are not specific to port numbers of tcp ( I have put more explanation below on that.) To address th e new question, NAM does not have an easy way to see the TCP port via the GUI

interface. However, you can session into the NAM and run "show config" and look for the

"monitor protocol" section.

For example:

monitor protocol


name "w-ether2.ip.tcp.http"

addressmap not-applicable

host enable

conversations enable

art disable


In the above long port-pecifier, you will see 80 which is the TCP port for HTTP.

You can dump your "show config" output to a file and then sort this file out using an


NAM comes with a good list of application protocols. You are right, other

means, it's the application that has not been defined in NAM. However, NAM

displays the first 100 unknown protocols using the format "Layer4-port

number it saw this protocol on". So, the example for this is the

application in your screenshot is udp-17234. Custoemrs can save this by

going to Setup-->Monitor-->Protcol directory. Customers can give it a name

that they recognize.

For your original question on other/unknown -

Once the unknown protocols cross the 100 range, they are all grouped under

"other" category.

In 3.1 and 3.3 releases, the number of unknown protocols monitored are 100. It has been increased to a maximum of 500 (user definable) in 3.4


This Discussion