I don't have that specific problem (seeing multi-port unmonitored traffic) after enabling "monitor all ports", but even so, there's no way to use NTA to completely profile all traffic for a host that talks on lots of different ports. This is because you can't get more than the top 100 results for any given NetFlow search, and because NTA rapidly summarizes data and drops the bottom 5% of flows in most configurations. This is supposedly going to be fixed in NTA 4, but until then you'd have to use another tool. Wireshark or Tshark can easily produce that data from a pcap. Bro Network Security Monitor is my personal favorite for that sort of thing.
↧