In order to meet a program requirement I created a custom table to show average and peak packets per application(port)
The query is:
SELECT TOP 10 F.Application.Name, F.Port, AVG(F.TotalPackets) as Average, MAX(F.TotalPackets) as Peak
FROM Orion.NetFlow.flows F
WHERE F.IngressInterface.InterfaceID = 295 or F.IngressInterface.InterfaceID = 294
AND minutediff(F.ObservationTimestamp, GetDate()) < 15
GROUP BY F.Port
ORDER BY Average DESC
This display a table as expected but it include counts for port 0. I guessing the port 0 counts probably includes ICMP as well as some other portless traffic. In order to not confuse people I was going to ignore port 0. I've tried several time but nothing seems to do the job. I thought the new query would be something like:
SELECT TOP 10 F.Application.Name, F.Port, AVG(F.TotalPackets) as Average, MAX(F.TotalPackets) as Peak
FROM Orion.NetFlow.flows F
WHERE F.IngressInterface.InterfaceID = 294
AND F.Port <> 0
AND minutediff(F.ObservationTimestamp, GetDate()) < 15
GROUP BY F.Port
ORDER BY Average DESC
I've also tried:
F.Port != 0
F.Port > 0
F.Port >= 1
F.Port is NOT NULL
F.Port <> '0' (even though I know Orion.Netflow.Flows.Port is an int(32))
How do you ignore port 0? I've attached a picture of the table so you can see the port 0 counts.