nanog mailing list archives

Flows with destination port 0 and TCP SYN flag set


From: Maqbool Hashim <maqbool () madbull info>
Date: Wed, 17 Jun 2015 08:44:34 +0000

Hi,

I am doing some flow analysis within our network primarily for understanding application flows to aid in network 
segregation activity and mainly understand what is going on inside the network.  To do this I have been using netflow 
where the switches/firewalls support it.  In some cases I have used a monitor port and fed full packet capture into the 
nfdump toolset for conversion into flows.

There is a portion of our network where the switches only support sflow, which is not ideal, but hopefully I will be able 
to gather enough data over time to be useful.  One of the things I was trying to identify was flow initiation, i.e. the 
client and server in the flow, so I filtered for TCP packets with the SYN flag set.

It was at this point that I saw TCP SYN packets with a destination port of 0.  I have seen this discussed before in 
this thread: http://www.gossamer-threads.com/lists/nanog/users/155141

It was stated in that thread that netflow reports source/dest port 0 for non-initial fragments.  My question is: is 
this what I am seeing here, i.e. is any SYN packet with dest port 0 a non-initial fragment seen by the tool?  Therefore 
should I always see a corresponding response with the Ack and Reset flags set?  I do see a set of flows with R and A set 
with a source port of 0; all the dest port 0 flows have the SYN flag set, but it's hard to find ones that match a SYN 
packet due to only receiving a sample of flows.

Some notes on the setup:

Capture is from inside one VLAN
Switches are sending sflow back to analysis tools, sampling rate of 1/1024 packets
Using the nfdump suite of tools for analysis, sfcapd as the collector

Thinking about this, is what I am seeing a symptom of the fact that the tools don't see all packets, i.e. the tools 
don't see the initial fragment due to sampling?  However, I still don't quite understand why it appears with the SYN flag 
set.

I am starting to think that for these purposes I might be better off abandoning sflow and going with setting up collectors on 
the switches to get full flow information for my purposes.

Any clarification/input much appreciated.

Regards

MH
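An added example, not part of the original post, showing one way to sort sampled flow records into usable flow-initiation evidence (a client SYN, optionally confirmed by the reverse SYN/ACK) versus records that cannot establish client or server at all because a port is 0. The records, field names and letter-style flag strings are constructed to resemble nfdump output and are assumptions, not captured data.

```python
# Added example: classify sampled TCP flow records for client/server discovery.
# Records are constructed (not real captures); flags use letters such as "S", "SA", "RA".
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport flags")

# Constructed sample records.
SAMPLE_FLOWS = [
    Flow("TCP", "10.1.1.20", 51234, "10.1.2.5", 443, "S"),    # client SYN
    Flow("TCP", "10.1.2.5", 443, "10.1.1.20", 51234, "SA"),   # server SYN/ACK
    Flow("TCP", "10.1.1.21", 40000, "10.1.2.9", 0, "S"),      # dport 0: no usable L4 info
    Flow("TCP", "10.1.2.9", 0, "10.1.1.21", 40000, "RA"),     # sport 0 reset
    Flow("TCP", "10.1.1.22", 52000, "10.1.2.7", 22, "AP"),    # mid-stream, no SYN sampled
    Flow("UDP", "10.1.1.23", 53000, "10.1.2.53", 53, ""),
]


def classify(flow):
    """Label one record by what it can tell us about flow initiation."""
    if flow.proto != "TCP":
        return "non-tcp"
    if flow.sport == 0 or flow.dport == 0:
        # An exporter reports port 0 when it could not read a transport header
        # (non-initial IP fragments are the usual case). Such a record cannot
        # name a client or server, whatever flags it carries, so it is excluded
        # from initiation counts instead of being treated as a SYN.
        return "undecodable-port0"
    flags = set(flow.flags)
    if "S" in flags and "A" not in flags:
        return "client-syn"
    if {"S", "A"} <= flags:
        return "server-synack"
    return "mid-stream"


def initiations(flows):
    """Map (client, server, server_port) to True when the reverse SYN/ACK was
    also sampled, False when only the client SYN was seen. At 1/1024 sampling
    most entries will be False, which is expected rather than an anomaly."""
    labels = {f: classify(f) for f in flows}
    synacks = {(f.dst, f.src, f.sport) for f, l in labels.items() if l == "server-synack"}
    result = {}
    for f, label in labels.items():
        if label == "client-syn":
            key = (f.src, f.dst, f.dport)
            result[key] = key in synacks
    return result
```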