nanog mailing list archives

Re: Flows with destination port 0 and TCP SYN flag set


From: Maqbool Hashim <maqbool () madbull info>
Date: Wed, 17 Jun 2015 09:23:55 +0000

Hi

Thanks for the response. There are lots of different source ports, all above 10,000 (e.g. 42628, 42927, 39050). It is always two Red Hat machines generating the traffic; I can't be 100% sure due to the sampling, but I am pretty sure, as the capture has been running for 24 hours or so. It is always the same destination servers, and in normal operation these source and destination hosts do have a bunch of legitimate flows between them. I was leaning towards it being a reporting artifact, but it's interesting that there is also a whole set of ACK/RST packets from the destination hosts with a source port of 0. Does this not indicate that it probably isn't a reporting artifact?

Maybe I need to set up collectors and SPAN ports on all the switches involved to get to the bottom of this. Just feeling like we need to look at *all* the packets, not the sample!

Regards,

MH

________________________________________
From: NANOG <nanog-bounces () nanog org> on behalf of Roland Dobbins <rdobbins () arbor net>
Sent: 17 June 2015 10:07
To: nanog () nanog org
Subject: Re: Flows with destination port 0 and TCP SYN flag set

On 17 Jun 2015, at 10:44, Maqbool Hashim wrote:

> It was stated in that thread that netflow reports source/dest port 0
> for non-initial fragments.

Fragmentation in this context only applies to UDP packets.

If the destination of a TCP SYN is being reported as 0 (what's the
source port?), either it's a reporting artifact of some kind or in fact
a SYN destined to TCP/0 (we see this with SYN-floods, sometimes, as well
as with attacks attempting to bypass ACL/firewall rules and related to
compromise).

-----------------------------------
Roland Dobbins <rdobbins () arbor net>
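The triage the two messages above describe (separating port-0 flow records that are a fragmentation reporting artifact from real TCP SYNs to port 0, and using the ACK/RST replies with source port 0 as corroboration) can be scripted over exported flow records. The following is an added example, not code from either poster or from any flow collector: it parses a constructed CSV-style record set, classifies each record, and pairs SYN-to-port-0 flows with reverse-direction ACK/RST-from-port-0 flows. The column layout, the hypothetical `frag` column (1 for a non-initial fragment), and the hex `flags` column are assumptions about the export format; the IP addresses are constructed.

```python
"""Triage port-0 flow records: fragment artifact vs real TCP/0 traffic."""
from dataclasses import dataclass
from collections import Counter

# TCP flag bits as carried in the cumulative tcp_flags field of NetFlow v5/v9.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP, UDP = 6, 17

# Constructed sample export (assumed layout):
# src,dst,proto,sport,dport,flags(hex),frag,packets
SAMPLE = """\
10.0.0.5,10.0.1.20,6,42628,0,0x02,0,1
10.0.0.5,10.0.1.20,6,42927,0,0x02,0,1
10.0.1.20,10.0.0.5,6,0,42628,0x14,0,1
10.0.0.9,10.0.1.21,17,0,0,0x00,1,3
10.0.0.5,10.0.1.20,6,39050,443,0x1a,0,20
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: int   # cumulative TCP flags; 0 for UDP
    frag: int    # hypothetical exporter field: 1 = non-initial fragment
    packets: int


def parse_flows(text):
    """Parse the assumed CSV layout into Flow objects, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, flags, frag, pkts = line.split(",")
        flows.append(Flow(src, dst, int(proto), int(sport), int(dport),
                          int(flags, 16), int(frag), int(pkts)))
    return flows


def classify(flow):
    """Label one record according to the reasoning in the thread."""
    port0 = flow.sport == 0 or flow.dport == 0
    if not port0:
        return "normal"
    # Non-initial fragments carry no L4 header, so the exporter fills in 0.
    if flow.proto == UDP and flow.frag:
        return "udp-fragment-artifact"
    if flow.proto == TCP:
        if flow.dport == 0 and flow.flags & SYN:
            return "tcp-syn-to-port-0"          # a SYN really aimed at TCP/0
        if flow.sport == 0 and flow.flags & (ACK | RST) == (ACK | RST):
            return "tcp-rst-from-port-0"        # the reply side of the above
        return "tcp-port-0-other"
    return "port-0-unexplained"


def triage(text):
    """Count records per category for a quick overview of an export."""
    return Counter(classify(f) for f in parse_flows(text))


def corroborated_pairs(text):
    """(src, dst) pairs where a SYN to port 0 has a matching ACK/RST from
    port 0 in the reverse direction: evidence the port 0 was on the wire,
    not just a reporting artifact."""
    syns, rsts = set(), set()
    for f in parse_flows(text):
        label = classify(f)
        if label == "tcp-syn-to-port-0":
            syns.add((f.src, f.dst))
        elif label == "tcp-rst-from-port-0":
            rsts.add((f.dst, f.src))   # flip so it lines up with the SYN side
    return syns & rsts


if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE).items()):
        print(f"{label:25s} {n}")
    print("corroborated:", corroborated_pairs(SAMPLE))
```

With sampled flow export the reverse-direction record may simply be missing from the sample, so an empty corroboration set is inconclusive; a non-empty one, as in the poster's case, argues against a pure reporting artifact and for looking at the full packets.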
