Mark Milhollan
Sent: 17 June 2015 15:05
To: NANOG list
Subject: Re: Fkiws with destination port 0 and TCP SYN flag set
On Wed, 17 Jun 2015, Maqbool Hashim wrote:
>Finally I don't see how it could be, but be interested to hear people's
>thoughts, no legitimate application could be generating this traffic
>could it? I mean I don't see what use an application could make of
>such a TCP conversation. Discarding net
On 17 Jun 2015, at 13:56, Maqbool Hashim wrote:
Any advice on this aspect would be great, unless considered off topic.
NANOG isn't really the right alias for this sort of thing.
TCP port-scanning on TCP/0 is a common reconnaissance mechanism.
Suggest you take this to a more appropriate alia
bunch of reset + ack packets being received from the destination hosts.
Regards,
MH
From: NANOG on behalf of Maqbool
Hashim
Sent: 17 June 2015 10:54
To: Roland Dobbins; nanog@nanog.org
Subject: Re: Fkiws with destination port 0 and TCP SYN flag set
Agre
RSPAN support on these switches
and no netflow :(
From: NANOG on behalf of Roland Dobbins
Sent: 17 June 2015 10:44
To: nanog@nanog.org
Subject: Re: Fkiws with destination port 0 and TCP SYN flag set
On 17 Jun 2015, at 11:34, Maqbool Hashim wrote:
> W
rt in the original SYN packet due to the fact
>> that we don't have all the packets.
>>
>> It's actually going to be difficult to get the access and procedural sign
>> off etc. to run tcpdump on the machines involved. What might be easier is
>> to set u
Hmm, no flags set in your output though?
From: Pavel Odintsov
Sent: 17 June 2015 10:44
To: Maqbool Hashim
Cc: Marcin Cieslak; nanog@nanog.org
Subject: Re: Fkiws with destination port 0 and TCP SYN flag set
Hello!
Looks like it's silly hping3 flood
On 17 Jun 2015, at 11:34, Maqbool Hashim wrote:
What might be easier is to set up a span port for the hosts access
port on the switch and grab that via the collector laptop I have.
It's better to collect as much information you have without perturbing
the systems involved, anyways.
---
collector laptop I have.
Thanks,
MH
From: Marcin Cieslak
Sent: 17 June 2015 10:30
To: Maqbool Hashim
Cc: nanog@nanog.org
Subject: Re: Fkiws with destination port 0 and TCP SYN flag set
On Wed, 17 Jun 2015, Maqbool Hashim wrote:
> It is always the sam
On 17 Jun 2015, at 11:23, Maqbool Hashim wrote:
Maybe I need to set up collectors and span ports on all the switches
involved to get to the bottom of this. Just feeling like we need to
look at *all* the packets not the sample!
Concur 100%.
---
Roland Dobbins
On Wed, 17 Jun 2015, Maqbool Hashim wrote:
> It is always the same destination servers and in normal operations
> these source and destination hosts do have a bunch of legitimate flows
> between them. I was leaning towards it being a reporting artifact,
> but it's interesting that there are a who
!
Regards,
MH
From: NANOG on behalf of Roland Dobbins
Sent: 17 June 2015 10:07
To: nanog@nanog.org
Subject: Re: Fkiws with destination port 0 and TCP SYN flag set
On 17 Jun 2015, at 10:44, Maqbool Hashim wrote:
It was stated in that thread that netflow reports source/dest port 0
for non-initial fragments.
Fragmentation in this context only applies to UDP packets.
If the destination of a TCP SYN is being reported as 0 (what's the
source port?), either