[181120] in North American Network Operators' Group
Flows with destination port 0 and TCP SYN flag set
daemon@ATHENA.MIT.EDU (Maqbool Hashim)
Wed Jun 17 04:44:40 2015
X-Original-To: nanog@nanog.org
From: Maqbool Hashim <maqbool@madbull.info>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 17 Jun 2015 08:44:34 +0000
Errors-To: nanog-bounces@nanog.org
Hi,
I am doing some flow analysis within our network, primarily for understanding application flows to aid in network segregation activity and mainly to understand what is going on inside the network. To do this I have been using netflow where the switches/firewalls support it. In some cases I have used a monitor port and fed full packet capture into the nfdump toolset for conversion into flows.
There is a portion of our network where the switches only support sflow, which is not ideal, but hopefully I will be able to gather enough data over time to be useful. One of the things I was trying to identify was flow initiation, i.e. the client and server in the flow, so I filtered for TCP packets with the SYN flag set.
It was at this point that I saw TCP SYN packets with a destination port of 0. I have seen this discussed before in this thread: http://www.gossamer-threads.com/lists/nanog/users/155141
It was stated in that thread that netflow reports source/dest port 0 for non-initial fragments. My question is: is this what I am seeing here, so any SYN packet with dest port 0 is a non-initial fragment seen by the tool? Therefore should I always see a corresponding response with the Ack and Reset flags set? I do see a set of flows with R and A set with a source port of 0; all the dest port 0 flows have the SYN flag set, but it's hard to find ones that match a SYN packet due to only receiving a sample of flows.
Some notes on the setup:
Capture is from inside one VLAN
Switches are sending sflow back to analysis tools, sampling rate of 1/1024 packets
Using nfdump suite of tools for analysis, sfcapd as the collector
Thinking about this, is what I am seeing a symptom of the fact that the tools don't see all packets, i.e. the tools don't see the initial fragment due to sampling? However, I still don't quite understand it appearing with the SYN flag set.
I am starting to think that for these purposes I might be better off abandoning sflow and going with setting up collectors on the switches to get full flow information for my purposes.
Any clarification/input much appreciated.
Regards
MH
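Added example (not part of the original post or of nfdump/sfcapd): a small Python model of the mechanism the referenced thread describes, showing why a flow exporter can only report port 0 for a non-initial fragment (the TCP header is absent), a check that pulls out records which claim dst port 0 and SYN at the same time, and the sampling arithmetic behind why matching SYN/RST-ACK pairs are rare at 1/1024. Packet bytes, record tuples and helper names are constructed for the example.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
TCP = 6

def build_ipv4(src, dst, proto, frag_off, more_frags, payload):
    """Constructed IPv4 datagram (checksum left 0); frag_off is in 8-byte units."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_frag, 64, proto, 0, src, dst) + payload

def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header: seq, ack, data offset 5, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

def l4_from_ipv4(raw):
    """What an exporter can honestly report for one packet: (proto, sport, dport, tcp_flags).
    Only the first fragment (offset 0) carries the TCP header; any later fragment has
    no ports and no flags, which is why such packets surface as port 0 in flow tools."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (flags_frag & 0x1FFF) != 0 or proto != TCP:
        return proto, 0, 0, None           # non-initial fragment or not TCP: nothing to read
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return proto, sport, dport, raw[ihl + 13]   # flags byte sits at offset 13 of the TCP header

def port0_with_syn(records):
    """Flow records (proto, sport, dport, flags) that claim dst port 0 *and* SYN.
    Under the non-initial-fragment explanation no TCP header was seen, so flags should
    be absent; these are the records worth checking against a raw capture."""
    return [r for r in records if r[0] == TCP and r[2] == 0 and r[3] is not None and r[3] & SYN]

def p_both_directions_sampled(rate):
    """Chance that 1-in-N packet sampling catches both the SYN and its RST/ACK reply
    (assumes each packet is sampled independently)."""
    return rate * rate

# Constructed inputs: a SYN carried in a first fragment, then a later fragment of the same datagram.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLE_SYN = build_ipv4(SRC, DST, TCP, 0, True, build_tcp(40000, 443, SYN) + b"\x00" * 8)
SAMPLE_FRAGMENT = build_ipv4(SRC, DST, TCP, 4, False, b"\x00" * 16)
# Constructed nfdump-style records in the shape the post describes.
SAMPLE_RECORDS = [(TCP, 51000, 0, SYN), (TCP, 0, 52000, RST | ACK), (TCP, 0, 0, None), (17, 0, 0, None)]

if __name__ == "__main__":
    print(l4_from_ipv4(SAMPLE_SYN), l4_from_ipv4(SAMPLE_FRAGMENT))
    print(port0_with_syn(SAMPLE_RECORDS), p_both_directions_sampled(1 / 1024))
```

A record with port 0 and a SYN bit is inconsistent with the fragment explanation alone, so it is the kind of record to compare against full packet capture from the monitor port rather than against more sampled flows.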