[181123] in North American Network Operators' Group
Re: Flows with destination port 0 and TCP SYN flag set
daemon@ATHENA.MIT.EDU (Marcin Cieslak)
Wed Jun 17 05:30:54 2015
Date: Wed, 17 Jun 2015 09:30:47 +0000
From: Marcin Cieslak <saper@saper.info>
To: Maqbool Hashim <maqbool@madbull.info>
In-Reply-To: <HE1PR02MB073286C33FD185A3D825BA90D6A60@HE1PR02MB0732.eurprd02.prod.outlook.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
On Wed, 17 Jun 2015, Maqbool Hashim wrote:

> It is always the same destination servers and in normal operations
> these source and destination hosts do have a bunch of legitimate flows
> between them. I was leaning towards it being a reporting artifact,
> but it's interesting that there are a whole set of Ack Reset packets
> from the destination hosts with a source port of 0 also.

So the destination host is sending ACK+RST with the *source* port
set to zero, or the *destination* port?

> Does this not indicate that it probably isn't a reporting artifact?

I would just tcpdump on one of the source machines to find out.

~Marcin
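
An added example, not part of the original message: once a capture from one of the source machines has been saved to a file, this reads it and lists every TCP segment that really carries port 0 on the wire, showing which side (source or destination) is zero and which flags are set. It assumes a classic little-endian pcap with Ethernet link type; the function names and the 192.0.2.x sample traffic are constructed for illustration.

```python
import socket
import struct

FLAG_NAMES = ((0x02, "SYN"), (0x10, "ACK"), (0x04, "RST"), (0x01, "FIN"))

def tcp_port0(frame):
    """Return (src, sport, dst, dport, flags) if an Ethernet/IPv4/TCP frame uses port 0."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                       # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    frag = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ip[9] != 6 or frag or len(ip) < ihl + 14:
        return None                       # not TCP, or a later fragment with no TCP header
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if sport and dport:
        return None                       # both ports non-zero: ordinary segment
    flags = "+".join(name for bit, name in FLAG_NAMES if ip[ihl + 13] & bit)
    return (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, flags)

def scan_pcap(data):
    """Walk a classic little-endian Ethernet pcap and list the port-0 TCP segments."""
    if data[:4] != b"\xd4\xc3\xb2\xa1" or struct.unpack("<I", data[20:24])[0] != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    hits, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<I", data[off + 8:off + 12])[0]
        if hit := tcp_port0(data[off + 16:off + 16 + caplen]):
            hits.append(hit)
        off += 16 + caplen
    return hits

def sample_frame(src, dst, sport, dport, flags):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + tcp

def sample_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: SYN to port 0, ACK+RST back from port 0, one ordinary SYN.
SAMPLE = sample_pcap([sample_frame("192.0.2.10", "192.0.2.20", 40000, 0, 0x02),
                      sample_frame("192.0.2.20", "192.0.2.10", 0, 40000, 0x14),
                      sample_frame("192.0.2.10", "192.0.2.20", 40001, 443, 0x02)])
print(*scan_pcap(SAMPLE), sep="\n")
```

An empty result on a capture taken while the flow collector is still reporting port-0 flows points to the exporter rather than the hosts.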