[181125] in North American Network Operators' Group


Re: Flows with destination port 0 and TCP SYN flag set

daemon@ATHENA.MIT.EDU (Maqbool Hashim)
Wed Jun 17 05:37:41 2015

X-Original-To: nanog@nanog.org
From: Maqbool Hashim <maqbool@madbull.info>
To: Marcin Cieslak <saper@saper.info>
Date: Wed, 17 Jun 2015 09:34:46 +0000
In-Reply-To: <alpine.BSF.2.11.1506170928530.7491@z.fncre.vasb>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Hi,

The destination host is sending an ACK+RST with the source port set to zero.
The destination IP is always one of the two hosts that are generating the
SYN packets with a destination port of 0.  The destination port however is
hard to match up to a source port in the original SYN packet due to the fact
that we don't have all the packets.

It's actually going to be difficult to get the access and procedural sign
off etc. to run tcpdump on the machines involved.  What might be easier is
to set up a span port for the host's access port on the switch and grab that
via the collector laptop I have.

Thanks,

MH

________________________________________
From: Marcin Cieslak <saper@saper.info>
Sent: 17 June 2015 10:30
To: Maqbool Hashim
Cc: nanog@nanog.org
Subject: Re: Flows with destination port 0 and TCP SYN flag set

On Wed, 17 Jun 2015, Maqbool Hashim wrote:

> It is always the same destination servers and in normal operations
> these source and destination hosts do have a bunch of legitimate flows
> between them.  I was leaning towards it being a reporting artifact,
> but it's interesting that there are a whole set of Ack Reset packets
> from the destination hosts with a source port of 0 also.

So the destination host is sending ACK+RST with the *source* port
set to zero, or the *destination* port?

> Does this not indicate that it probably isn't a reporting artifact?

I would just tcpdump on one of the source machines to find out.

~Marcin
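The matching problem raised in the thread (pairing a SYN sent to TCP port 0 with the ACK+RST the target returns from source port 0, with packets missing from the export) as an added example; this is not code from either poster. The flow records and the simplified NetFlow-style tuple shape are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records, not from the thread. Shape:
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# Flags use the usual letters: S=SYN, A=ACK, R=RST, F=FIN, P=PSH.
SAMPLE_FLOWS = [
    (100.0, "10.0.1.10", 51234, "10.0.2.5",  0,     "S"),
    (100.1, "10.0.2.5",  0,     "10.0.1.10", 51234, "AR"),  # reply to the SYN above
    (101.0, "10.0.1.11", 40001, "10.0.2.6",  0,     "S"),
    (105.0, "10.0.2.6",  0,     "10.0.1.11", 40001, "AR"),  # too late to be paired
    (102.0, "10.0.1.10", 51235, "10.0.2.5",  443,   "SA"),  # normal flow, ignored
    (103.0, "10.0.2.5",  0,     "10.0.1.12", 6000,  "AR"),  # no matching SYN exported
]


def correlate_port0_flows(flows, window=2.0):
    """Pair SYN flows to dst port 0 with ACK+RST flows from src port 0.

    A reply matches a SYN when its (dst_ip, dst_port, src_ip) equals the
    SYN's (src_ip, src_port, dst_ip) and it arrives within `window` seconds.
    Returns (pairs, unmatched_syns, unmatched_rsts); the two unmatched lists
    are where the exported data is incomplete, which is the situation the
    thread describes.
    """
    syns = [f for f in flows if "S" in f[5] and f[4] == 0]
    rsts = [f for f in flows if "A" in f[5] and "R" in f[5] and f[2] == 0]

    # Index candidate replies by the reversed 3-tuple they would carry.
    by_key = defaultdict(list)
    for i, r in enumerate(rsts):
        by_key[(r[3], r[4], r[1])].append(i)

    pairs, used_rsts, used_syns = [], set(), set()
    for si, s in sorted(enumerate(syns), key=lambda x: x[1][0]):
        for ri in by_key.get((s[1], s[2], s[3]), []):
            if ri not in used_rsts and 0 <= rsts[ri][0] - s[0] <= window:
                pairs.append((s, rsts[ri]))
                used_rsts.add(ri)
                used_syns.add(si)
                break

    unmatched_syns = [s for i, s in enumerate(syns) if i not in used_syns]
    unmatched_rsts = [r for i, r in enumerate(rsts) if i not in used_rsts]
    return pairs, unmatched_syns, unmatched_rsts


if __name__ == "__main__":
    paired, lone_syns, lone_rsts = correlate_port0_flows(SAMPLE_FLOWS)
    print(f"paired={len(paired)} unmatched SYN={len(lone_syns)} unmatched RST={len(lone_rsts)}")
```

A high share of unmatched records on either side is the signal that the collector is missing packets rather than that the port-0 flows are a reporting artifact.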