Because there are unique ICMP types. They needed it to work out somehow. Otherwise the information would be useless for ICMP.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, July 14, 2010 4:55 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] netflow O/P for icmp and other non tcp/udp

Correct Tyson. I was wondering why for ICMP alone which doesn't have source port/destination, the IOS is using Type value...

With regards
Kings

On Tue, Jul 13, 2010 at 9:46 PM, Tyson Scott <[email protected]> wrote:

Other IP protocols will never have a source destination port because there is no concept of it. That is why ESP is not supported by NAT/PAT and you need to enable NAT-T so that it will run over port 4500.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

From: Kingsley Charles [mailto:[email protected]]
Sent: Tuesday, July 13, 2010 11:16 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] netflow O/P for icmp and other non tcp/udp

True Tyson but what about other protocols like ESP, AH, GRE...

Please have a look below, for GRE sport/dport is 0000/0000

router#sh ip cache flow
IP packet size distribution (122557 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .380 .247 .057 .142 .062 .050 .059 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  18 active, 4078 inactive, 62336 added
  1123004 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
  36 active, 988 inactive, 78289 added, 62234 added to flow
  0 alloc failures, 0 force free
  1 chunk, 2 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet         129      0.0        87    41      0.0      21.5      14.1
TCP-FTP             19      0.0         1    60      0.0       0.0      15.3
TCP-WWW             19      0.0         3    50      0.0       0.2       1.5
TCP-other          135      0.0         1    66      0.0       0.0      15.5
UDP-DNS          35976      0.0         1    83      0.0       0.0      15.4
UDP-TFTP          3119      0.0         7    49      0.0      29.5      15.4
UDP-other        10392      0.0         3   138      0.0       2.2      15.4
ICMP             12527      0.0         1   152      0.0       1.5      15.0
GRE                  1      0.0        10   124      0.0       0.8      15.4
IP-other             1      0.0         4    40      0.0       0.0      15.9
Total:           62318      0.1         1    98      0.2       2.2      15.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         10.20.30.41     Local         10.20.30.42     2F 0000 0000     5

With regards
Kings

On Tue, Jul 13, 2010 at 8:14 PM, Tyson Scott <[email protected]> wrote:

The destination port is the ICMP type.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, July 13, 2010 8:15 AM
To: [email protected]
Subject: [OSL | CCIE_Security] netflow O/P for icmp and other non tcp/udp

Hi all

What will be the source and destination port for non-TCP/UDP flows?

For instance, if you look below - first O/P is for ICMP request and the second O/P is for ICMP reply.

router2#sh ip cache flow
IP packet size distribution (117476 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .366 .252 .056 .145 .064 .052 .060 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  2 active, 4094 inactive, 59946 added
  1080909 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
  4 active, 1020 inactive, 73509 added, 59844 added to flow
  0 alloc failures, 0 force free
  1 chunk, 2 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet         111      0.0        90    41      0.0      22.5      14.0
TCP-FTP             19      0.0         1    60      0.0       0.0      15.3
TCP-WWW             19      0.0         3    50      0.0       0.2       1.5
TCP-other          134      0.0         1    66      0.0       0.0      15.5
UDP-DNS          34112      0.0         1    84      0.0       0.0      15.4
UDP-TFTP          3051      0.0         7    49      0.0      29.8      15.4
UDP-other         9979      0.0         3   138      0.0       2.1      15.4
ICMP             12519      0.0         1   152      0.0       1.5      15.0
Total:           59944      0.1         1    99      0.2       2.2      15.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         10.20.30.41     Local         10.20.30.42     01 0000 0800    15

router2#ping 10.20.30.41

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.30.41, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

router2#sh ip cache flow
IP packet size distribution (117497 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .366 .252 .056 .145 .064 .052 .060 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  5 active, 4091 inactive, 59950 added
  1080960 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
  10 active, 1014 inactive, 73517 added, 59848 added to flow
  0 alloc failures, 0 force free
  1 chunk, 2 chunks added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet         111      0.0        90    41      0.0      22.5      14.0
TCP-FTP             19      0.0         1    60      0.0       0.0      15.3
TCP-WWW             19      0.0         3    50      0.0       0.2       1.5
TCP-other          134      0.0         1    66      0.0       0.0      15.5
UDP-DNS          34112      0.0         1    84      0.0       0.0      15.4
UDP-TFTP          3051      0.0         7    49      0.0      29.8      15.4
UDP-other         9979      0.0         3   138      0.0       2.1      15.4
ICMP             12520      0.0         1   152      0.0       1.5      15.0
Total:           59945      0.1         1    99      0.2       2.2      15.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         10.20.30.41     Local         10.20.30.42     01 0000 0000    15

With regards
Kings
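
The field reading discussed in this thread, as an added example that is not part of the original messages: a small Python decoder for the flow rows of "show ip cache flow" that treats SrcP/DstP as ports only for TCP and UDP and reads the ICMP type out of DstP. The function names, the ICMP name table, the last sample row, and the reading of the low DstP byte as the ICMP code are assumptions of this example.

```python
import re

# Pr column is the IP protocol number in hex (01 = ICMP and 2F = GRE appear in the thread).
PROTOCOLS = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP", 0x2F: "GRE", 0x32: "ESP", 0x33: "AH"}
PORT_BASED = {0x06, 0x11}          # only TCP and UDP carry real port numbers
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 5: "redirect",
              8: "echo-request", 11: "time-exceeded"}

# Columns: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
FLOW_ROW = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<srcp>[0-9A-Fa-f]{4})\s+(?P<dstp>[0-9A-Fa-f]{4})\s+(?P<pkts>\S+)$")

# First three rows are the flow entries shown in the thread; the last is constructed.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         10.20.30.41     Local         10.20.30.42     01 0000 0800    15
Gi0/1         10.20.30.41     Local         10.20.30.42     01 0000 0000    15
Gi0/1         10.20.30.41     Local         10.20.30.42     2F 0000 0000     5
Gi0/1         10.20.30.41     Local         10.20.30.42     06 C350 0017     9
"""

def decode_flow_row(line):
    """Return a dict for one flow-cache row, or None for any other line."""
    m = FLOW_ROW.match(line.strip())
    if m is None:
        return None
    proto = int(m["pr"], 16)
    srcp, dstp = int(m["srcp"], 16), int(m["dstp"], 16)
    flow = {"src": m["src"], "dst": m["dst"], "pkts": m["pkts"],
            "proto": PROTOCOLS.get(proto, f"ip-proto-{proto}")}
    if proto in PORT_BASED:
        flow["src_port"], flow["dst_port"] = srcp, dstp
    elif proto == 0x01:
        # DstP holds the ICMP type in the high byte; low byte assumed to be the code.
        flow["icmp_type"], flow["icmp_code"] = dstp >> 8, dstp & 0xFF
        flow["icmp_name"] = ICMP_TYPES.get(flow["icmp_type"], "other")
    # GRE, ESP, AH and the rest have no port concept: 0000/0000 is left undecoded.
    return flow

def decode_output(text):
    return [f for f in map(decode_flow_row, text.splitlines()) if f is not None]

if __name__ == "__main__":
    for flow in decode_output(SAMPLE):
        print(flow)
```

Statistics and header lines of the command output do not match the row pattern and are skipped, so the whole output can be passed to decode_output unchanged.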
