Craig Macdonald wrote:
> If the port number is random, try looking at the port number
> for the other port. ie Destination port. Your 1st and 2nd
> reports look identical to me - the converse one would be more
> interesting. Does the other end destination IP address vary?

Yes - the IP the traffic originates from is always different. Here is the
destination port report for 02/08 and 10/08 (the two days last month where
the anomaly occurred):

# ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ | ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet| ./flow-stat -f5 -S2|more
#  --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   Descending Field 2
# Name:      UDP/TCP destination port
#
# Args:      ./flow-stat -f5 -S2
#
#
# port   flows   octets       packets
#
445     793     4295114888   1487
1392    16      81406        324
1321    1       64277        112
1357    2       63607        139

# ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-10/ | ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet| ./flow-stat -f5 -S2|more
#  --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   Descending Field 2
# Name:      UDP/TCP destination port
#
# Args:      ./flow-stat -f5 -S2
#
#
# port   flows   octets       packets
#
3370    23      4294979685   71
1161    2       2101542      1469
1171    1       1921981      1339

The port 445 could be virus-related, but 10/08 is 3370.

>
> You can identify p2p traffic by many flows on p2p-ish ports,
> eg many flows on 6346, 6347, 6348 etc. To investigate an
> interesting internal client, I normally look to see what
> *destination* ports traffic coming *from* it has.

I originally thought it had to be P2P or virus-related.... but now I'm not
so sure.

Thanks for the info.

Regards,
MB

>
> Craig Macdonald
> [EMAIL PROTECTED]
>
> On Fri, 10 Sep 2004, Michael Bellears wrote:
>
>> We have a DSL client who occasionally (2 days a month) has 4G worth
>> of downloads.
>>
>> Looking at the traffic for the affected days, I am seeing the
>> following...
>>
>> Port is always random:
>>
>> ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ |
>> ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet |
>> ./flow-stat -f6 -S2|more
>> #  --- ---- ---- Report Information --- --- ---
>> #
>> # Fields:    Total
>> # Symbols:   Disabled
>> # Sorting:   Descending Field 2
>> # Name:      UDP/TCP source port
>> #
>> # Args:      ./flow-stat -f6 -S2
>> #
>> #
>> # port   flows   octets       packets
>> #
>> 3233    2       4294967446   3
>> 80      180     784671       1364
>>
>> Flows + Packets are always very minimal, but Octets large:
>>
>> # ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ |
>> ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet|
>> ./flow-stat -f6 -S2|more
>> #  --- ---- ---- Report Information --- --- ---
>> #
>> # Fields:    Total
>> # Symbols:   Disabled
>> # Sorting:   Descending Field 2
>> # Name:      UDP/TCP source port
>> #
>> # Args:      ./flow-stat -f6 -S2
>> #
>> #
>> # port   flows   octets       packets
>> #
>> 3233    2       4294967446   3
>> 80      180     784671       1364
>>
>> Always protocol 6:
>>
>> ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ |
>> ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet|
>> ./flow-stat -f12|more
>> #  --- ---- ---- Report Information --- --- ---
>> #
>> # Fields:    Total
>> # Symbols:   Disabled
>> # Sorting:   None
>> # Name:      IP protocol
>> #
>> # Args:      ./flow-stat -f12
>> #
>> #
>> # protocol   flows   octets       packets
>> #
>> 50      1       1152         8
>> 17      282     101586       325
>> 6       1746    4296584503   6246
>> 1       75      4514         83
>>
>> Always from a single IP (this IP is different every time):
>>
>> # ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ |
>> ./flow-stat -f10 -S3 |grep 203.149.69.54|more
>> 66.183.10.168   203.149.69.54   2   4294967446   3
>>
>> Anyone have any idea what could cause this type of traffic?
>>
>> Regards,
>> MB
>>
>> _______________________________________________
>> Flow-tools mailing list
>> [EMAIL PROTECTED]
>> http://mailman.splintered.net/mailman/listinfo/flow-tools
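Every report in the thread has the same shape: a key column (port, protocol or address pair), then flows, octets and packets. As an added example, not from the thread and not part of flow-tools, the script below parses that shape (the sample report text is constructed from the figures quoted above) and flags rows whose octets-per-packet ratio exceeds the 65535-byte IPv4 maximum, which no genuine transfer can produce, so an analyst can separate an accounting or export artefact from a real 4G download before treating the client as a P2P or malware source. It also notes totals that sit above the 32-bit boundary of the NetFlow v5 counters; the constants and function names are the example's own.

```python
"""Sanity-check flow-stat "key flows octets packets" reports.

Added example (not flow-tools code): flag rows whose bytes-per-packet
ratio is physically impossible, which points at an accounting artefact
rather than a real transfer.
"""
MAX_IP_DATAGRAM = 65535   # IPv4 total-length field is 16 bits
COUNTER_LIMIT = 2 ** 32   # NetFlow v5 dOctets/dPkts are 32-bit counters

# Constructed sample in the shape of `flow-stat -f6 -S2` output; the two
# data rows reuse the figures quoted in the thread.
SAMPLE_REPORT = """\
#  --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   Descending Field 2
# Name:      UDP/TCP source port
#
# Args:      ./flow-stat -f6 -S2
#
#
# port   flows   octets   packets
#
3233    2       4294967446   3
80      180     784671       1364
"""


def parse_report(text):
    """Return [(key, flows, octets, packets), ...], ignoring '#' and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            continue                      # not a key/flows/octets/packets row
        key, flows, octets, packets = fields
        rows.append((key, int(flows), int(octets), int(packets)))
    return rows


def classify(row):
    """'plausible', 'impossible' (more bytes per packet than IP allows) or 'empty'."""
    _key, _flows, octets, packets = row
    if packets == 0:
        return "empty"
    if octets / packets > MAX_IP_DATAGRAM:
        return "impossible"
    return "plausible"


def over_32bit(octets):
    """Bytes above the 32-bit counter boundary, or None if the total fits.

    4294967446 -> 150: a hint that the total is an overflowed or corrupt
    counter rather than 4 GB of real data.
    """
    return octets - COUNTER_LIMIT if octets >= COUNTER_LIMIT else None


def audit(text):
    """Map each key to its verdict and total the bytes of plausible rows only."""
    verdicts = {}
    real_octets = 0
    for row in parse_report(text):
        verdict = classify(row)
        verdicts[row[0]] = verdict
        if verdict == "plausible":
            real_octets += row[2]
    return verdicts, real_octets


if __name__ == "__main__":
    for row in parse_report(SAMPLE_REPORT):
        key, flows, octets, packets = row
        print(f"port {key:>5}: {classify(row):10s} "
              f"{octets / max(packets, 1):.0f} B/pkt, "
              f"over 32-bit by {over_32bit(octets)}")
    print("plausible bytes:", audit(SAMPLE_REPORT)[1])
```

The same parser covers the `-f5` and `-f12` reports in the thread because they share the four-column layout; the `-f10` address-pair report has five columns and would need the key widened to two fields. Running the audit before chasing ports is the cheap check here: a row claiming 4294967446 octets across 3 packets works out to over 1.4 GB per packet, so whatever the client was doing, that number is not a measurement of it.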
