On Feb 02, "Dustin" wrote:
> This may have been discussed, but I don't find any results in the archives.
> We are troubleshooting some performance issues, have Cisco routers, and
> just started using flow-tools to capture data. I've issued flow-stat
> with the following args:
>
> flow-stat -f5 -p -S2
>
> # port    flows   octets     packets
> #
> 0         425     68968722   51238
> 445       10886   51125320   372789
> 1494      710     26667144   524757
> 31889     1800    21081243   50199
> 3905      101     20985596   19102
>
> As you can see, most of the traffic is generated with a lower number of
> sessions & packets, but w/ a higher amount of data. We would like to know
> exactly what this traffic is. Why is the majority of traffic lumped into
> "port 0"?

Non-TCP/UDP stuff would show up as port 0. (ICMP type and code are encoded in
the port field.) Why don't you try doing a flow-print -f 5 to see what the 0
port stuff is... hopefully that will tell you if it's malicious or benign.

Mike

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
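An added example (not from the thread or from flow-tools itself) of the check Mike suggests: aggregate flow records by destination port the way flow-stat -f5 does, then break the "port 0" bucket down by protocol, decoding ICMP type/code from the port field the way NetFlow-style exporters store it ((type << 8) | code). The record tuples, sample values and protocol labels are constructed assumptions, not data from the post.

```python
from collections import defaultdict

# IANA protocol numbers used below.
ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50
PROTO_NAMES = {ICMP: "icmp", TCP: "tcp", UDP: "udp", GRE: "gre", ESP: "esp"}

# Constructed records: (protocol, destination port, octets, packets).
# Assumption: port fields are 0 for protocols without ports, and ICMP
# flows carry (type << 8) | code in the destination port field.
SAMPLE_FLOWS = [
    (TCP, 445, 5000, 40),        # SMB
    (TCP, 445, 7000, 60),
    (UDP, 53, 300, 2),           # DNS
    (GRE, 0, 1500000, 1200),     # tunnel payload, no port concept
    (ESP, 0, 800000, 700),       # IPsec, no port concept
    (ICMP, 0, 6400, 100),        # echo reply: type 0, code 0 -> 0
    (ICMP, 2048, 6400, 100),     # echo request: type 8, code 0 -> 8 << 8
    (ICMP, 771, 560, 10),        # dest unreachable / port unreachable: 3 << 8 | 3
]

def port_report(flows):
    """Like 'flow-stat -f5': rows of (port, flows, octets, packets), octets descending."""
    totals = defaultdict(lambda: [0, 0, 0])
    for _proto, port, octets, packets in flows:
        t = totals[port]
        t[0] += 1
        t[1] += octets
        t[2] += packets
    return sorted(((p, *v) for p, v in totals.items()), key=lambda r: r[2], reverse=True)

def describe(proto, port):
    """Label a (protocol, dst port) pair, decoding ICMP type/code from the port."""
    name = PROTO_NAMES.get(proto, f"proto{proto}")
    if proto == ICMP:
        return f"icmp type {port >> 8} code {port & 0xFF}"
    if proto in (TCP, UDP):
        return f"{name}/{port}"
    return f"{name} (no ports)"

def explain_port_zero(flows):
    """Break the port-0 bucket down by protocol: label -> (flows, octets)."""
    out = defaultdict(lambda: [0, 0])
    for proto, port, octets, _packets in flows:
        if port == 0:
            out[describe(proto, port)][0] += 1
            out[describe(proto, port)][1] += octets
    return {k: tuple(v) for k, v in out.items()}

if __name__ == "__main__":
    print("# port flows octets packets")
    for port, n, octets, packets in port_report(SAMPLE_FLOWS):
        print(f"{port:<7}{n:<6}{octets:<10}{packets}")
    for label, (n, octets) in explain_port_zero(SAMPLE_FLOWS).items():
        print(f"port 0 <- {label}: {n} flows, {octets} octets")
```

Run against real flow-print output, the same breakdown shows whether a large port 0 bucket is tunnel traffic (GRE/ESP), ICMP, or something else worth a closer look.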
