BTW: Here's an example frag causing port 0...
startime      srcip      srcp  dstip      dstp  pro  pkts
17:01:18.307  1.1.69.40  0     2.2.16.61  0     6    4
17:01:18.187  1.1.69.40  2969  2.2.16.61  25    6    18
17:01:18.188  2.2.16.61  25    1.1.69.40  2969  6    18
This is an SMTP flow that started a new flow at t.187 then a second frag
flow at t.307.
.40 was the client, so I would suspect that a large email was sent, which caused the
need for larger packets and ultimately the need for fragmentation.
Look through your flow logs with something like:
flow-cat ft* | flow-print -f 5 | awk '{if(($5==0 && $8==0 && $9==6)) print $0}'
Any output you get should be a fragged TCP packet else an actual TCP flow on
port 0 (which can happen, it's just rare).
On 2/2/05 12:21 PM, "Dustin" <[EMAIL PROTECTED]> wrote:
> Hello,
>
> This may have been discussed, but I don't find any results in the archives.
>
> We are troubleshooting some performance issues, have Cisco routers, and just
> started using flow-tools to capture data. I've issued flowstat with the
> following args:
>
> flow-stat -f5 -p -S2
>
> # port   flows   octets     packets
> #
> 0        425     68968722   51238
> 445      10886   51125320   372789
> 1494     710     26667144   524757
> 31889    1800    21081243   50199
> 3905     101     20985596   19102
>
> As you can see, most of the traffic is generated with a lower number of sessions
> & packets, but w/ a higher amount of data. We would like to know exactly what
> this traffic is: why is the majority of traffic lumped into "port 0"?
>
> TIA,
>
> Dustin
>
>
> _______________________________________________
> Flow-tools mailing list
> [EMAIL PROTECTED]
> http://mailman.splintered.net/mailman/listinfo/flow-tools
--
Adam Powers
Senior Security Engineer
Advanced Technology Group
c. 678.725.1028
o. 770.225.6521
f. 770.225.6501
e. [EMAIL PROTECTED]
AOL IM: adampowers22
StealthWatch by Lancope - Security through network intelligence
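As an added example (not code from the post or from flow-tools), the script below does in Python what the awk one-liner in the reply does, and then goes one step further: it pairs each port-0 TCP record with a flow between the same hosts whose lifetime covers the fragment record, which is the pattern the three-line example above shows. Port-0 records that have no such parent are the ones worth a closer look, since real TCP on port 0 is rare. It assumes the `flow-print -f 5` column order Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets (the order implied by $5/$8/$9 in the awk); the sample records are constructed, not captured data.

```python
"""Flag port-0 TCP flow records and pair them with a likely parent flow.

Non-initial IP fragments carry no TCP header, so the exporter records them
with source and destination port 0.  A port-0 TCP record whose endpoints match
another TCP flow active at the same moment is most likely that flow's
fragment train; one with no such parent deserves investigation.
"""
from collections import namedtuple

# Assumed column layout of `flow-print -f 5` output (the awk in the post uses
# $5=SrcP, $8=DstP, $9=P, which matches this order):
#   Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
Flow = namedtuple("Flow", "start end sif src srcp dif dst dstp proto flags pkts octets")

TCP = 6

# Constructed sample records (not real data); hosts and timings mirror the
# SMTP example in the post, plus one unpaired port-0 TCP record and one UDP
# record that the filter must ignore.
SAMPLE = """\
Start             End               Sif SrcIPaddress  SrcP  DIf DstIPaddress  DstP  P  Fl Pkts Octets
0202.17:01:18.187 0202.17:01:19.010 2   1.1.69.40     2969  3   2.2.16.61     25    6  1b 18   21500
0202.17:01:18.188 0202.17:01:19.012 3   2.2.16.61     25    2   1.1.69.40     2969  6  1b 18   1400
0202.17:01:18.307 0202.17:01:18.901 2   1.1.69.40     0     3   2.2.16.61     0     6  0  4    5920
0202.17:01:22.500 0202.17:01:22.600 2   1.1.70.5      0     3   2.2.16.61     0     6  2  1    40
0202.17:01:23.001 0202.17:01:23.100 2   1.1.70.9      53000 3   2.2.16.61     0     17 0  2    120
"""


def parse_flows(text):
    """Parse flow-print -f 5 style lines; header and comment lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 12 or parts[0] == "Start" or parts[0].startswith("#"):
            continue
        flows.append(Flow(parts[0], parts[1], parts[2], parts[3], int(parts[4]),
                          parts[5], parts[6], int(parts[7]), int(parts[8]),
                          parts[9], int(parts[10]), int(parts[11])))
    return flows


def port0_tcp(flows):
    """Same selection as the post's awk: srcport 0, dstport 0, protocol 6."""
    return [f for f in flows if f.srcp == 0 and f.dstp == 0 and f.proto == TCP]


def classify(flows):
    """Return (port0_record, parent_or_None) pairs.

    The parent is a TCP flow with the same src/dst whose [start, end] covers the
    port-0 record's start.  The fixed-width MMDD.HH:MM:SS.mmm timestamps compare
    correctly as strings within one day.
    """
    candidates = [f for f in flows
                  if f.proto == TCP and not (f.srcp == 0 and f.dstp == 0)]
    pairs = []
    for frag in port0_tcp(flows):
        parent = next((p for p in candidates
                       if p.src == frag.src and p.dst == frag.dst
                       and p.start <= frag.start <= p.end), None)
        pairs.append((frag, parent))
    return pairs


def unpaired(flows):
    """Port-0 TCP records with no covering parent flow: candidate real port-0 traffic."""
    return [frag for frag, parent in classify(flows) if parent is None]


if __name__ == "__main__":
    for frag, parent in classify(parse_flows(SAMPLE)):
        avg = frag.octets / frag.pkts  # fragments of a large send are near MTU size
        if parent:
            print(f"{frag.src} -> {frag.dst}: fragments of flow on dst port "
                  f"{parent.dstp} (avg {avg:.0f} bytes/pkt)")
        else:
            print(f"{frag.src} -> {frag.dst}: port-0 TCP with no parent flow, investigate")
```

Run it against `flow-cat ft* | flow-print -f 5` output instead of `SAMPLE` to apply the same pairing to real exports; the average bytes per packet of a paired record is a quick sanity check, since fragments of a large transfer sit near the path MTU while a lone 40-byte port-0 packet does not look like fragmentation.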