Hi Adam,



> BTW: Here's an example frag causing port 0...

> startime       srcip      srcp   dstip       dstp   pro  pkts
> 17:01:18.307   1.1.69.40  0      2.2.16.61   0      6    4
> 17:01:18.187   1.1.69.40  2969   2.2.16.61   25     6    18
> 17:01:18.188   2.2.16.61  25     1.1.69.40   2969   6    18

> This is an SMTP flow that started a new flow at t.187 then a second frag
> flow at t.307.

> .40 was the client, so I would suspect that sending a large email caused the
> need for larger packets and ultimately the need for fragmentation.

To my understanding the above record just shows there is something
wrong with traffic between 1.1.69.40 & 2.2.16.61. If the router
fragments packets and fills the port number with 0, this breaks the IP packet
forwarding requirement. If the client host sends packets with port 0, this
should mean its OS has something buggy, as port 0 is reserved.



> Look through your flow logs with something like:
> flow-cat ft* | flow-print -f 5 | awk '{if(($5==0 && $8==0 && $9==6)) print $0}'
> Any output you get should be a fragged TCP packet else an actual TCP flow on
> port 0 (which can happen, it's just rare).





> On 2/2/05 12:21 PM, "Dustin" <[EMAIL PROTECTED]> wrote:

>> Hello,
>>  
>> This may have been discussed, but I don't find any results in the archives.
>>  
>> We are troubleshooting some performance issues, have Cisco routers, and just
>> started using flow-tools to capture data.  I've issued flowstat with the
>> following args:
>>  
>> flow-stat -f5 -p -S2
>>  
>> # port      flows                 octets                packets
>> #
>> 0           425                   68968722              51238
>> 445         10886                 51125320              372789
>> 1494        710                   26667144              524757
>> 31889       1800                  21081243              50199
>> 3905        101                   20985596              19102
>> 
>> As you can see, most of the traffic is generated with lower number of
>> sessions & packets, but w/ higher amount of data.  We would like to know
>> exactly what this traffic is, why is the majority of traffic lumped into
>> "port 0"?
>>  
>> TIA,
>>  
>> Dustin
>>  
>>  
>> _______________________________________________
>> Flow-tools mailing list
>> [EMAIL PROTECTED]
>> http://mailman.splintered.net/mailman/listinfo/flow-tools





-- 
Regards


Jing Shen

******************************************
* The sunshine of lifetime is made up of *
* little beams which is bright all the   *
* time.                                  *
******************************************
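
The port-0 filter quoted above, taken one step further as an added example (not part of the original thread or of flow-tools). It assumes whitespace-separated rows in the column order of the quoted table, and it uses a heuristic that is an assumption here: a TCP flow with both ports 0 is a likely fragment flow when the same source and destination pair also has a TCP flow with real ports. The last two sample rows are constructed.

```shell
#!/bin/sh
# Added example: separate likely fragment flows from standalone port-0 flows.
# Assumed input columns: starttime srcip srcp dstip dstp pro pkts

classify_port0() {
    awk '
    # TCP flow with at least one real port: remember the src,dst pair.
    $6 == 6 && ($3 != 0 || $5 != 0) { ported[$2 "," $4] = 1; next }
    # TCP flow with both ports 0: queue it until all rows have been read,
    # because the matching ported flow may appear later in the input.
    $6 == 6 && $3 == 0 && $5 == 0 {
        n++; zt[n] = $1; zs[n] = $2; zd[n] = $4; zp[n] = $7
    }
    END {
        for (i = 1; i <= n; i++) {
            key = zs[i] "," zd[i]
            verdict = (key in ported) ? "fragment-likely" : "port0-only"
            print zt[i], zs[i], zd[i], zp[i], verdict
        }
    }'
}

# First three data rows are the ones quoted in the thread;
# the last two are constructed for this example.
sample_flows() {
cat <<'EOF'
startime       srcip      srcp   dstip       dstp   pro  pkts
17:01:18.307   1.1.69.40  0      2.2.16.61   0      6    4
17:01:18.187   1.1.69.40  2969   2.2.16.61   25     6    18
17:01:18.188   2.2.16.61  25     1.1.69.40   2969   6    18
17:02:40.010   192.0.2.7  0      192.0.2.99  0      6    1
17:02:41.500   192.0.2.8  0      192.0.2.99  0      17   3
EOF
}

sample_flows | classify_port0
```

Rows marked `port0-only` have no companion flow to explain them and are the ones to look at by hand; the UDP row is skipped because the filter, like the quoted one, only considers protocol 6.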

