[Flow-tools] Protocol 0

Wed, 31 Aug 2005 17:09:52 -0700 

19 of last month, one of our clients data usage reported unusual results
(Large Protocol 0 ingress traffic):

# ./flow-cat -a /netflow/oar/krc3.v5/2005/2005-08/2005-08-19/ |
./flow-filter -f netflow_acls/prof_invest_fibre.acl -Dfoo -Sbar|
./flow-stat -f12 |more
flow-cat: Warning, partial inflated record before EOF
#  --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   None
# Name:      IP protocol
#
# Args:      ./flow-stat -f12 
#
#
# protocol  flows                 octets                packets
#
50          1826                  33710912              105330

17          12599                 14056361              39544

6           17185                 325512821             426827

1           1855                  952723                10730

0           28                    25226402880           98228468800


I've isolated the traffic to have originated from the Router:

# ./flow-cat -a /netflow/oar/krc3.v5/2005/2005-08/2005-08-19/ |
./flow-filter -f netflow_acls/prof_invest_fibre.acl -Dfoo -Sbar|
./flow-print

srcIP            dstIP            prot  srcPort  dstPort  octets
packets
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600
192.168.1.2      203.149.66.30    0     24       0        900942960
3508159600

Anyone have ideas on what could have caused this?

flow-tools-0.66
Debian 3.1
Cisco 7204VXR 12.3(15)

Regards,
MB
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools

Reply via email to