On Sep 05, "Vladimir Kotal" wrote: > On Thu, Sep 01, 2005 at 10:03:43AM -0400, Adam Powers wrote: > > Proto 0 is actually a valid IP proto number though I've never really seen it > > used, especially not in large quantity (It's Hop by Hop IPv6 Option). > > > > This holds only for Netflow implementations which support IPv6 pkts, right ? > (v9 ?) > > > Vladimir, can you elaborate on the dropped flow indicator? I'm curious. > > Flows that are sent to Null0 or otherwise do not leave the router due to no > > valid route will usually have a egress IF set to null and a nexthop of null > > but I don't think I've seen Proto set to zero yet. > > > > According to one CCIE, generally it holds that > 'dropped packet => NULL DstIf' > > However, the opposite implication is not valid, so this means that nothing > can be deduced from NULL DstIf. It could mean process-switching punt, > unroutable, no cef or route to Null0. To distinguish between these cases, > it is necessary to look into counters like: > sh policy-map int > sh tcam int Vl10 acl in ip > sh int stats > sh ip traffic > > According to the CCIE, Protocol 0 could be present in Netflow packets only if > it was present in original IP packet (so I was wrong in that assumption). > > Protocol 0 could be also present in MPLS Netflow for MPLS-encapsulated > non-IP traffic but in that case also src/dst IP addr, TOS, ports, TCP > flags were 0.
Just to throw more uncertainty and rumor into the mix, I've known 6500s to produce netflow PDUs with 0.0.0.0 source and destination ips, presumably because of some bug (i.e. I looked hard and didn't see any traffic to or from anybody claiming to actually be 0.0.0.0) _______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
