On Sep 06, "Adam Powers" wrote:
> So what did we decide?
>
> 1. That there are likely NetFlow caching bugs that cause SRC and DST to be
> 0.0.0.0 (yes Kevin, I have indeed seen this, though it's SUPER rare).
> 2. That PROTO 0 is valid and can be seen when the PROTO in the original
> datagram is 0.
> 3. That MPLS encap non-IP can cause PROTO == 0 but is characterized by other
> null fields such as TCP, TOS, and SRC/DST L4 port.
Sounds good to me. As far as answering whether 2 is the cause of the 0's, one should ask oneself how much protocol-0 traffic they're seeing and whether the amount NetFlow is reporting could be reality. I had to span/tcpdump a host that kept getting a lot of 0.0.0.0 traffic to finally confirm to myself that it wasn't some mean hacker sending me weird packets, it was just the stupid 6506's sending me lame PDUs.

It's also worth mentioning that I've seen DoS's that use invalid/imaginative protocol numbers, so the 0 could just be some hacker's idea of a good time.

> Gotta love this NetFlow stuff at times. :)

Mike

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
