Thought I might bring this thread back. Just encountered a customer that is seeing PROTO == 0, IP_DEST == 0, SRC_PORT == 0, DEST_PORT == 0, etc.
Seeing entire PDUs full of "null field" records. This really seems to be an IOS error rather than some real network scenario.

IOS: 12.2(18)SXD4
Platform: WS-C6509-E

Will advise if a reboot clears the condition.

On 9/7/05 12:30 AM, "Mike Hunter" <[EMAIL PROTECTED]> wrote:

> On Sep 06, "Adam Powers" wrote:
>
>> So what did we decide?
>>
>> 1. That there are likely NetFlow caching bugs that cause SRC and DST to be
>> 0.0.0.0 (yes Kevin, I have indeed seen this, though it's SUPER rare).
>> 2. That PROTO 0 is valid and can be seen when the PROTO in the original
>> datagram is 0.
>> 3. That MPLS encap non-IP can cause PROTO == 0 but is characterized by other
>> null fields such as TCP, TOS, and SRC/DST L4 port.
>
> Sounds good to me. As far as answering whether 2 is the cause of the 0's,
> one should ask oneself how much protocol-0 traffic they're seeing and
> whether the amount netflow is reporting could be reality. I had to
> span/tcpdump a host that kept getting a lot of 0.0.0.0 traffic to finally
> confirm to myself that it wasn't some mean hacker sending me weird
> packets, it was just the stupid 6506's sending me lame PDUs. It's also
> worth mentioning that I've seen DOS's that use invalid/imaginative
> protocol numbers, so the 0 could just be some hacker's idea of a good time.
>
>> Gotta love this NetFlow stuff at times.
>
> :)
>
> Mike

--
Adam Powers
Director of Technology
Lancope, Inc.
c. 678.725.1028
e. [EMAIL PROTECTED]

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
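One way to triage exported records by the cases the thread lists (all-zero "null field" records, 0.0.0.0 endpoints, PROTO 0 with null TOS/flags/ports, and plain PROTO 0) and apply Mike's plausibility check on protocol-0 volume, as an added Python example that is not part of this thread. Field names follow NetFlow v5; the zero-field discriminators are the thread's own heuristics, and the sample PDUs are constructed, not real exports.

```python
"""Triage NetFlow v5 records into the null-field cases discussed on the list."""
from collections import Counter

ZERO_IP = "0.0.0.0"


def classify(rec):
    """Label one flow record (dict keyed by NetFlow v5 field names)."""
    addrs_null = rec["srcaddr"] == ZERO_IP and rec["dstaddr"] == ZERO_IP
    l4_null = rec["srcport"] == 0 and rec["dstport"] == 0 and rec["tcp_flags"] == 0
    if addrs_null and rec["prot"] == 0 and l4_null and rec["tos"] == 0:
        return "null-record"   # every field zero: the whole-PDU condition reported above
    if addrs_null:
        return "zero-addr"     # case 1: 0.0.0.0 endpoints, exporter cache bug suspected
    if rec["prot"] == 0 and l4_null and rec["tos"] == 0:
        return "mpls-non-ip"   # case 3: PROTO 0 plus null TCP flags, TOS and L4 ports
    if rec["prot"] == 0:
        return "proto0"        # case 2: protocol 0 in the original datagram (or a bogus proto)
    return "normal"


def summarize(pdu):
    """Count labels across one PDU and report how much of its traffic is protocol 0."""
    counts = Counter(classify(r) for r in pdu)
    total_pkts = sum(r["dPkts"] for r in pdu)
    proto0_pkts = sum(r["dPkts"] for r in pdu if r["prot"] == 0)
    return {
        "counts": dict(counts),
        "all_null": len(pdu) > 0 and counts["null-record"] == len(pdu),
        # Mike's check: is the reported protocol-0 share plausible for this network?
        "proto0_pkt_share": proto0_pkts / total_pkts if total_pkts else 0.0,
    }


def rec(src, dst, prot, sport=0, dport=0, tos=0, flags=0, pkts=1):
    """Build a minimal NetFlow v5-style record (constructed sample data)."""
    return {"srcaddr": src, "dstaddr": dst, "prot": prot, "srcport": sport,
            "dstport": dport, "tos": tos, "tcp_flags": flags, "dPkts": pkts}


# Constructed sample PDUs, not real exports.
NULL_PDU = [rec(ZERO_IP, ZERO_IP, 0) for _ in range(3)]
MIXED_PDU = [
    rec("10.0.0.5", "10.0.1.7", 6, 51234, 443, flags=0x18, pkts=40),  # normal TCP
    rec(ZERO_IP, ZERO_IP, 17, 53, 53, pkts=2),                         # zero-addr
    rec("10.0.0.9", "10.0.1.3", 0, pkts=5),                            # mpls-non-ip
    rec("10.0.0.9", "10.0.1.3", 0, tos=0xB8, pkts=1),                  # proto0
]

if __name__ == "__main__":
    print(summarize(NULL_PDU))
    print(summarize(MIXED_PDU))
```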