Isn't protocol 1 ICMP?

-----Original Message-----
From: Dave Ellingsberg [mailto:[email protected]]
Sent: Tuesday, July 12, 2011 8:32 AM
To: Drew Weaver
Subject: Re: [Flow-tools] Quick question about output

protocol is ICMP

>>> From: Drew Weaver <[email protected]>
>>> To: "[email protected]" <[email protected]>
>>> Date: 07/12/11 7:29 AM
>>> Subject: [Flow-tools] Quick question about output
>>>
>>> The below output represents a DoS attack that occurred last night.
>>>
>>> Start             End               Sif SrcIPaddress         SrcP DIf DstIPaddress         DstP P   Fl Pkts Octets
>>> 0711.20:02:26.187 0711.20:02:26.187 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    33  0  1    1500
>>> 0711.20:02:26.223 0711.20:02:26.323 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    116 0  2    3000
>>> 0711.20:02:26.247 0711.20:02:26.247 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    94  0  1    1500
>>> 0711.20:02:26.247 0711.20:02:26.247 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    212 0  1    1500
>>> 0711.20:02:26.255 0711.20:02:26.255 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    146 0  1    1500
>>> 0711.20:02:26.271 0711.20:02:26.271 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    101 0  1    1500
>>> 0711.20:02:26.275 0711.20:02:26.275 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    60  0  1    1500
>>> 0711.20:02:26.335 0711.20:02:26.335 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    123 0  1    1500
>>>
>>> Is this a "netflow thing" to show the source port/dst port as 0 or did they actually attack port 0? (or are they fragments?)
>>>
>>> thanks,
>>> - Drew

_______________________________________________
Flow-tools mailing list
[email protected]
http://mailman.splintered.net/mailman/listinfo/flow-tools
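Added example (not from the thread or the flow-tools project): a small triage script over flow-print output in the 12-column layout Drew pasted. The "P" column of a flow record is the IP protocol number (1 is ICMP, 6 TCP, 17 UDP), and the SrcP/DstP fields only carry a port for protocols whose header has ports, so the script separates flows where a 0 port is a genuine port 0 on TCP/UDP/SCTP from flows where the protocol simply has no port fields. The sample input is the thread's own lines, with the poster's placeholder addresses; the column layout and the protocol tables are assumptions of this example.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Constructed input: the flow-print lines pasted in the thread, with the same
# placeholder addresses the original poster used.
SAMPLE_FLOW_PRINT = """\
Start             End               Sif SrcIPaddress         SrcP DIf DstIPaddress         DstP P   Fl Pkts Octets
0711.20:02:26.187 0711.20:02:26.187 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    33  0  1    1500
0711.20:02:26.223 0711.20:02:26.323 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    116 0  2    3000
0711.20:02:26.247 0711.20:02:26.247 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    94  0  1    1500
0711.20:02:26.247 0711.20:02:26.247 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    212 0  1    1500
0711.20:02:26.255 0711.20:02:26.255 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    146 0  1    1500
0711.20:02:26.271 0711.20:02:26.271 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    101 0  1    1500
0711.20:02:26.275 0711.20:02:26.275 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    60  0  1    1500
0711.20:02:26.335 0711.20:02:26.335 29  attacker.ip.add.ress 0    27  victim.ip.add.ress   0    123 0  1    1500
"""

# IP protocol numbers whose headers actually carry port fields.  For every other
# protocol the SrcP/DstP columns of a flow record have no port meaning.
PORTED_PROTOCOLS = {6: "TCP", 17: "UDP", 132: "SCTP"}
ICMP = 1


@dataclass(frozen=True)
class Flow:
    start: str
    end: str
    src_if: int
    src: str
    src_port: int
    dst_if: int
    dst: str
    dst_port: int
    proto: int   # "P" column: IP protocol number, not a port
    flags: int   # "Fl" column: cumulative TCP flags, printed in hex
    pkts: int
    octets: int


def parse_flow_print(text: str) -> list[Flow]:
    """Parse whitespace-separated flow-print lines in the 12-column layout above
    (assumed layout; header and blank lines are skipped)."""
    flows: list[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 12 or not parts[0][:1].isdigit():
            continue
        flows.append(Flow(
            start=parts[0], end=parts[1],
            src_if=int(parts[2]), src=parts[3], src_port=int(parts[4]),
            dst_if=int(parts[5]), dst=parts[6], dst_port=int(parts[7]),
            proto=int(parts[8]), flags=int(parts[9], 16),
            pkts=int(parts[10]), octets=int(parts[11]),
        ))
    return flows


def ports_are_meaningful(flow: Flow) -> bool:
    """True only for protocols that have port fields in their header."""
    return flow.proto in PORTED_PROTOCOLS


def triage(flows: list[Flow]) -> dict:
    """Summarise a batch of flows around the thread's question: is a 0 port a
    real target, or an artifact of the protocol having no ports at all?"""
    by_proto = Counter(f.proto for f in flows)
    packets = sum(f.pkts for f in flows)
    octets = sum(f.octets for f in flows)
    real_port0 = [f for f in flows
                  if ports_are_meaningful(f) and 0 in (f.src_port, f.dst_port)]
    portless = [f for f in flows if not ports_are_meaningful(f)]
    return {
        "flows": len(flows),
        "packets": packets,
        "octets": octets,
        "protocols": sorted(by_proto),            # distinct IP protocol numbers seen
        "icmp_flows": by_proto.get(ICMP, 0),
        "tcp_udp_sctp_port0": len(real_port0),    # the only flows that can mean "port 0"
        "portless_flows": len(portless),          # port 0 here is expected, not a target
        "avg_octets_per_pkt": octets / max(1, packets),
    }


if __name__ == "__main__":
    report = triage(parse_flow_print(SAMPLE_FLOW_PRINT))
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

On the thread's sample every flow carries a protocol number that is neither 1, 6 nor 17, so the report shows no ICMP flows and no genuine port-0 flows, only portless ones; the protocol numbers differ on every record while the packets are all 1500 octets. One caveat when protocol 1 does show up: some NetFlow exporters put the ICMP type and code into the destination-port field, so a nonzero DstP on an ICMP flow is not a port either.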
