On 17 Jun 2015, at 10:44, Maqbool Hashim wrote:
> It was stated in that thread that netflow reports source/dest port 0
> for non-initial fragments.

Fragmentation in this context only applies to UDP packets.
If the destination of a TCP SYN is being reported as 0 (what's the
source port?), either it's a reporting artifact of some kind or in fact
a SYN destined to TCP/0 (we see this with SYN-floods, sometimes, as well
as with attacks attempting to bypass ACL/firewall rules and related to
compromise).
-----------------------------------
Roland Dobbins <[email protected]>
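
A triage sketch for the distinction drawn in the message above, added here as an example and not part of the original message or thread. The flow records are constructed, and the field names, labels and the heuristic (a record that carries a SYN flag had its TCP header parsed by the exporter, so its port 0 is less likely to come from a non-initial fragment) are assumptions.

```python
import csv
import io

# Constructed sample flow export (not from the thread); column names are assumed.
SAMPLE_FLOWS = """src,dst,proto,sport,dport,tcp_flags,packets
192.0.2.10,198.51.100.5,17,0,0,,12
192.0.2.10,198.51.100.5,17,53,40211,,3
203.0.113.7,198.51.100.5,6,51234,0,S,1
203.0.113.8,198.51.100.5,6,40001,0,S,1
203.0.113.9,198.51.100.5,6,0,0,,4
192.0.2.20,198.51.100.5,6,44321,443,SA,9
"""

TCP, UDP = 6, 17  # IANA protocol numbers

def classify(rec):
    """Return a triage label for one flow record, or None if neither port is 0."""
    proto = int(rec["proto"])
    sport, dport = int(rec["sport"]), int(rec["dport"])
    flags = rec["tcp_flags"]
    if sport != 0 and dport != 0:
        return None
    # Both ports 0 on UDP: what the thread says is reported for non-initial fragments.
    if proto == UDP and sport == 0 and dport == 0:
        return "udp-port0: likely non-initial fragments"
    # A bare SYN with destination port 0: the case the reply says is seen with
    # SYN-floods and ACL/firewall bypass attempts, or is a reporting artifact.
    if proto == TCP and dport == 0 and "S" in flags and "A" not in flags:
        return "tcp-syn-to-port0: investigate"
    return "port0-other: possible reporting artifact"

def triage(text):
    """Count port-0 records per label and collect sources of SYNs to TCP/0."""
    counts, syn_sources = {}, set()
    for rec in csv.DictReader(io.StringIO(text)):
        label = classify(rec)
        if label is None:
            continue
        counts[label] = counts.get(label, 0) + 1
        if label.startswith("tcp-syn-to-port0"):
            syn_sources.add(rec["src"])
    return counts, sorted(syn_sources)

if __name__ == "__main__":
    counts, sources = triage(SAMPLE_FLOWS)
    for label, n in sorted(counts.items()):
        print(f"{n:3d}  {label}")
    print("sources of SYN to TCP/0:", ", ".join(sources))
```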