Hi, I frequently spot high peaks in UDP flows that, after analysis, appear to be a scan (or DoS?) from one host to another. See the example below, where I report only 10 lines, but there are hundreds: same source port but different dst port. My question is: what is the meaning of the fact that there are always N packets and N flows? Since my routers do 1/1000 sampling, my take is that the source host is continuously changing the dst port, sending one (or a few) packets before changing port. Periodically, the same dst port is reused. But since the inactive timeout in the routers is 60s, a flow of one packet is reported each time before the port gets used again. Does it make sense? Has anybody observed something similar? cheers, Maurizio
Top 10 flows ordered by flows:

Date flow start          Duration Proto Src IP Addr:Port      Dst IP Addr:Port     Flags Tos Packets Bytes Flows
2007-05-30 13:08:17.692   706.187     0 XX.YY.2.6:41670    -> ZZ.WW.76.243:45153  ......   0       5   145     5
2007-05-30 13:06:21.496   722.075     0 XX.YY.2.6:41670    -> ZZ.WW.76.243:51444  ......   0       5   145     5
2007-05-30 13:04:30.287   887.982     0 XX.YY.2.6:41670    -> ZZ.WW.76.243:55997  ......   0       5   145     5
2007-05-30 13:05:24.853   801.025     0 XX.YY.2.6:41670    -> ZZ.WW.76.243:19642  ......   0       4   116     4
2007-05-30 13:06:46.696   654.901     0 XX.YY.2.6:41670    -> ZZ.WW.76.243:46144  ......   0       4   116     4
2007-05-30 13:05:38.273   893.242     0 XX.YY.2.6:41670    -> ZZ.WW.76.243:33130  ......   0       4   116     4
2007-05-30 13:08:00.692   625.157     0 XX.YY.2.6:41670    -> ZZ.WW.76.243:13425  ......   0       4   116     4
2007-05-30 13:04:32.277   377.831     0 XX.YY.2.6:41670    -> ZZ.WW.76.243:26828  ......   0       4   116     4
2007-05-30 13:04:45.951   974.033     0 XX.YY.2.6:41670    -> ZZ.WW.76.243:60047  ......   0       4   116     4
2007-05-30 13:05:04.668   617.236     0 XX.YY.2.6:41670    -> ZZ.WW.76.243:13678  ......   0       4   116     4

-- 
Maurizio Molina
Network Engineer
DANTE - www.dante.net
Tel: +44 (0)1223 371 300
Fax: +44 (0)1223 371 371
Email: [EMAIL PROTECTED]
PGP Key ID: 3FF58D51
City House, 126-130 Hills Road
Cambridge CB2 1PQ UK

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
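The mechanism the post describes (packet sampling plus the inactive timeout turning a port-rotating sender into one exported record per sampled packet) can be checked with a small model of the router's flow cache. The following is an added example, not code from the original post or from NfSen/nfdump. It takes the 1/1000 sampling and the 60 s inactive timeout from the post and otherwise uses constructed input: the post's masked addresses and source port, a hypothetical sender that cycles through seven destination ports, and deterministic every-Nth sampling as the sampling model. The `aggregate` function mimics what the 5-tuple aggregation in the nfdump listing reports (summed Packets, number of records as Flows). The two cases differ only in send rate: when consecutive sampled packets to the same port are further apart than the inactive timeout, Packets equals Flows, as in the listing; when they are closer, they merge into one record.

```python
"""Model of a sampling router's flow cache (added example, not from the post).

Assumptions: 1-in-1000 packet sampling modelled as deterministic every-Nth
sampling, a 60 s inactive timeout, UDP only (protocol omitted from the key),
and constructed traffic from one source port to a small round-robin list of
destination ports.
"""
from collections import defaultdict

SAMPLE_RATE = 1000        # 1 in 1000 packets, as stated in the post
INACTIVE_TIMEOUT = 60.0   # seconds, as stated in the post


def sampled_packets(src, sport, dst, dst_ports, pps, seconds, rate=SAMPLE_RATE):
    """Constructed traffic after sampling: the sender emits `pps` packets/s,
    one to each port in `dst_ports` in round-robin order, and only every
    `rate`-th packet reaches the flow cache. Yields (time, src, sport, dst, dport)."""
    total = int(pps * seconds)
    for k in range(0, total, rate):
        yield (k / pps, src, sport, dst, dst_ports[k % len(dst_ports)])


def flow_cache(packets, inactive_timeout=INACTIVE_TIMEOUT):
    """One cache entry per (src, sport, dst, dport). An entry that has been
    silent for longer than `inactive_timeout` is exported and a fresh one
    started; expiry is evaluated lazily on the next packet for that key, which
    yields the same records as a timer-driven expiry. Entries still active at
    the end are flushed. Returns the exported records in export order."""
    active = {}
    exported = []
    for t, src, sport, dst, dport in packets:
        key = (src, sport, dst, dport)
        rec = active.get(key)
        if rec is not None and t - rec["last"] > inactive_timeout:
            exported.append(active.pop(key))   # idle too long: export it
            rec = None
        if rec is None:
            rec = {"key": key, "first": t, "last": t, "packets": 0}
            active[key] = rec
        rec["packets"] += 1
        rec["last"] = t
    exported.extend(active.values())
    return exported


def aggregate(records):
    """5-tuple aggregation as in the nfdump listing: summed packets, the number
    of records (the 'Flows' column) and first/last seen, per key."""
    agg = defaultdict(lambda: {"packets": 0, "flows": 0, "first": None, "last": None})
    for r in records:
        a = agg[r["key"]]
        a["packets"] += r["packets"]
        a["flows"] += 1
        a["first"] = r["first"] if a["first"] is None else min(a["first"], r["first"])
        a["last"] = r["last"] if a["last"] is None else max(a["last"], r["last"])
    return dict(agg)


def single_packet_flow_keys(agg):
    """Keys whose exported records each carried exactly one sampled packet,
    i.e. Packets == Flows in the listing; a cheap filter for this pattern."""
    return sorted(k for k, a in agg.items() if a["packets"] == a["flows"])


if __name__ == "__main__":
    # Seven ports: 7 is coprime with the sampling interval 1000, so the sampled
    # packets visit every port in turn rather than always hitting the same one.
    ports = [45153, 51444, 55997, 19642, 46144, 33130, 13425]
    # Case 1: slow sender. Sampled packets to any one port are 70 s apart
    # (> 60 s), so each sampled packet is exported as its own one-packet flow.
    slow = aggregate(flow_cache(sampled_packets("XX.YY.2.6", 41670, "ZZ.WW.76.243",
                                                ports, pps=100, seconds=700)))
    # Case 2: fast sender, same ports. Sampled packets to one port are 3.5 s
    # apart, so they stay in a single long-lived record.
    fast = aggregate(flow_cache(sampled_packets("XX.YY.2.6", 41670, "ZZ.WW.76.243",
                                                ports, pps=2000, seconds=70)))
    for name, agg in (("slow", slow), ("fast", fast)):
        for key, a in sorted(agg.items()):
            print(name, key, "packets=%d flows=%d duration=%.1fs"
                  % (a["packets"], a["flows"], a["last"] - a["first"]))
```

In the slow case every key comes out as packets=10, flows=10 with a duration of several hundred seconds, the shape seen in the listing; in the fast case the same keys come out as packets=20, flows=1. The deciding quantity is the interval between consecutive sampled packets to the same 5-tuple relative to the inactive timeout, which is why the observation says nothing directly about how many packets the sender actually put on the wire per port.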
