I am trying to understand something more: Why do ICMP 3.10 responses appear as sent to port 778 when viewing Port Stats?

(Note: I run the following from the nfsen GUI, but I am copying here the nfdump produced commands.)

When I run, for example:

** nfdump -M /data/nfsen/profiles-data/live/thi -T -R 2016/10/22/nfcapd.201610221320:2016/10/22/nfcapd.201610221325 -c 500
nfdump filter:
((ident thi) and (OUT IF 32) or (ident thi) and (IN IF 32)) and (src ip 194.177.194.192 )
Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port     X-Dst IP Addr:Port   In Byte Out Byte
2016-10-22 13:20:56.088 INVALID Ignore ICMP    194.177.194.192:0     ->      171.61.95.78:3.10        0.0.0.0:0     ->        0.0.0.0:0        72        0
2016-10-22 13:23:24.724 INVALID Ignore TCP     194.177.194.192:80    ->     195.251.37.48:38723      0.0.0.0:0     ->        0.0.0.0:0       563        0
2016-10-22 13:23:43.608 INVALID Ignore ICMP    194.177.194.192:0     ->     46.201.244.17:3.10       0.0.0.0:0     ->        0.0.0.0:0        68        0
2016-10-22 13:25:42.772 INVALID Ignore ICMP    194.177.194.192:0     ->     14.177.102.25:3.10       0.0.0.0:0     ->        0.0.0.0:0       144        0
2016-10-22 13:26:08.640 INVALID Ignore ICMP    194.177.194.192:0     ->    125.138.11.240:3.10       0.0.0.0:0     ->        0.0.0.0:0        68        0
2016-10-22 13:26:16.752 INVALID Ignore ICMP    194.177.194.192:0     ->   188.254.126.174:3.10       0.0.0.0:0     ->        0.0.0.0:0        88        0
2016-10-22 13:26:08.844 INVALID Ignore ICMP    194.177.194.192:0     ->     14.177.102.25:3.10       0.0.0.0:0     ->        0.0.0.0:0       144        0
2016-10-22 13:26:37.336 INVALID Ignore ICMP    194.177.194.192:0     ->    217.160.107.42:3.10       0.0.0.0:0     ->        0.0.0.0:0       472        0
2016-10-22 13:26:52.824 INVALID Ignore ICMP    194.177.194.192:0     ->     14.177.102.25:3.10       0.0.0.0:0     ->        0.0.0.0:0        72        0
2016-10-22 13:27:04.048 INVALID Ignore ICMP    194.177.194.192:0     ->     14.177.102.25:3.10       0.0.0.0:0     ->        0.0.0.0:0       144        0
2016-10-22 13:28:45.960 INVALID Ignore TCP     194.177.194.192:80    ->     140.105.70.47:42150      0.0.0.0:0     ->        0.0.0.0:0       563        0
2016-10-22 13:29:24.716 INVALID Ignore TCP     194.177.194.192:80    ->     195.251.37.48:38844      0.0.0.0:0     ->        0.0.0.0:0       563        0
2016-10-22 13:29:40.084 INVALID Ignore ICMP    194.177.194.192:0     ->     89.40.165.184:3.10       0.0.0.0:0     ->        0.0.0.0:0        72        0
Summary: total flows: 13, total bytes: 3033, total packets: 28, avg bps: 46, avg pps: 0, avg bpp: 108
Time window: 2016-10-22 13:14:58 - 2016-10-22 13:29:57
Total flows processed: 34879, Blocks skipped: 0, Bytes read: 2232512
Sys: 0.009s flows/second: 3488597.7  Wall: 0.009s flows/second: 3851479.7

But when I produce destination port stats (for the same time range):

** nfdump -M /data/nfsen/profiles-data/live/thi -T -R 2016/10/22/nfcapd.201610221320:2016/10/22/nfcapd.201610221325 -n 50 -s dstport/flows
nfdump filter:
((ident thi) and (OUT IF 32) or (ident thi) and (IN IF 32)) and (src ip 194.177.194.192)
Top 50 Dst Port ordered by flows:
Date first seen          Duration Proto   Dst Port    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2016-10-22 13:20:56.088   523.996 any          778   10(76.9)     13(46.4)     1344(44.3)        0       20   103
2016-10-22 13:28:45.960     0.136 any        42150    1( 7.7)      5(17.9)      563(18.6)       36    33117   112
2016-10-22 13:29:24.716     0.012 any        38844    1( 7.7)      5(17.9)      563(18.6)      416   375333   112
2016-10-22 13:23:24.724     0.012 any        38723    1( 7.7)      5(17.9)      563(18.6)      416   375333   112
Summary: total flows: 13, total bytes: 3033, total packets: 28, avg bps: 46, avg pps: 0, avg bpp: 108
Time window: 2016-10-22 13:14:58 - 2016-10-22 13:29:57
Total flows processed: 34879, Blocks skipped: 0, Bytes read: 2232512
Sys: 0.009s flows/second: 3488597.7  Wall: 0.007s flows/second: 4668585.2

Even if I explicitly request ICMP traffic, it still shows dst port 778:

** nfdump -M /data/nfsen/profiles-data/live/thi -T -R 2016/10/22/nfcapd.201610221320:2016/10/22/nfcapd.201610221325 -n 50 -s dstport/flows
nfdump filter:
((ident thi) and (OUT IF 32) or (ident thi) and (IN IF 32)) and (src ip 194.177.194.192 and proto icmp)
Top 50 Dst Port ordered by flows:
Date first seen          Duration Proto   Dst Port    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2016-10-22 13:20:56.088   523.996 any          778   10(100.0)    13(100.0)    1344(100.0)        0       20   103
Summary: total flows: 10, total bytes: 1344, total packets: 13, avg bps: 20, avg pps: 0, avg bpp: 103
Time window: 2016-10-22 13:14:58 - 2016-10-22 13:29:57
Total flows processed: 34879, Blocks skipped: 0, Bytes read: 2232512
Sys: 0.009s flows/second: 3488597.7  Wall: 0.007s flows/second: 4793046.6

(I'm posting in HTML to help preserve formatting.)

Can anyone explain this behavior?

Thanks,
Nick

On 22/10/2016 12:25 AM, Nikolaos Milas wrote:
> Thank you guys, for your prompt help.
>
> Now it makes sense!
>
> Cheers,
> Nick
>
> On 21/10/2016 10:38 PM, Alan Whinery wrote:
>
>> Because when describing ICMP, various software have a custom of
>> co-opting the port number (since ICMP doesn't have port numbers) to show
>> the type.code of the ICMP packet.
>> 3.10 presumably means type 3, code 10, so destination unreachable, Host
>> administratively prohibited.
>>
>> https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#ICMP_datagram_structure
>>
>> On 10/21/2016 8:16 AM, Nikolaos Milas wrote:
>>> Hello,
>>>
>>> I am recording a number of flows of the form:
>>>
>>> Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port     X-Dst IP Addr:Port   In Byte Out Byte
>>> 2016-10-21 20:58:51.700 INVALID Ignore ICMP    194.177.194.192:0     ->      183.7.119.26:3.10        0.0.0.0:0     ->        0.0.0.0:0        68        0
>>>
>>> What is the meaning of these flows please?
>>>
>>> Why is the source port 0 and the destination port 3.10?
>>>
>>> I cannot understand.
>>>
>>> Please help.
>>>
>>> Thanks,
>>> Nick
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Nfsen-discuss mailing list
>>> Nfsen-discuss@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
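Added worked example, not part of the thread and not nfdump's own code. It relies on the convention nfdump inherits from NetFlow v5: for ICMP flows the destination-port field carries type*256 + code, which the long record format prints as "type.code" while -s dstport prints the raw value (3*256 + 10 = 778). The parser below reads constructed lines in the shape of the thread's output and reproduces the per-dst-port aggregation; the record layout it accepts and the sample rows are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows in the shape of the thread's long-format nfdump output.
SAMPLE = """\
2016-10-22 13:20:56.088 INVALID Ignore ICMP  194.177.194.192:0 -> 171.61.95.78:3.10 0.0.0.0:0 -> 0.0.0.0:0 72 0
2016-10-22 13:23:24.724 INVALID Ignore TCP   194.177.194.192:80 -> 195.251.37.48:38723 0.0.0.0:0 -> 0.0.0.0:0 563 0
2016-10-22 13:23:43.608 INVALID Ignore ICMP  194.177.194.192:0 -> 46.201.244.17:3.10 0.0.0.0:0 -> 0.0.0.0:0 68 0
"""

# Assumed column layout: ts event xevent proto src:port -> dst:port xsrc -> xdst inbytes outbytes
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+\S+\s+\S+\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>[\d.]+)"
    r"\s+\S+\s+->\s+\S+\s+(?P<inbytes>\d+)\s+(?P<outbytes>\d+)$"
)

def icmp_port(icmp_type, icmp_code):
    """Encode ICMP type/code the way the dst-port field stores it (type*256 + code)."""
    return icmp_type * 256 + icmp_code

def icmp_type_code(port):
    """Inverse of icmp_port: raw dst-port value -> (type, code)."""
    return port >> 8, port & 0xFF

def parse_flow(line):
    """Parse one long-format record; ICMP 'type.code' ports become the raw number."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised record: " + line)
    proto, dport = m["proto"], m["dport"]
    if proto == "ICMP" and "." in dport:
        icmp_type, icmp_code = (int(x) for x in dport.split("."))
        dport_raw = icmp_port(icmp_type, icmp_code)
    else:
        dport_raw = int(dport)
    return {"proto": proto, "dst": m["dst"], "dport": dport_raw, "bytes": int(m["inbytes"])}

def dstport_stats(text):
    """Aggregate flows and bytes per raw dst port, like 'nfdump -s dstport/flows'."""
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for line in text.splitlines():
        flow = parse_flow(line)
        stats[flow["dport"]]["flows"] += 1
        stats[flow["dport"]]["bytes"] += flow["bytes"]
    return dict(sorted(stats.items(), key=lambda kv: kv[1]["flows"], reverse=True))

def describe_port(port, proto):
    """Label a raw dst-port value: 'ICMP type 3 code 10' for ICMP, the number otherwise."""
    if proto == "ICMP":
        icmp_type, icmp_code = icmp_type_code(port)
        return f"ICMP type {icmp_type} code {icmp_code}"
    return str(port)
```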