Flows with destination port 0 and TCP SYN flag set

Maqbool Hashim maqbool at madbull.info
Wed Jun 17 08:44:34 UTC 2015


Hi,

I am doing some flow analysis within our network, primarily to understand application flows to aid in a network segregation activity and, more generally, to understand what is going on inside the network. To do this I have been using NetFlow where the switches/firewalls support it. In some cases I have used a monitor port and fed full packet capture into the nfdump toolset for conversion into flows.

There is a portion of our network where the switches only support sFlow, which is not ideal, but hopefully I will be able to gather enough data over time to be useful. One of the things I was trying to identify was flow initiation, i.e. the client and server in the flow, so I filtered for TCP packets with the SYN flag set.

It was at this point that I saw TCP SYN packets with a destination port of 0. I have seen this discussed before in this thread: http://www.gossamer-threads.com/lists/nanog/users/155141

It was stated in that thread that NetFlow reports source/dest port 0 for non-initial fragments. My question is whether this is what I am seeing here, i.e. is any SYN packet with dest port 0 a non-initial fragment seen by the tool? Therefore, should I always see a corresponding response with the ACK and RST flags set? I do see a set of flows with R and A set with a source port of 0, and all the dest port 0 flows have the SYN flag set, but it's hard to find ones that match a SYN packet because I only receive a sample of flows.

Some notes on the setup:

Capture is from inside one VLAN
Switches are sending sFlow back to the analysis tools, sampling rate of 1/1024 packets
Using the nfdump suite of tools for analysis, with sfcapd as the collector

Thinking about this, is what I am seeing a symptom of the fact that the tools don't see all packets, i.e. the tools don't see the initial fragment due to sampling? However, I still don't quite understand it appearing with the SYN flag set.

I am starting to think that for these purposes I might be better off abandoning sFlow and setting up collectors on the switches to get full flow information.

Any clarification/input much appreciated.

Regards

MH
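As an added example (not code from the original post, the NANOG thread it cites, or the nfdump project), the following Python script applies the analysis the post describes to a handful of constructed flow records: it picks out TCP initiators by a bare SYN (SYN set, ACK clear), flags any record with port 0 on either side as the NetFlow non-initial-fragment convention mentioned in the cited thread rather than a real connection to port 0, tries to pair each SYN with the reversed-tuple SYN/ACK or RST/ACK reply, and scales sampled packet counts by the post's 1-in-1024 sampling rate. The CSV layout and the six-character `U A P R S F` flag string mimic nfdump's text output but are simplified assumptions of this example; the records are constructed, not captured.

```python
"""Classify sampled flow records: TCP initiators, port-0 (fragment) records,
SYN/response pairing, and sampling scale-up.

Added example. The CSV format (proto,src_ip,src_port,dst_ip,dst_port,flags,pkts)
and the flag rendering are simplifying assumptions, not nfdump's real schema.
"""
from dataclasses import dataclass
from typing import Optional

SAMPLING_RATE = 1024  # sFlow 1-in-1024 packet sampling, as in the post's setup

# Flags are rendered as six characters in the order U A P R S F, with '.'
# for an unset bit (e.g. ".A..S." is SYN+ACK). Assumption modelled on nfdump.
FLAG_ORDER = "UAPRSF"

# Constructed sample records (not real captures). Record 3/4 show a SYN with
# dst port 0 and its RST+ACK reply from src port 0, as described in the post.
SAMPLE_CSV = """\
6,10.1.1.10,51234,10.1.2.20,443,....S.,1
6,10.1.2.20,443,10.1.1.10,51234,.A..S.,1
6,10.1.1.11,0,10.1.2.21,0,....S.,1
6,10.1.2.21,0,10.1.1.11,0,.A.R..,1
6,10.1.1.12,40000,10.1.2.22,22,.AP...,3
6,10.1.1.13,45000,10.1.2.23,80,....S.,1
17,10.1.1.14,5353,224.0.0.251,5353,......,2
"""


@dataclass(frozen=True)
class Flow:
    proto: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str
    packets: int  # sampled packets counted in this record

    def has(self, flag: str) -> bool:
        """True if the given TCP flag letter (U/A/P/R/S/F) is set."""
        return self.flags[FLAG_ORDER.index(flag)] == flag


def parse_flows(csv_text: str) -> list:
    """Parse the simplified CSV into Flow records, skipping blank/comment lines."""
    flows = []
    for line in csv_text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        p, sip, sp, dip, dp, fl, pk = [x.strip() for x in line.split(",")]
        if len(fl) != len(FLAG_ORDER):
            raise ValueError(f"bad flag string {fl!r}")
        flows.append(Flow(int(p), sip, int(sp), dip, int(dp), fl, int(pk)))
    return flows


def is_initiator(f: Flow) -> bool:
    """A bare SYN (SYN set, ACK clear) identifies the client side of a TCP flow."""
    return f.proto == 6 and f.has("S") and not f.has("A")


def is_port0_record(f: Flow) -> bool:
    """Port 0 on either side is the NetFlow convention for a non-initial
    fragment (no L4 header in the packet). Treat as suspect, not as port 0."""
    return f.proto in (6, 17) and (f.src_port == 0 or f.dst_port == 0)


def find_response(init: Flow, flows: list) -> Optional[Flow]:
    """Find the server's reply to a SYN: the reversed 5-tuple carrying
    SYN+ACK (accepted) or RST+ACK (refused). None if not sampled."""
    for f in flows:
        if (f.proto == 6 and f.src_ip == init.dst_ip and f.src_port == init.dst_port
                and f.dst_ip == init.src_ip and f.dst_port == init.src_port
                and f.has("A") and (f.has("S") or f.has("R"))):
            return f
    return None


def estimate_packets(sampled: int, rate: int = SAMPLING_RATE) -> int:
    """Scale a sampled packet count back to an estimate of the true count."""
    return sampled * rate


def summarize(csv_text: str) -> dict:
    """Run the whole classification over a CSV text and return counts/pairings."""
    flows = parse_flows(csv_text)
    initiators = [f for f in flows if is_initiator(f)]
    port0 = [f for f in flows if is_port0_record(f)]
    pairings = {}
    for init in initiators:
        if is_port0_record(init):
            continue  # exclude fragment-convention records from pairing
        resp = find_response(init, flows)
        key = (init.src_ip, init.src_port, init.dst_ip, init.dst_port)
        pairings[key] = "synack" if resp and resp.has("S") else "rst" if resp else "unmatched"
    return {
        "flows": len(flows),
        "initiators": len(initiators),
        "port0_records": len(port0),
        "port0_with_syn": sum(1 for f in port0 if f.has("S")),
        "pairings": pairings,
        "estimated_packets": estimate_packets(sum(f.packets for f in flows)),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_CSV).items():
        print(f"{k}: {v}")
```

With 1-in-1024 sampling the chance that both the SYN and its reply of one connection are sampled is small, so most initiators come out "unmatched"; the `unmatched` count is a direct measure of the pairing problem the post describes, and the `port0_*` counts separate the fragment-convention records from real initiators before any client/server inference is drawn from them.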




More information about the NANOG mailing list