If the port number is random, try looking at the port number for the other port, i.e. the destination port. Your 1st and 2nd reports look identical to me - the converse one would be more interesting. Does the other end destination IP address vary?
You can identify p2p traffic by many flows on p2p-ish ports, e.g. many flows on 6346, 6347, 6348 etc. To investigate an interesting internal client, I normally look to see what *destination* ports traffic coming *from* it has.

Craig Macdonald
[EMAIL PROTECTED]

On Fri, 10 Sep 2004, Michael Bellears wrote:

> We have a DSL client who occasionally (2 days a month) has 4G worth of
> downloads.
>
> Looking at the traffic for the affected days, I am seeing the
> following...
>
> Port is always random:
>
> ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ | ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet | ./flow-stat -f6 -S2|more
> # --- ---- ---- Report Information --- --- ---
> #
> # Fields:    Total
> # Symbols:   Disabled
> # Sorting:   Descending Field 2
> # Name:      UDP/TCP source port
> #
> # Args:      ./flow-stat -f6 -S2
> #
> #
> # port   flows   octets       packets
> #
> 3233     2       4294967446   3
> 80       180     784671       1364
>
> Flows + Packets are always very minimal, but Octets large:
>
> # ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ | ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet| ./flow-stat -f6 -S2|more
> # --- ---- ---- Report Information --- --- ---
> #
> # Fields:    Total
> # Symbols:   Disabled
> # Sorting:   Descending Field 2
> # Name:      UDP/TCP source port
> #
> # Args:      ./flow-stat -f6 -S2
> #
> #
> # port   flows   octets       packets
> #
> 3233     2       4294967446   3
> 80       180     784671       1364
>
> Always protocol 6:
>
> ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ | ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet| ./flow-stat -f12|more
> # --- ---- ---- Report Information --- --- ---
> #
> # Fields:    Total
> # Symbols:   Disabled
> # Sorting:   None
> # Name:      IP protocol
> #
> # Args:      ./flow-stat -f12
> #
> #
> # protocol   flows   octets       packets
> #
> 50           1       1152         8
> 17           282     101586       325
> 6            1746    4296584503   6246
> 1            75      4514         83
>
> Always from single IP: (This IP is different every time):
>
> # ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ | ./flow-stat -f10 -S3 |grep 203.149.69.54|more
> 66.183.10.168   203.149.69.54   2   4294967446   3
>
> Anyone have any idea what could cause this type of traffic?
>
> Regards,
> MB
>
> _______________________________________________
> Flow-tools mailing list
> [EMAIL PROTECTED]
> http://mailman.splintered.net/mailman/listinfo/flow-tools
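An added check, not part of this thread (editor's example; the report text is constructed from the numbers quoted above): a few lines of Python that parse flow-stat's single-key report layout and flag rows whose octet total cannot fit into the packets counted. The 4G in the quoted report is 4294967446 octets over 3 packets, which no three IP datagrams can carry, so the check points at the exported flow records rather than at the client's downloads.

```python
# Added example (editor's, not from the thread): flag flow-stat rows whose
# octet total could not physically fit into the packets counted.
MAX_IP_DATAGRAM = 65535  # largest IPv4 datagram, so the most octets one packet can carry

# Constructed sample in the layout of the "UDP/TCP source port" report quoted above.
SAMPLE_REPORT = """\
# --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Sorting:   Descending Field 2
# Name:      UDP/TCP source port
# Args:      ./flow-stat -f6 -S2
#
# port   flows   octets        packets
#
3233     2       4294967446    3
80       180     784671        1364
"""

def parse_flow_stat(text):
    """Yield (key, flows, octets, packets) per data row; '#' lines are comments."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) != 4:
            continue  # comment, blank, or not a single-key report row
        key, flows, octets, packets = fields
        yield key, int(flows), int(octets), int(packets)

def implausible_rows(text):
    """Return rows where octets > packets * 65535.

    No set of N packets can carry more than N * 65535 octets, so such a row
    reflects a bogus or garbled exported counter, not real transfer volume:
    the flow records, not the client's traffic, are what need investigating.
    """
    bad = []
    for key, flows, octets, packets in parse_flow_stat(text):
        if packets and octets > packets * MAX_IP_DATAGRAM:
            bad.append({"key": key, "flows": flows, "octets": octets,
                        "packets": packets, "octets_per_packet": octets // packets})
    return bad

if __name__ == "__main__":
    for row in implausible_rows(SAMPLE_REPORT):
        print(f"port {row['key']}: {row['octets']} octets in {row['packets']} packets "
              f"({row['octets_per_packet']} B/pkt) cannot be real traffic")
```

Run the same check over the per-protocol or source/destination reports (flow-stat -f12, -f10) by feeding their output in; only the first four whitespace-separated columns need to match the single-key layout.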
