Hi Adam,

> Port 0 flows usually result from fragmented IP datagrams.

Why? We consider traffic destined to port 0 as OS detection. If an IP packet is fragmented, both the IP header & TCP/UDP header are copied to the new packets generated.

Looking at his flow-print result, I think there must be some hosts affected by a virus which keep detecting other hosts' OS and try to attack at port TCP/445.

> On 2/2/05 12:21 PM, "Dustin" <[EMAIL PROTECTED]> wrote:
>> Hello,
>>
>> This may have been discussed, but I don't find any results in the archives.
>>
>> We are troubleshooting some performance issues, have Cisco routers, and just
>> started using flow-tools to capture data. I've issued flowstat with the
>> following args:
>>
>> flow-stat -f5 -p -S2
>>
>> # port   flows   octets     packets
>> #
>> 0        425     68968722   51238
>> 445      10886   51125320   372789
>> 1494     710     26667144   524757
>> 31889    1800    21081243   50199
>> 3905     101     20985596   19102
>>
>> As you can see, most of the traffic is generated with lower number of
>> sessions & packets, but w/ higher amount of data. We would like to know
>> exactly what this traffic is, why is the majority of traffic lumped into
>> "port 0"?
>>
>> TIA,
>>
>> Dustin
>>
>> _______________________________________________
>> Flow-tools mailing list
>> [EMAIL PROTECTED]
>> http://mailman.splintered.net/mailman/listinfo/flow-tools

--
Regards
Jing Shen

******************************************
* The sunshine of lifetime is made up of *
* little beams which is bright all the   *
* time.                                  *
******************************************
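
One way to weigh the two readings of port 0 in this thread (fragmented datagrams versus OS-detection probes) against the quoted numbers; this is an added example, not part of the original messages or of flow-tools. It parses the flow-stat rows quoted above and labels each port by average packet size and packets per flow; the three thresholds and the label names are assumptions chosen for illustration.

```python
# Added example: per-port triage of a flow-stat port report.
# Thresholds below are illustrative assumptions, not flow-tools defaults.
REPORT = """\
# port flows octets packets
#
0 425 68968722 51238
445 10886 51125320 372789
1494 710 26667144 524757
31889 1800 21081243 50199
3905 101 20985596 19102
"""  # rows copied from the flow-stat output quoted in the thread

BULK_BYTES_PER_PKT = 1000   # assumed: near-MTU average means bulk payload
PROBE_BYTES_PER_PKT = 100   # assumed: probes are little more than headers
PROBE_PKTS_PER_FLOW = 5     # assumed: probes send few packets per flow


def parse_report(text):
    """Return (port, flows, octets, packets) tuples, skipping '#' lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields):
            continue  # comment, blank or malformed line
        port, flows, octets, packets = map(int, fields)
        if flows and packets:  # avoid division by zero on empty rows
            rows.append((port, flows, octets, packets))
    return rows


def classify(flows, octets, packets):
    """Label a row by average packet size and packets per flow."""
    bytes_per_pkt = octets / packets
    pkts_per_flow = packets / flows
    if bytes_per_pkt >= BULK_BYTES_PER_PKT:
        return "bulk"
    if (bytes_per_pkt <= PROBE_BYTES_PER_PKT
            and pkts_per_flow <= PROBE_PKTS_PER_FLOW):
        return "probe-like"
    return "mixed"


def triage(text):
    """Map port -> (bytes/packet, packets/flow, label)."""
    return {port: (round(octets / packets), round(packets / flows),
                   classify(flows, octets, packets))
            for port, flows, octets, packets in parse_report(text)}


if __name__ == "__main__":
    for port, (bpp, ppf, label) in triage(REPORT).items():
        print(f"port {port:>5}: {bpp:>5} B/pkt {ppf:>4} pkt/flow  {label}")
```

On the quoted rows, port 0 averages about 1346 bytes per packet over about 121 packets per flow, which this heuristic labels bulk rather than probe-like; per-flow records from flow-print would be needed to confirm what the traffic is.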
