Hey everybody,
Here's an email I wrote to some colleagues who are talking to Juniper TAC
in reference to some wacky flows we're seeing. Sanitized for your
protection; the pcap files aren't attached and I've taken out the user IPs.
Mike
PS Tomorrow's my last day at Berkeley (wife's new job is in Atlanta), so
I won't be on the flow-tools list (unless I land in another noc :) ), good
luck and happy netflow hacking
----- Forwarded message from Mike Hunter <[EMAIL PROTECTED]> -----
I have quite a tale on the "zero octet flow" hunt. Attached is a
packet that contains what appears to be the following flow:
#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as
1157051932,336793000,193456970,128.32.1.198,0,0,193060520,193388020,34,0,xxxxxxxxxx,yyyyyyyyyyyyy,128.32.0.58,54,56,0,2816,1,0,0,9,22,3356,25
At first I was very confused, because I found a PDU in an earlier packet
that corresponds to the flow above by matching 16 bytes of timestamp
("first" and "last"). The confusing thing is that wireshark shows non-zero
octets and packet count on that packet. Looking back at the flow-tools
file, I happened upon the following craziness:
% flow-export -f 2 < ft-v05.2006-08-31.120000-0700 | grep xxxxxxxxxx | grep 193388020
1157051892,828496000,193417470,128.32.1.198,21,1176,193060520,193388020,34,0,xxxxxxxxxx,yyyyyyyyyyyyy,128.32.0.58,54,56,0,2816,1,0,0,9,22,3356,25
1157051932,336793000,193456970,128.32.1.198,0,0,193060520,193388020,34,0,xxxxxxxxxx,yyyyyyyyyyyyy,128.32.0.58,54,56,0,2816,1,0,0,9,22,3356,25
What that is is the same flow twice, down to the millisecond, one with
non-zero bytes and octets and one with zero. I finally found the
corresponding zero-byte flow in the trace file. I've attached two
packets, one is the "fake" zero octet flow, the next one is the "real"
one.
And now, a haiku:
netflow ghost packet
follows a sane PDU
evil impostor
Mike
----- End forwarded message -----
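As an added example (not part of Mike's post or of flow-tools), the following script detects the duplicate pattern he describes in `flow-export -f 2` output: a record with zero packets and zero octets that repeats an earlier record's exporter, engine, 5-tuple, interfaces and first/last timestamps. It assumes the 24-field column order shown in the header line above; the sample input is constructed, with the documentation addresses 192.0.2.x and 198.51.100.7 standing in for the redacted user IPs, and two extra records added so that an unrelated TCP flow and an unmatched zero-octet record are also exercised.

```python
"""Flag NetFlow v5 'ghost' records in flow-export -f 2 (CSV) output.

A ghost is a zero-packet, zero-octet record whose flow key and first/last
sysuptime stamps duplicate an earlier non-empty record from the same exporter.
"""
from collections import defaultdict

# Column order of `flow-export -f 2`, taken from the header line in the post.
FIELDS = ("unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,"
          "engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,"
          "dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as").split(",")

NUMERIC = {"unix_secs", "unix_nsecs", "sysuptime", "dpkts", "doctets", "first",
           "last", "engine_type", "engine_id", "input", "output", "srcport",
           "dstport", "prot", "tos", "tcp_flags", "src_mask", "dst_mask",
           "src_as", "dst_as"}

# Fields that must agree for two records to be "the same flow": exporter,
# engine, 5-tuple, interfaces and the router-side timestamps.
KEY = ("exaddr", "engine_type", "engine_id", "srcaddr", "dstaddr", "srcport",
       "dstport", "prot", "input", "output", "first", "last")

# Constructed sample (hypothetical): the real/ghost pair from the post with
# placeholder addresses, plus one unrelated TCP flow and one lone empty record.
SAMPLE = """\
#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as
1157051892,828496000,193417470,128.32.1.198,21,1176,193060520,193388020,34,0,192.0.2.10,198.51.100.7,128.32.0.58,54,56,0,2816,1,0,0,9,22,3356,25
1157051895,100000000,193420000,128.32.1.198,5,400,193100000,193110000,34,0,192.0.2.11,198.51.100.7,128.32.0.58,54,56,443,51000,6,0,27,9,22,3356,25
1157051932,336793000,193456970,128.32.1.198,0,0,193060520,193388020,34,0,192.0.2.10,198.51.100.7,128.32.0.58,54,56,0,2816,1,0,0,9,22,3356,25
1157051940,0,193465000,128.32.1.198,0,0,193200000,193200000,34,0,192.0.2.12,198.51.100.7,128.32.0.58,54,56,0,0,1,0,0,9,22,3356,25
"""


def parse_records(text):
    """Parse flow-export -f 2 lines into dicts; '#' header lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        values = line.split(",")
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line}")
        rec = dict(zip(FIELDS, values))
        for name in NUMERIC:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def flow_key(rec):
    return tuple(rec[f] for f in KEY)


def find_ghosts(records):
    """Return {'ghosts': [(ghost, real), ...], 'orphans': [empty records with no match]}.

    Records are scanned in export order, so a ghost is only matched against a
    non-empty record that was exported before it (as in the post, where the
    real PDU preceded the impostor by 40 seconds).
    """
    seen = defaultdict(list)          # flow key -> non-empty records so far
    ghosts, orphans = [], []
    for rec in records:
        key = flow_key(rec)
        if rec["dpkts"] == 0 and rec["doctets"] == 0:
            if seen[key]:
                ghosts.append((rec, seen[key][-1]))
            else:
                orphans.append(rec)
        else:
            seen[key].append(rec)
    return {"ghosts": ghosts, "orphans": orphans}


def describe(pair):
    ghost, real = pair
    gap = ghost["unix_secs"] - real["unix_secs"]
    return (f"ghost of {real['srcaddr']}->{real['dstaddr']} proto {real['prot']} "
            f"first={real['first']} last={real['last']} exported {gap}s after the "
            f"real record ({real['dpkts']} pkts, {real['doctets']} octets)")


if __name__ == "__main__":
    result = find_ghosts(parse_records(SAMPLE))
    for pair in result["ghosts"]:
        print(describe(pair))
    for rec in result["orphans"]:
        print(f"unmatched zero-octet record from {rec['srcaddr']} at {rec['unix_secs']}")
```

Run it as `flow-export -f 2 < ft-v05.... | python3 ghosts.py` after swapping `SAMPLE` for `sys.stdin.read()`; the orphan list is worth keeping, since a zero-octet record with no earlier twin is a different symptom from the exact duplicate Mike found, and the two should be reported to TAC separately.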
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools