Nikolas,

This page should provide some insight: https://kb.juniper.net/InfoCenter/index?page=content&id=KB5374&actp=search
Regards,
- James

On 2016-10-22 14:10, Nikolaos Milas wrote:
> I am trying to understand something more:
>
> Why do ICMP 3.10 responses appear as sent to port 778 when viewing Port
> Stats?
>
> (Note: I run the following from the nfsen GUI, but I am copying here the
> nfdump-produced commands.)
>
> When I run, for example:
>
> ** nfdump -M /data/nfsen/profiles-data/live/thi -T -R 2016/10/22/nfcapd.201610221320:2016/10/22/nfcapd.201610221325 -c 500
> nfdump filter: ((ident thi) and (OUT IF 32) or (ident thi) and (IN IF 32)) and (src ip 194.177.194.192 )
>
> Date first seen          Event    XEvent  Proto  Src IP Addr:Port       Dst IP Addr:Port        X-Src IP Addr:Port    X-Dst IP Addr:Port  In Byte  Out Byte
> 2016-10-22 13:20:56.088  INVALID  Ignore  ICMP   194.177.194.192:0   -> 171.61.95.78:3.10       0.0.0.0:0          -> 0.0.0.0:0           72       0
> 2016-10-22 13:23:24.724  INVALID  Ignore  TCP    194.177.194.192:80  -> 195.251.37.48:38723     0.0.0.0:0          -> 0.0.0.0:0           563      0
> 2016-10-22 13:23:43.608  INVALID  Ignore  ICMP   194.177.194.192:0   -> 46.201.244.17:3.10      0.0.0.0:0          -> 0.0.0.0:0           68       0
> 2016-10-22 13:25:42.772  INVALID  Ignore  ICMP   194.177.194.192:0   -> 14.177.102.25:3.10      0.0.0.0:0          -> 0.0.0.0:0           144      0
> 2016-10-22 13:26:08.640  INVALID  Ignore  ICMP   194.177.194.192:0   -> 125.138.11.240:3.10     0.0.0.0:0          -> 0.0.0.0:0           68       0
> 2016-10-22 13:26:16.752  INVALID  Ignore  ICMP   194.177.194.192:0   -> 188.254.126.174:3.10    0.0.0.0:0          -> 0.0.0.0:0           88       0
> 2016-10-22 13:26:08.844  INVALID  Ignore  ICMP   194.177.194.192:0   -> 14.177.102.25:3.10      0.0.0.0:0          -> 0.0.0.0:0           144      0
> 2016-10-22 13:26:37.336  INVALID  Ignore  ICMP   194.177.194.192:0   -> 217.160.107.42:3.10     0.0.0.0:0          -> 0.0.0.0:0           472      0
> 2016-10-22 13:26:52.824  INVALID  Ignore  ICMP   194.177.194.192:0   -> 14.177.102.25:3.10      0.0.0.0:0          -> 0.0.0.0:0           72       0
> 2016-10-22 13:27:04.048  INVALID  Ignore  ICMP   194.177.194.192:0   -> 14.177.102.25:3.10      0.0.0.0:0          -> 0.0.0.0:0           144      0
> 2016-10-22 13:28:45.960  INVALID  Ignore  TCP    194.177.194.192:80  -> 140.105.70.47:42150     0.0.0.0:0          -> 0.0.0.0:0           563      0
> 2016-10-22 13:29:24.716  INVALID  Ignore  TCP    194.177.194.192:80  -> 195.251.37.48:38844     0.0.0.0:0          -> 0.0.0.0:0           563      0
> 2016-10-22 13:29:40.084  INVALID  Ignore  ICMP   194.177.194.192:0   -> 89.40.165.184:3.10      0.0.0.0:0          -> 0.0.0.0:0           72       0
>
> Summary: total flows: 13, total bytes: 3033, total packets: 28, avg bps: 46, avg pps: 0, avg bpp: 108
> Time window: 2016-10-22 13:14:58 - 2016-10-22 13:29:57
> Total flows processed: 34879, Blocks skipped: 0, Bytes read: 2232512
> Sys: 0.009s flows/second: 3488597.7 Wall: 0.009s flows/second: 3851479.7
>
> But when I produce destination port stats (for the same time range):
>
> ** nfdump -M /data/nfsen/profiles-data/live/thi -T -R 2016/10/22/nfcapd.201610221320:2016/10/22/nfcapd.201610221325 -n 50 -s dstport/flows
> nfdump filter: ((ident thi) and (OUT IF 32) or (ident thi) and (IN IF 32)) and (src ip 194.177.194.192)
>
> Top 50 Dst Port ordered by flows:
> Date first seen          Duration  Proto  Dst Port  Flows(%)   Packets(%)  Bytes(%)     pps  bps     bpp
> 2016-10-22 13:20:56.088  523.996   any    778       10(76.9)   13(46.4)    1344(44.3)   0    20      103
> 2016-10-22 13:28:45.960  0.136     any    42150     1( 7.7)    5(17.9)     563(18.6)    36   33117   112
> 2016-10-22 13:29:24.716  0.012     any    38844     1( 7.7)    5(17.9)     563(18.6)    416  375333  112
> 2016-10-22 13:23:24.724  0.012     any    38723     1( 7.7)    5(17.9)     563(18.6)    416  375333  112
>
> Summary: total flows: 13, total bytes: 3033, total packets: 28, avg bps: 46, avg pps: 0, avg bpp: 108
> Time window: 2016-10-22 13:14:58 - 2016-10-22 13:29:57
> Total flows processed: 34879, Blocks skipped: 0, Bytes read: 2232512
> Sys: 0.009s flows/second: 3488597.7 Wall: 0.007s flows/second: 4668585.2
>
> Even if I explicitly request ICMP traffic, it still shows dst port 778:
>
> ** nfdump -M /data/nfsen/profiles-data/live/thi -T -R 2016/10/22/nfcapd.201610221320:2016/10/22/nfcapd.201610221325 -n 50 -s dstport/flows
> nfdump filter: ((ident thi) and (OUT IF 32) or (ident thi) and (IN IF 32)) and (src ip 194.177.194.192 and proto icmp)
>
> Top 50 Dst Port ordered by flows:
> Date first seen          Duration  Proto  Dst Port  Flows(%)   Packets(%)  Bytes(%)     pps  bps     bpp
> 2016-10-22 13:20:56.088  523.996   any    778       10(100.0)  13(100.0)   1344(100.0)  0    20      103
>
> Summary: total flows: 10, total bytes: 1344, total packets: 13, avg bps: 20, avg pps: 0, avg bpp: 103
> Time window: 2016-10-22 13:14:58 - 2016-10-22 13:29:57
> Total flows processed: 34879, Blocks skipped: 0, Bytes read: 2232512
> Sys: 0.009s flows/second: 3488597.7 Wall: 0.007s flows/second: 4793046.6
>
> (I'm posting in HTML to help preserve formatting.)
>
> Can anyone explain this behavior?
>
> Thanks,
> Nick
>
> On 22/10/2016 12:25 AM, Nikolaos Milas wrote:
> >
> > Thank you guys, for your prompt help.
> >
> > Now it makes sense!
> >
> > Cheers,
> > Nick
> >
> > On 21/10/2016 10:38 PM, Alan Whinery wrote:
> >
> >> Because when describing ICMP, various software have a custom of
> >> co-opting the port number (since ICMP doesn't have port numbers) to show
> >> the type.code of the ICMP packet.
> >> 3.10 presumably means type 3, code 10, so destination unreachable, Host
> >> administratively prohibited.
> >>
> >> https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#ICMP_datagram_structure
> >>
> >> On 10/21/2016 8:16 AM, Nikolaos Milas wrote:
> >>> Hello,
> >>>
> >>> I am recording a number of flows of the form:
> >>>
> >>> Date first seen          Event    XEvent  Proto  Src IP Addr:Port      Dst IP Addr:Port     X-Src IP Addr:Port    X-Dst IP Addr:Port  In Byte  Out Byte
> >>> 2016-10-21 20:58:51.700  INVALID  Ignore  ICMP   194.177.194.192:0  -> 183.7.119.26:3.10    0.0.0.0:0          -> 0.0.0.0:0           68       0
> >>>
> >>> What is the meaning of these flows please?
> >>>
> >>> Why is the source port 0 and the destination port 3.10?
> >>>
> >>> I cannot understand.
> >>>
> >>> Please help.
> >>>
> >>> Thanks,
> >>> Nick
> >>>
> >>> ------------------------------------------------------------------------------
> >>> Check out the vibrant tech community on one of the world's most
> >>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> >>> _______________________________________________
> >>> Nfsen-discuss mailing list
> >>> [email protected]
> >>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
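An added example, not code from nfdump/nfsen or from anyone in the thread, that works through the arithmetic behind the question above. It assumes the flow exporter packs an ICMP flow's type and code into the 16-bit destination-port field as type*256 + code, which is what the two listings show (3*256 + 10 = 778): the flow listing renders that field as "type.code", while the -s dstport statistics print the raw packed value. The function names, the trimmed record format and the sample records (constructed from the 13 flows in the listing above) are all assumptions made for the example.

```python
"""Decode nfdump-style ICMP "ports" and reproduce the dst-port roll-up.

Example code, not part of nfdump/nfsen.  Assumption: the exporter stores an
ICMP flow's type and code in the dst-port field as type*256 + code, so the
"3.10" of the flow listing and the 778 of the port statistics are one value.
"""
import re
from collections import defaultdict

# Well-known type/code pairs (RFC 792 / RFC 1812 names); (3, 10) is the one
# discussed in the thread.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 10): "destination unreachable: host administratively prohibited",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL exceeded in transit",
}


def icmp_to_port(icmp_type: int, icmp_code: int) -> int:
    """Pack type/code the way the exporter fills the dst-port field."""
    if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
        raise ValueError("ICMP type and code are single bytes")
    return icmp_type * 256 + icmp_code


def port_to_icmp(port: int) -> tuple[int, int]:
    """Inverse of icmp_to_port: 778 -> (3, 10)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("the port field is 16 bits")
    return port >> 8, port & 0xFF


def describe_icmp_port(port: int) -> str:
    """Human-readable meaning of a packed ICMP 'port' seen in port stats."""
    t, c = port_to_icmp(port)
    return f"ICMP type {t} code {c} ({ICMP_NAMES.get((t, c), 'unlisted type/code')})"


# Constructed sample: the 13 flows from the listing above, reduced to
# timestamp, protocol, src:port -> dst:port and input bytes (hypothetical layout).
SAMPLE_RECORDS = """
2016-10-22 13:20:56.088 ICMP 194.177.194.192:0  -> 171.61.95.78:3.10      72
2016-10-22 13:23:24.724 TCP  194.177.194.192:80 -> 195.251.37.48:38723    563
2016-10-22 13:23:43.608 ICMP 194.177.194.192:0  -> 46.201.244.17:3.10     68
2016-10-22 13:25:42.772 ICMP 194.177.194.192:0  -> 14.177.102.25:3.10     144
2016-10-22 13:26:08.640 ICMP 194.177.194.192:0  -> 125.138.11.240:3.10    68
2016-10-22 13:26:16.752 ICMP 194.177.194.192:0  -> 188.254.126.174:3.10   88
2016-10-22 13:26:08.844 ICMP 194.177.194.192:0  -> 14.177.102.25:3.10     144
2016-10-22 13:26:37.336 ICMP 194.177.194.192:0  -> 217.160.107.42:3.10    472
2016-10-22 13:26:52.824 ICMP 194.177.194.192:0  -> 14.177.102.25:3.10     72
2016-10-22 13:27:04.048 ICMP 194.177.194.192:0  -> 14.177.102.25:3.10     144
2016-10-22 13:28:45.960 TCP  194.177.194.192:80 -> 140.105.70.47:42150    563
2016-10-22 13:29:24.716 TCP  194.177.194.192:80 -> 195.251.37.48:38844    563
2016-10-22 13:29:40.084 ICMP 194.177.194.192:0  -> 89.40.165.184:3.10     72
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<proto>[A-Z]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>[\d.]+)\s+"
    r"(?P<bytes>\d+)\s*$"
)


def parse_record(line: str) -> dict:
    """Parse one flow line; an ICMP 'type.code' becomes the packed integer dport."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["bytes"] = int(rec["bytes"])
    if rec["proto"] == "ICMP":
        t, c = (int(x) for x in rec["dport"].split("."))
        rec["icmp"] = (t, c)
        rec["dport"] = icmp_to_port(t, c)
    else:
        rec["icmp"] = None
        rec["dport"] = int(rec["dport"])
    return rec


def dstport_stats(text: str) -> dict[int, tuple[int, int, frozenset]]:
    """Roll flows up by destination port, as 'nfdump -s dstport/flows' does.
    Returns port -> (flows, bytes, protocols seen) so 778 can be recognised as ICMP."""
    flows = defaultdict(int)
    nbytes = defaultdict(int)
    protos = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        flows[rec["dport"]] += 1
        nbytes[rec["dport"]] += rec["bytes"]
        protos[rec["dport"]].add(rec["proto"])
    return {p: (flows[p], nbytes[p], frozenset(protos[p])) for p in flows}


if __name__ == "__main__":
    stats = dstport_stats(SAMPLE_RECORDS)
    for port, (n, b, seen) in sorted(stats.items(), key=lambda kv: -kv[1][0]):
        note = describe_icmp_port(port) if seen == {"ICMP"} else "transport-layer port"
        print(f"dst port {port:>5}  flows {n:>2}  bytes {b:>5}  {note}")
```

Run as a script, the ten ICMP flows roll up under 778 with 1344 bytes, matching the -s dstport output in the thread, and the three TCP flows stay on their real ports. The port statistics alone print "any" for the protocol, so the roll-up keeps the set of protocols seen per port: only when that set is just ICMP is the number decoded as type/code rather than looked up as a TCP or UDP service.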
