Hmm .. difficult to tell. Nfdump only displays what it gets from the exporter. Whether the packet is fragmented or if the ports are simply set to 0 could only be distinguished when looking at the DF flag in the IP header. nfpcapd sets this flag, but most likely sfcapd does not. I need to check if this could be added.
We collect data from our routers/switches with sflow. Sometimes TCP or UDP packets with src and dst port both set to 0 occur, and as far as I can currently see, these are indistinguishable from non-initial fragments in nfdump records.
Am I missing something? If not, is there any way to improve this situation, as when analysing e.g. DoS traffic, being able to distinguish between src&dst port 0, vs fragments, is very useful.
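An added example (not from this thread, and not nfdump or sfcapd code): assuming the raw IPv4 header bytes of a sampled packet are available, the fragment offset and MF bit separate a real port 0/0 packet from a non-initial fragment, which carries no TCP/UDP header at all. The function names, result labels and sample packets are constructed for illustration.

```python
import struct

def classify_ipv4(pkt: bytes) -> str:
    """Classify a sampled packet, given bytes starting at the IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return "truncated"
    (flags_frag,) = struct.unpack_from("!H", pkt, 6)
    more_fragments = bool(flags_frag & 0x2000)  # MF bit
    frag_offset = flags_frag & 0x1FFF           # in units of 8 bytes
    if frag_offset != 0:
        # Payload continues an earlier fragment: there are no ports to read.
        return "non-initial-fragment"
    if pkt[9] not in (6, 17):                   # only TCP and UDP carry ports here
        return "other-protocol"
    if len(pkt) < ihl + 4:
        return "truncated"
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    kind = "initial-fragment" if more_fragments else "unfragmented"
    return kind + "-port0" if sport == 0 and dport == 0 else kind

def build_ipv4(proto: int, flags_frag: int, payload: bytes) -> bytes:
    """Constructed test packet: 20-byte header, checksum left at 0 (not verified)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + payload

# Constructed samples (documentation address ranges, made-up payloads).
SAMPLES = {
    "udp_port0": build_ipv4(17, 0x0000, struct.pack("!HHHH", 0, 0, 8, 0)),
    "udp_later_fragment": build_ipv4(17, 0x00B9, b"\x00" * 8),
    "udp_first_fragment": build_ipv4(17, 0x2000, struct.pack("!HHHH", 53, 4444, 8, 0)),
    "tcp_df_set": build_ipv4(6, 0x4000, struct.pack("!HH", 443, 51000)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} {classify_ipv4(pkt)}")
```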