Hi

Thanks for the response. There are lots of different source ports, all above 10,000 (e.g. 42628, 42927, 39050). It is always two Red Hat machines generating the traffic; can't be 100% sure due to the sampling, but pretty sure the capture has been running for 24 hours or so. It is always the same destination servers, and in normal operations these source and destination hosts do have a bunch of legitimate flows between them.

I was leaning towards it being a reporting artifact, but it's interesting that there are a whole set of ACK/RST packets from the destination hosts with a source port of 0 also. Does this not indicate that it probably isn't a reporting artifact? Maybe I need to set up collectors and SPAN ports on all the switches involved to get to the bottom of this. Just feeling like we need to look at *all* the packets, not the sample!

Regards,
MH

________________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Roland Dobbins <rdobbins@arbor.net>
Sent: 17 June 2015 10:07
To: nanog@nanog.org
Subject: Re: Flows with destination port 0 and TCP SYN flag set

On 17 Jun 2015, at 10:44, Maqbool Hashim wrote:
It was stated in that thread that netflow reports source/dest port 0 for non-initial fragments.
Fragmentation in this context only applies to UDP packets. If the destination of a TCP SYN is being reported as 0 (what's the source port?), either it's a reporting artifact of some kind or in fact a SYN destined to TCP/0 (we see this with SYN-floods, sometimes, as well as with attacks attempting to bypass ACL/firewall rules and related to compromise).

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
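As an added example (not code from the thread), a small Python classifier over constructed NetFlow-style records that separates the port-0 cases discussed above: non-initial fragments (no transport header, so the exporter reports 0), TCP SYNs to destination port 0, and RST/ACK replies from source port 0; `correlate` pairs each SYN with a reverse reply, which is the check that would argue against a pure reporting artifact. The `Flow` fields, including `frag_offset`, are assumed to be available from the exporter (NetFlow v9/IPFIX can carry a fragment offset; this is an assumption about the collector, not something the thread states).

```python
from collections import Counter
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10   # tcpFlags bits in NetFlow v5/v9
TCP, UDP = 6, 17

@dataclass(frozen=True)
class Flow:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    tcp_flags: int    # OR of TCP flags seen over the sampled packets
    frag_offset: int  # >0 = non-initial fragment, no L4 header visible

def classify(f: Flow) -> str:
    """Label a record so the port-0 cases can be told apart."""
    if f.src_port and f.dst_port:
        return "normal"
    if f.frag_offset > 0:
        return "non-initial-fragment"      # exporter cannot see ports
    if f.proto == TCP and f.dst_port == 0 and f.tcp_flags & SYN:
        return "tcp-syn-to-port-0"         # real SYN to TCP/0, or a bug
    if f.proto == TCP and f.src_port == 0 and f.tcp_flags & RST:
        return "tcp-rst-from-port-0"       # the RST/ACK replies
    return "port-0-other"

def correlate(flows):
    """SYN-to-port-0 records answered by a RST/ACK from port 0 on the
    destination: the host really saw a segment on TCP/0, which argues
    against a pure reporting artefact."""
    rsts = {(r.dst_ip, r.dst_port, r.src_ip) for r in flows
            if classify(r) == "tcp-rst-from-port-0"}
    return [s for s in flows if classify(s) == "tcp-syn-to-port-0"
            and (s.src_ip, s.src_port, s.dst_ip) in rsts]

def summarize(flows):
    return Counter(classify(f) for f in flows)

# Constructed sample records (assumed addresses), not from the thread.
SAMPLE = [
    Flow(UDP, "10.0.0.5", "10.0.1.9", 51000, 53, 0, 0),
    Flow(UDP, "10.0.0.5", "10.0.1.9", 0, 0, 0, 185),
    Flow(TCP, "10.0.0.5", "10.0.1.9", 42628, 0, SYN, 0),
    Flow(TCP, "10.0.1.9", "10.0.0.5", 0, 42628, RST | ACK, 0),
    Flow(TCP, "10.0.0.7", "10.0.1.9", 39050, 0, SYN, 0),
]
```

Running `summarize(SAMPLE)` gives one record per label except two SYNs to port 0, and `correlate(SAMPLE)` returns only the SYN that has a matching RST/ACK from port 0.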