nanog mailing list archives

Re: Fkiws with destination port 0 and TCP SYN flag set

From: Marcin Cieslak <saper () saper info>
Date: Wed, 17 Jun 2015 09:30:47 +0000

On Wed, 17 Jun 2015, Maqbool Hashim wrote:

It is always the same destination servers and in normal operations
these source and destination hosts do have a bunch of legitimate flows
between them.  I was leaning towards it being a reporting artifact,
but it's interesting that there are a whole set of Ack Reset packets
from the destination hosts with a source port of 0 also.


So the destination host is sending ACK+RST with the *source* port
set to zero, or the *destination* port?

Does this not indicate that it probably isn't a reporting artifact?


I would just tcpdump on one of the source machines to find out.

~Marcin

Current thread:

Fkiws with destination port 0 and TCP SYN flag set Maqbool Hashim (Jun 17)
- Re: Fkiws with destination port 0 and TCP SYN flag set Roland Dobbins (Jun 17)
  - Re: Fkiws with destination port 0 and TCP SYN flag set Maqbool Hashim (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Marcin Cieslak (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Maqbool Hashim (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Pavel Odintsov (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Maqbool Hashim (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Pavel Odintsov (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Roland Dobbins (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Maqbool Hashim (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Maqbool Hashim (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Roland Dobbins (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Mark Milhollan (Jun 17)
    - Re: Fkiws with destination port 0 and TCP SYN flag set Maqbool Hashim (Jun 17)

(Thread continues...)