Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
682
Views
0
Helpful
3
Replies

0 Bytes packets seen on pix.

anand_prakash1
Level 1
Level 1

‎02-05-2006 09:11 PM - edited ‎02-21-2020 12:41 AM

I am seeing lot of 0 Bytes packets in 'Show connections" output of the pix.

Servers behind pix are internet web servers and firewall is internet firewall.

I belive 0 Bytes packets are threat, but not sure whether the packets are sent by the servers to the outside world or it is recieveing these 0 Bytes packets.

Few lines of "show conn | inc Bytes "

ntf01# sh conn | inc Bytes 0

TCP out 148.104.5.2:10714 in x.x.171.166:80 idle 0:04:30 Bytes 0 flags U

TCP out 64.8.58.90:12419 in x.x.171.166:80 idle 0:34:02 Bytes 0 flags U

TCP out 71.98.79.104:61346 in x.x.171.166:80 idle 0:14:24 Bytes 0 flags U

TCP out 64.8.58.90:12239 in x.x.171.166:80 idle 0:33:12 Bytes 0 flags U

TCP out 208.141.82.4:15729 in x.x.171.167:80 idle 0:23:35 Bytes 0 flags UB

TCP out 128.122.92.235:1343 in x.x.171.166:80 idle 0:01:58 Bytes 0 flags aB

TCP out 209.208.224.72:25 in x.x.133.178:3032 idle 0:01:26 Bytes 0 flags saA

TCP out 172.16.1.170:5024 in x.x.133.254:9369 idle 0:01:49 Bytes 0 flags saA

0 Helpful
3 Replies 3

pkhatri
Level 11
Level 11

‎02-05-2006 09:32 PM

HI Anand,

Connections that are initiated from the outside will be displayed with a "B" flag. In the output you have given, only two of the connections have the B flag. The rest of them have been initiated from your inside hosts.

Hope that helps - pls rate the post if it does.

Paresh

0 Helpful

anand_prakash1
Level 1
Level 1
In response to pkhatri

‎02-06-2006 01:48 AM

Hi Paresh,

I run capture on the interface on which servers showing U flag are connected, but the capture shows the first SYN from outside host.There are no initial SYN seen on firewall interface from server.

0 Helpful

rsommer
Level 1
Level 1

‎02-06-2006 02:04 PM

That doesn't indicate 0 byte packets - which would be impossible. It does indicate how many bytes have been transferred over that established (or even "un-established" saA) connection. Get used to understanding the direction of your traffic (see link below).

I also recommend you get familiar with syslog - instead of using the cli to analyze connections - as it can be frustrating trying to keep track of those that open and close often and quickly.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1187542

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card