Null Traffic in sh ip cache flow

irshad.saifi
Level 1

Hi,

When I run show ip cache flow on my router,

it shows a lot of Null traffic from internal and external IPs.

What is Null traffic? Is this traffic considered virus-affected traffic?

Thanks


mark.mcsherry
Level 1

Hello,

I've checked on my router here and I can't see what you mean.

Do you mean that you're seeing the destination as Null0?

In this case, you might have policy routing or similar configured to route certain traffic to Null0.

If you could paste a bit of the output, highlighting the issue, it would help a bit.

Cheers,

Mark

Hi Mark,

Thanks for the answer.

Yeah, the destination is Null.

PFA some output:

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Vl232 172.16.232.99 Null 172.16.232.255 11 008A 008A 1
Vl232 207.46.156.188 Null 172.16.89.50 06 0050 08EB 3
Vl88 172.16.88.121 Null 217.20.115.147 06 0BA8 1A0B 3
Vl90 172.16.90.163 Null 63.246.146.121 06 11F0 0FA0 2
Vl90 172.16.90.163 Null 63.246.146.121 06 11EE 0FA0 2
Vl91 172.16.91.116 Null 172.40.40.16 11 0089 0089 3
Vl89 172.16.89.110 Null 172.16.89.255 11 0089 0089 60
Vl89 172.16.89.50 Null 172.16.89.255 11 1D4C 1D4C 1
Vl89 172.16.89.43 Null 63.246.146.121 06 0472 0FA0 2
Vl88 172.16.88.235 Null 217.20.115.147 06 0F67 1A0B 2
Vl89 172.16.89.22 Null 172.16.89.255 11 0089 0089 1
Vl88 172.16.88.235 Null 217.20.115.147 06 0F64 1A0B 3
Vl89 172.16.89.43 Null 63.246.146.121 06 047B 0FA0 1
Vl89 172.16.89.51 Null 230.0.0.2 11 0000 0000 938
Vl89 172.16.89.43 Null 63.246.146.121 06 0479 0FA0 2

Please let me know about it at the earliest, if possible.

Thanks

marikakis
Level 7

Null0 is a logical interface.

Traffic destined to it is discarded by the router.

You probably have ACLs in place that deny the particular IPs.

(Or static routes to Null0.)

M.

In the following, I assume you're using a 255.255.255.0 subnet mask on the subnets…

Think of destination interface Null0 as the "black hole" for network traffic on a router: traffic goes in, but it doesn't come out. It just disappears. So throw anything you don't want into that interface.

Some of the traffic flows you sampled are just background broadcast noise on the attached interfaces. Specifically, Microsoft Networking clients broadcasting periodically on their respective subnets. Note the destination IPs ending in .255; and protocol 11 in hexadecimal, or 17 in decimal, which is UDP; and source port and destination port 0089 hex (137 decimal) or 008A hex (138 decimal) on the subnet. The router hears these broadcasts, but if there's no "IP helper-address" on the router interface (or if there is, but "no ip forward-protocol udp" commands are elsewhere in the router config to keep NETBIOS broadcasts from propagating outside each subnet) then the router does not forward them.

There's another UDP broadcast listed on your VLAN 89 going to port 7500 decimal (1D4C hex). Not sure what that service is; but since it's a UDP broadcast and "IP helper-address" probably isn't set up to pass it outside of the local subnet, it gets dumped into Null0.

Two different hosts on your VLAN 88 (hosts 172.16.88.121 and .235) are both trying to access TCP port 6667 decimal (1A0B hex) on destination IP address 217.20.115.147. Most likely an ACL is blocking access to that service, whatever it is. This blocking could appear as sending traffic to destination Null0.

Similarly, two hosts on neighboring subnets, 172.16.89.43 and 172.16.90.163, are both trying to access TCP port 4000 decimal (0FA0 hex) on destination IP address 63.246.146.121. Most likely an ACL is blocking access to that service too, whatever it is. Again, the denied traffic is disposed of by sending it to Null0.

On your VLAN 91, I'm guessing here: it looks like either there is an "IP helper-address" pointing to host 172.40.40.16 (address ends in an even number, not odd, so it's not a broadcast) but maybe a "no ip forward-protocol udp" command is blocking forwarding of UDP port 137 traffic; or, there's an ACL blocking that kind of traffic from your VLAN 91 host (172.16.91.116) to that destination IP address on that UDP port number. This kind of ACL might be in place to keep worm- or virus-infected computers from finding UDP 137 hosts that they might be able to compromise. Or maybe it's a probe of an IP address or subnet that doesn't exist on your network, and got dumped to Null0.

Looks like VLAN 232 had some HTTP traffic blocked (TCP port 80 decimal, 0050 hex), probably by an ACL.

And IP multicast routing is possibly not enabled on your network, because that one strange-looking IP destination address, 230.0.0.2, is not a Class A, B, or C network number: it's Class D (224.*.*.* to 239.*.*.*), which is for IP Multicast.

Let me know if any of this makes sense to you. (It's late here, and I'm rambling.)
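The reply above walks the flow rows by hand: hex protocol and port fields, .255 subnet broadcasts, NetBIOS ports, Class D multicast, and everything else as probable ACL denies. The following is an added example, not code from this thread or from Cisco, that applies the same reading to rows copied from the posted output; like the reply, it assumes /24 subnets, and the labels it emits are the example's own wording.

```python
import ipaddress
from collections import Counter

# Rows copied from the "show ip cache flow" output posted in this thread.
SAMPLE_FLOWS = """\
Vl232 172.16.232.99 Null 172.16.232.255 11 008A 008A 1
Vl89 172.16.89.110 Null 172.16.89.255 11 0089 0089 60
Vl89 172.16.89.50 Null 172.16.89.255 11 1D4C 1D4C 1
Vl88 172.16.88.121 Null 217.20.115.147 06 0BA8 1A0B 3
Vl89 172.16.89.51 Null 230.0.0.2 11 0000 0000 938
Vl232 207.46.156.188 Null 172.16.89.50 06 0050 08EB 3
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services


def parse_flow(line):
    """Split one output row; IOS prints protocol and ports in hex."""
    src_if, src, dst_if, dst, pr, sp, dp, pkts = line.split()
    return {"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": PROTO_NAMES.get(int(pr, 16), pr),
            "sport": int(sp, 16), "dport": int(dp, 16), "pkts": int(pkts)}


def classify(flow, prefix_len=24):
    """Label why a flow plausibly ended on Null0 (assumes /24 subnets, as the reply does)."""
    dst = ipaddress.ip_address(flow["dst"])
    if dst.is_multicast:  # Class D, 224/4
        return "multicast, routing likely not enabled"
    subnet = ipaddress.ip_network(f"{flow['src']}/{prefix_len}", strict=False)
    if dst == subnet.broadcast_address:  # directed broadcast of the source's own subnet
        if flow["proto"] == "udp" and flow["dport"] in NETBIOS_PORTS:
            return "netbios broadcast, not forwarded"
        return f"{flow['proto']}/{flow['dport']} broadcast, not forwarded"
    return f"{flow['proto']} {flow['sport']}->{flow['dport']} likely denied by ACL"


def summarize(text):
    """Return (per-row (dst, label) pairs, packet totals per label) for a block of rows."""
    labels, totals = [], Counter()
    for line in text.splitlines():
        if not line.strip() or line.startswith("SrcIf"):
            continue  # skip the header row and blank lines
        flow = parse_flow(line)
        label = classify(flow)
        labels.append((flow["dst"], label))
        totals[label] += flow["pkts"]
    return labels, totals
```

Packet totals per label make it quick to see that the bulk of the Null0 volume in this sample is multicast and NetBIOS chatter rather than the ACL-denied connections.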

Thanks a lot for this wonderful explanation.

Yes, it makes sense.

So what I understand from your explanation is that most of my traffic is being blocked by an ACL (yes, I have implemented that, e.g. for 137 etc.) and it's sending that traffic to Null0.

One thing here: I had seen a lot of traffic from one or two hosts, and when I ran the sniffer I found that it was sending traffic towards port 135, which was degrading the performance of my network.

After blocking this port for specific PCs and scanning those PCs, the network traffic became normal.

As per the Cisco documentation, NetFlow can tell us the port number also, but it doesn't.

So basically the Null interface is nothing but an interface where unwanted traffic goes.

Thanks again.