Unknow traffic - port 0000

gtuhindhaka · ‎11-30-2008

Dear sir,

We are getting the following traffic in some of our routers. When i give "show ip cache flow" i get the following out put.

================

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Fa0 203.76.99.22 Local 172.17.54.10 01 0000 0800 1

Fa1 10.222.8.6 Local 10.222.8.94 2F 0000 0000 10

Fa1 192.168.0.36 Null 192.168.0.255 11 0089 0089 10

Fa1 192.168.0.4 Null 192.168.0.255 11 0089 0089 2

Fa1 10.222.8.90 Local 10.222.8.94 2F 0000 0000 368

Fa1 10.222.8.6 Local 10.222.8.94 2F 0000 0000 61

Fa0 172.17.50.2 Local 172.17.54.10 2F 0000 0000 301

Fa1 192.168.81.16 Null 192.168.81.255 11 0089 0089 268

Fa1 192.168.81.33 Null 192.168.81.255 11 0089 0089 3

Fa0 172.17.50.2 Local 172.17.54.10 2F 0000 0000 4543

Fa0 172.17.50.2 Local 172.17.54.10 32 0B42 7CFF 1080

============================

Could you please tell me someone what sort of traffic is these which source and destination port is 0000 and 0000.

And interestingly its happening between WAN ip addresses.

Sometime it consume hudge traffic and our link become slow.

Could you please help me.

Regards,

Tuhin

BD.

Richard Burts · ‎11-30-2008

BD

I believe that the key to understanding this is to look at the protocol field. The protocol is 2F (hex) which is 47 (decimal). Protocol 47 is GRE. And since GRE does not use the concept of source port or destination port the port fields are left as 0000.

And since it is GRE traffic it is reasonable that the source and destination addresses would be WAN ip addresses.

HTH

Rick

HTH

Rick

milan.kulik · ‎12-03-2008

Hi,

looking to the Protocol field, I see:

01 - ICMP (RFC 1340), so I guess Dst 0800 means ICMP Echo Request (Ping)

2F - GRE (RFC 1702), so no Ports used and 0 value filled.

BR,

Milan