Re: Fkiws with destination port 0 and TCP SYN flag set

[Maqbool Hashim <maqbool () madbull info>]

Hi,

The destination host is sending an ACK+RST with the source port set to zero.  The destination IP is always one of the 
two hosts that are generating the SYN packets with a destination port of 0.  The destination port however is hard to 
match up to a source port in the original SYN packet due to the fact that we don't have all the packets.

It's actually going to be difficult to get the access and procedural sign off etc. to run tcpdump on the machines 
involved.  What might be easier is to set up a span port for the hosts access port on the switch and grab that via the 
collector laptop I have.

Thanks,

MH

________________________________________
From: Marcin Cieslak <saper () saper info>
Sent: 17 June 2015 10:30
To: Maqbool Hashim
Cc: nanog () nanog org
Subject: Re: Fkiws with destination port 0 and TCP SYN flag set

On Wed, 17 Jun 2015, Maqbool Hashim wrote:

> It is always the same destination servers and in normal operations
> these source and destination hosts do have a bunch of legitimate flows
> between them.  I was leaning towards it being a reporting artifact,
> but it's interesting that there are a whole set of Ack Reset packets
> from the destination hosts with a source port of 0 also.

So the destination host is sending ACK+RST with the *source* port
set to zero, or the *destination* port?

> Does this not indicate that it probably isn't a reporting artifact?

I would just tcpdump on one of the source machines to find out.

~Marcin