PaulDotCom mailing list archives
TCP protocol decimal type 210
From: dale at puredistortion.com (Dale Stirling)
Date: Tue, 23 Jun 2009 09:01:05 +1000
Sorry I have not been very clear. Jim is correct: it is the protocol type that I am talking about and not the port that is where the traffic is. Also the traffic is all inbound to the server. I am yet to catch the traffic in a packet capture, as the client noticed usage and all I had as a source of data history was our Netflow data, so I have pulled this apart as much as I can and found this traffic running with the IP protocol type defined as 210.

Since my first email I did a comparison using flow-nfilter and flow-stat on the Netflow data that we have and found that there was an identical amount of packets between this data and UDP type traffic. Also all of the traffic is on one port. The flow-stat summaries are below.

IP protocol type report:

# --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   Descending Field 3
# Name:      IP protocol
#
# Args:      flow-stat -f12 -S3
#
#
# protocol  flows  octets      packets
#
210         1      3832009226  1864449664
17          1      828887562   1864449664

UDP traffic by port report:

# --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   Descending Field 3
# Name:      UDP/TCP destination port
#
# Args:      flow-stat -f5 -S3
#
#
# port   flows  octets     packets
#
56602    1      828887562  1864449664

That is the update. I know it would be best to have a pcap of the data, but at this time I have been unable to see this occurring again and have monitoring on my Netflow data to notify me of this traffic occurring again. Also I have checked the process tree and also the log files looking for events of interest, but at this time I have not been able to find any Events of Interest or processes that do not belong.

Any advice would be great. I may just have to firewall it with our client's permission and see what happens?

Dale

Which I looking on

On Mon, Jun 22, 2009 at 8:26 PM, Jim Halfpenny <jim.halfpenny at gmail.com> wrote:
I looked at this first, but then thought that Dale was referring to the IP protocol type defined in the IP packet header and not the 210/8 IPv4 network. Perhaps Dale can clarify?

Jim

2009/6/22 Michael McGrew <mmcgrew1 at mail.csuchico.edu>

210. seems allocated to me. http://www.iana.org/assignments/ipv4-address-space/ lists it as allocated. Proven by some nmap pings:

nmap -sP -vvvv 210.214.208.0/24
Host segment-210-214-208-249.maa.sify.net (210.214.208.249) is up (0.27s latency).
Host segment-210-214-208-250.maa.sify.net (210.214.208.250) is up (0.27s latency).

So there are some boxes out there on 210. If you don't mind, what is the full IP? Can you do some more research and find out what port it's using? Or run some tcpdump against it.

On Sun, Jun 21, 2009 at 10:33 PM, Dale Stirling <dale at puredistortion.com> wrote:

Hi All,

I have a box that is routinely using in excess of 4GB a day in traffic in from the internet. I have identified that the traffic is coming to the box via an IP Protocol number I have never seen before: 210. I have done some searching on the Internet and have only been able to find that this number is in the unassigned block of protocol numbers with IANA. I am stuck, so I thought I would throw it out to the smartest group of people I know, the PDC Mailing list (I heard flattery works well), to see if anyone has seen this before.

Cheers,
Dale

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
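The flow-stat reports Dale pasted can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from flow-tools: it parses flow-stat style report text (the sample rows below are constructed to mirror the thread's two reports), flags protocol numbers outside an assumed allowlist for the host, flags rows where the octet count is too small for the packet count to describe real IPv4 traffic, and notes protocol rows whose packet total matches a row in the port report. The allowlist and the 20-octet floor are assumptions for this example.

```python
# Added example (not from the thread or flow-tools): sanity-check flow-stat
# reports the way a defender would before deciding what a protocol-210 row means.

# Assumption: the protocols this server is expected to see. Anything else
# (for instance 210) is flagged for a closer look.
EXPECTED_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}
MIN_IP_PACKET_OCTETS = 20  # an IPv4 header alone is 20 octets; less is impossible

# Constructed samples mirroring the two reports in the thread.
PROTOCOL_REPORT = """\
# --- ---- ---- Report Information --- --- ---
# Args:      flow-stat -f12 -S3
# protocol  flows  octets      packets
210         1      3832009226  1864449664
17          1      828887562   1864449664
"""
PORT_REPORT = """\
# Args:      flow-stat -f5 -S3
# port   flows  octets     packets
56602    1      828887562  1864449664
"""

def parse_flow_stat(text):
    """Return {key: (flows, octets, packets)} from a flow-stat text report."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # report header / comment lines
        fields = line.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields):
            continue  # ignore anything that is not a 4-column numeric row
        key, flows, octets, packets = map(int, fields)
        rows[key] = (flows, octets, packets)
    return rows

def find_anomalies(proto_rows, port_rows, expected=EXPECTED_PROTOCOLS):
    """Return a list of (kind, protocol, detail) findings across both reports."""
    findings = []
    port_by_packets = {pk: port for port, (_, _, pk) in port_rows.items()}
    for proto, (flows, octets, packets) in proto_rows.items():
        if proto not in expected:
            findings.append(("unexpected_protocol", proto, octets))
        # Fewer than 20 octets per packet cannot have come off the wire: it
        # points at a wrapped counter or a broken export, not at real traffic.
        if packets and octets / packets < MIN_IP_PACKET_OCTETS:
            findings.append(("implausible_octets_per_packet", proto, round(octets / packets, 2)))
        # A protocol row whose packet total equals a port-report row is worth
        # cross-checking before treating the two as independent traffic.
        if packets in port_by_packets:
            findings.append(("packet_count_matches_port", proto, port_by_packets[packets]))
    return findings
```

Run against the thread's numbers, both rows trip the octets-per-packet check, which is a reason to distrust the counters in that export before drawing conclusions about 4GB a day.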