It’s been a while since I’ve followed this list,
but I’ve checked the archives and have only found things that I’ve
I’ve come across a problem that I’m trying to
narrow down. Allow me to explain:
We are supposed to have an Intrusion Protection System which,
as part of many things, blocks UDP/0 traffic.
However, inside our network I am seeing traffic that appears
to come from the outside, crossing our IPS, that has both source and
destination on port UDP/0. The tools with which I have seen this type of
traffic is via matches on an IP access list with Cisco IOS and through a
Netflow collector application.
However, when I attach a sniffer running Wireshark (both
under Windows and Linux) to a span (mirror) port on a Cisco switch for where
the traffic should be going through to reach it’s destination (according
to the Netflow application) I don’t appear to capture any of the traffic
that is being identified.
Gi0/1 connects to the router from which Netflow data is
Gi00/3 is where Wireshark is connected.
With Wireshark I have tried the following capture filters
(it’s not feasible to capture all the traffic on this port)
vdp port 0
vlan and udp port 0
I just don’t seem to see any of the traffic that is
being reported by the netflow collector or the Cisco IOS access-list matches,
these appear as so:
access list 101 (Compiled)
5 permit udp any any eq 0 (18422 matches)
I realise that as it is UDP traffic that it is possible that
the traffic is spoofed and one might think that it could be coming from a
different interface, but Netflow records the ingress and egress ports of the
traffic and I should be seeing something in Wireshark… but I am not…
Does anyone have any ideas?
My apologies for not lurking longer on the list before