Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: [Wireshark-users] Capture Problem (udp port 0)

From: "Giles Coochey" <gcoochey@xxxxxxxxxxx>
Date: Wed, 19 Sep 2007 16:06:50 +0200

Hi All,

 

It’s been a while since I’ve followed this list, but I’ve checked the archives and have only found things that I’ve already tried.

 

I’ve come across a problem that I’m trying to narrow down. Allow me to explain:

 

We are supposed to have an Intrusion Protection System which, as part of many things, blocks UDP/0 traffic.

 

However, inside our network I am seeing traffic that appears to come from the outside, crossing our IPS, that has both source and destination on port UDP/0. The tools with which I have seen this type of traffic is via matches on an IP access list with Cisco IOS and through a Netflow collector application.

 

However, when I attach a sniffer running Wireshark (both under Windows and Linux) to a span (mirror) port on a Cisco switch for where the traffic should be going through to reach it’s destination (according to the Netflow application) I don’t appear to capture any of the traffic that is being identified.

 

My monitor session configuration looks like:

 

monitor session 1 source interface Gi0/1

monitor session 1 destination interface Gi0/3 encapsulation replicate

 

I have also tried:

 

monitor session 1 source interface Gi0/1

monitor session 1 destination interface Gi0/3

 

Gi0/1 connects to the router from which Netflow data is being collected.

Gi00/3 is where Wireshark is connected.

 

With Wireshark I have tried the following capture filters (it’s not feasible to capture all the traffic on this port)

 

vdp port 0

vlan and udp port 0

 

I just don’t seem to see any of the traffic that is being reported by the netflow collector or the Cisco IOS access-list matches, these appear as so:

 

Extended IP access list 101 (Compiled)

    5 permit udp any any eq 0 (18422 matches)

 

I realise that as it is UDP traffic that it is possible that the traffic is spoofed and one might think that it could be coming from a different interface, but Netflow records the ingress and egress ports of the traffic and I should be seeing something in Wireshark… but I am not… L

 

Does anyone have any ideas?

 

My apologies for not lurking longer on the list before posting.

 

Giles