We're now a non-profit! Support open source packet analysis by making a donation.

Wireshark-users: [Wireshark-users] Capture Problem (udp port 0)

From: "Giles Coochey" <gcoochey@xxxxxxxxxxx>
Date: Wed, 19 Sep 2007 16:06:50 +0200

Hi All,


It’s been a while since I’ve followed this list, but I’ve checked the archives and have only found things that I’ve already tried.


I’ve come across a problem that I’m trying to narrow down. Allow me to explain:


We are supposed to have an Intrusion Protection System which, as part of many things, blocks UDP/0 traffic.


However, inside our network I am seeing traffic that appears to come from the outside, crossing our IPS, that has both source and destination on port UDP/0. The tools with which I have seen this type of traffic is via matches on an IP access list with Cisco IOS and through a Netflow collector application.


However, when I attach a sniffer running Wireshark (both under Windows and Linux) to a span (mirror) port on a Cisco switch for where the traffic should be going through to reach it’s destination (according to the Netflow application) I don’t appear to capture any of the traffic that is being identified.


My monitor session configuration looks like:


monitor session 1 source interface Gi0/1

monitor session 1 destination interface Gi0/3 encapsulation replicate


I have also tried:


monitor session 1 source interface Gi0/1

monitor session 1 destination interface Gi0/3


Gi0/1 connects to the router from which Netflow data is being collected.

Gi00/3 is where Wireshark is connected.


With Wireshark I have tried the following capture filters (it’s not feasible to capture all the traffic on this port)


vdp port 0

vlan and udp port 0


I just don’t seem to see any of the traffic that is being reported by the netflow collector or the Cisco IOS access-list matches, these appear as so:


Extended IP access list 101 (Compiled)

    5 permit udp any any eq 0 (18422 matches)


I realise that as it is UDP traffic that it is possible that the traffic is spoofed and one might think that it could be coming from a different interface, but Netflow records the ingress and egress ports of the traffic and I should be seeing something in Wireshark… but I am not… L


Does anyone have any ideas?


My apologies for not lurking longer on the list before posting.