Wireshark-users: [Wireshark-users] Capture Problem (udp port 0)
Hi All,
It’s been a while since I’ve followed this list, but I’ve checked the archives and have only found things that I’ve already tried.
I’ve come across a problem that I’m trying to narrow down. Allow me to explain:
We are supposed to have an Intrusion Protection System which, as part of many things, blocks UDP/0 traffic.
However, inside our network I am seeing traffic that appears to come from the outside, crossing our IPS, that has both source and destination on port UDP/0. The tools with which I have seen this type of traffic is via matches on an IP access list with Cisco IOS and through a Netflow collector application.
However, when I attach a sniffer running Wireshark (both under Windows and Linux) to a span (mirror) port on a Cisco switch for where the traffic should be going through to reach it’s destination (according to the Netflow application) I don’t appear to capture any of the traffic that is being identified.
My monitor session configuration looks like:
monitor session 1 source interface Gi0/1 monitor session 1 destination interface Gi0/3 encapsulation replicate
I have also tried:
monitor session 1 source interface Gi0/1 monitor session 1 destination interface Gi0/3
Gi0/1 connects to the router from which Netflow data is being collected. Gi00/3 is where Wireshark is connected.
With Wireshark I have tried the following capture filters (it’s not feasible to capture all the traffic on this port)
vdp port 0 vlan and udp port 0
I just don’t seem to see any of the traffic that is being reported by the netflow collector or the Cisco IOS access-list matches, these appear as so:
Extended IP access list 101 (Compiled) 5 permit udp any any eq 0 (18422 matches)
I realise that as it is UDP traffic that it is possible that the traffic is spoofed and one might think that it could be coming from a different interface, but Netflow records the ingress and egress ports of the traffic and I should be seeing something in Wireshark… but I am not… L
Does anyone have any ideas?
My apologies for not lurking longer on the list before posting.
Giles |
- Prev by Date: Re: [Wireshark-users] fragmented IP packets
- Next by Date: Re: [Wireshark-users] fragmented IP packets
- Previous by thread: Re: [Wireshark-users] fragmented IP packets
- Next by thread: Re: [Wireshark-users] How to view rf5 files
- Index(es):
- Get Wireshark
- Download
- Code of Conduct