Netflow packet includes zero port numbers

What does a zero source port number indicate? Can NetFlow tell anything about a connection that is not TCP or UDP?

Thanks.

Best Answer

A zero port number usually indicates that the session in question is an IP protocol that does not use port numbers. NetFlow can report on any IP session. The current list of IANA-assigned protocol numbers is available here. There's a good chance you're seeing some ICMP traffic, for example.

Depending on the version of NetFlow, there are a number of optional fields. NetFlow 5 is pretty limited, but NetFlow 9/IPFIX can include QoS, TCP flags, VLAN, and other fields, including vendor-specific fields.

I see in your comment above that your NetFlow source is inside your firewall. If your probe is on the same host/device as your firewall, many exporters report on PRE-firewall traffic, so you could well be seeing an external scan. You should also consider the possibility of a malware infection, which could result in internal scanning behavior.
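The following is an added example to accompany the answer above; it is not code from the question or answer. It decodes a NetFlow v5 export packet (24-byte header, 48-byte flow records, both as documented for v5), labels each record according to whether its IP protocol carries port numbers at all, and applies a rough "one source, many destinations" heuristic to the portless flows, which is the scanning case the answer raises. The sample packet is constructed inline, not captured from a real exporter. Two assumptions are marked in the comments: that the exporter encodes ICMP type and code in the destination port field as type*256+code (Cisco behaviour; other exporters may leave the field at zero), and that TCP/UDP records with both ports at zero come from non-initial IP fragments, which carry no transport header.

```python
"""Decode NetFlow v5 export packets and classify zero-port flows by IP protocol.

Added example, not from the original question or answer. Layout follows the
documented NetFlow v5 header (24 bytes) and flow record (48 bytes); the sample
packet below is constructed here, not captured from a real exporter.
"""
import socket
import struct
from collections import defaultdict

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_HEADER = struct.Struct(">HHIIIIBBH")
# src, dst, nexthop, ifin, ifout, pkts, octets, first, last, sport, dport, pad,
# tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")

# Subset of IANA-assigned IP protocol numbers.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 41: "IPv6", 47: "GRE",
               50: "ESP", 51: "AH", 58: "ICMPv6", 89: "OSPF", 132: "SCTP"}
PORTED = {6, 17, 132}  # transports whose flows carry real L4 port numbers


def parse_v5(packet: bytes) -> list:
    """Return one dict per flow record in a NetFlow v5 export packet."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("short header")
    version, count = V5_HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated packet: header count exceeds payload")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nh, _ifin, _ifout, pkts, octets, _first, _last, sport, dport,
         _pad1, tcp_flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = V5_RECORD.unpack_from(packet, off)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "proto": proto, "sport": sport, "dport": dport,
                      "tcp_flags": tcp_flags, "pkts": pkts, "octets": octets})
    return flows


def describe(flow: dict) -> str:
    """Explain what a zero port means for this flow's IP protocol."""
    proto = flow["proto"]
    name = PROTO_NAMES.get(proto, f"proto-{proto}")
    if proto in PORTED:
        if flow["sport"] == 0 and flow["dport"] == 0:
            # Assumption: non-initial IP fragments carry no L4 header, so the exporter reports 0/0.
            return f"{name} with ports 0/0 (likely non-initial fragments)"
        return f"{name} {flow['sport']}->{flow['dport']}"
    if proto == 1:
        # Assumption (Cisco-style exporter): ICMP type/code is encoded in dport as type*256 + code.
        # A plain 0/0 is either an echo reply or an exporter that leaves the field empty.
        icmp_type, icmp_code = divmod(flow["dport"], 256)
        return f"ICMP type {icmp_type} code {icmp_code} (ports are not applicable)"
    return f"{name} has no port numbers; zero is expected"


def fan_out(flows: list, min_targets: int = 3) -> dict:
    """Sources reaching many distinct destinations with portless flows: a cheap scan heuristic."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] not in PORTED or (f["sport"] == 0 and f["dport"] == 0):
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def build_v5(records) -> bytes:
    """Pack (src, dst, proto, sport, dport, tcp_flags, pkts, octets) tuples into a v5 packet."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                                   pk, oc, 0, 0, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
                    for (s, d, pr, sp, dp, fl, pk, oc) in records)
    return header + body


# Constructed sample: one host pinging five internal addresses (ICMP echo request,
# type 8 code 0 encoded as dport 2048), a GRE tunnel, a TCP/443 session, and UDP fragments.
SAMPLE_PACKET = build_v5(
    [("192.0.2.10", f"10.0.0.{i}", 1, 0, 2048, 0, 1, 84) for i in range(1, 6)]
    + [("10.0.0.20", "10.0.0.21", 47, 0, 0, 0, 120, 9600),
       ("10.0.0.30", "203.0.113.5", 6, 51234, 443, 0x1B, 40, 5120),
       ("10.0.0.40", "10.0.0.41", 17, 0, 0, 0, 3, 4200)])

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_PACKET)
    for f in flows:
        print(f"{f['src']:>12} -> {f['dst']:<12} {describe(f)}")
    print("possible scanners:", fan_out(flows))
```

Run as-is to see each record classified and the pinging host flagged by fan_out; to use it on real data, feed the UDP payload received on the collector port to parse_v5. The GRE and ICMP records show zero ports because those protocols have none, while the UDP record with 0/0 is the case worth separating out, since a "zero port" there points at fragments rather than at a portless protocol.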