[Cflowd] Unknown ports & protocols

From: Edwin D. Vinas (edwinv@asti.dost.gov.ph)
Date: Mon Feb 10 2003 - 18:40:11 PST


    Hi,

    I'm currently using a tool called FlowSQL which analyzes and stores the flow-exports from Cisco routers in a Postgresql database. This Perl program scans the flows created by arts using a cflow perl module. It's now working fine except for one thing -- I can't get all the correct port or protocol descriptions. If I generate a "top sources by bytes", for example, these unknown ports are usually on top of the list. How do I properly determine the type of protocol based on packet fields?

    This is typical netflow data for which I don't know the "unknown" port/protocol name:

            source_ip     |      dest_ip      | src_port | dest_port |   protocol
        ------------------+-------------------+----------+-----------+--------------
         80.15.15.126/32  | 202.90.159.152/32 |     1065 |      1434 | udp unknown
         24.59.173.134/32 | 202.90.139.3/32   |    12897 |      1434 | udp unknown
         65.33.52.48/32   | 202.90.129.141/32 |     1760 |      1434 | udp unknown
         202.90.129.66/32 | 10.10.5.38/32     |        0 |       781 | icmp unknown
         66.25.49.77/32   | 202.90.135.228/32 |     1772 |      1434 | udp unknown
         68.145.129.46/32 | 202.90.157.73/32  |     2095 |      1434 | udp unknown
         24.194.130.50/32 | 202.90.157.181/32 |     3152 |      1434 | udp unknown
         12.234.19.161/32 | 202.90.159.56/32  |     2528 |      1434 | udp unknown
         203.190.74.34/32 | 202.90.128.23/32  |    59000 |      1720 | tcp unknown
         212.9.160.38/32  | 202.90.128.4/32   |    38946 |     33495 | udp unknown
        (10 rows)
    Source: http://noc.asti.dost.gov.ph

    Or is there a better way of determining the protocol name based on netflow data (source port / dest_port)?
    Do you know of a complete list of these ports and their names?

    god bless,
    --edwin

    -----------------------------------------------------------------
    Life is the "art of perseverance", the "power
    of dreaming" and the "science of praying"...

    -Edwin D. Viñas
    edwinv@asti.dost.gov.ph
    http://www.geocities.com/edwin_vinas
    Science Research Specialist I
    PREGINET Project www.preginet.net
    Advanced Science and Technology Institute
    UP Technopark Complex, CP Garcia Ave, Diliman,
    Quezon City Philippines
    -----------------------------------------------------------------

    _______________________________________________
    Cflowd mailing list
    Cflowd@caida.org
    http://login.caida.org/mailman/listinfo/cflowd
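The following is an added example, not code from the original post nor from FlowSQL, cflowd or arts, showing one way to label the "unknown" rows above: look the (protocol, destination port) pair up in a service table (an embedded subset of the IANA assignments, then the local /etc/services), fall back to the source port for reply flows, and decode ICMP rows separately, since a NetFlow v5 exporter packs the ICMP type and code into the destination-port field as type*256 + code (so the 781 in the icmp row is type 3, code 13). The ten sample rows are the ones from the post; the KNOWN_SERVICES table, the ICMP name tables and the traceroute port range are constructed assumptions for the example.

```python
import socket
from collections import Counter, defaultdict

# The ten rows from the post (psql header and separator omitted), embedded so this runs offline.
SAMPLE_TABLE = """\
 80.15.15.126/32 | 202.90.159.152/32 | 1065 | 1434 | udp unknown
 24.59.173.134/32 | 202.90.139.3/32 | 12897 | 1434 | udp unknown
 65.33.52.48/32 | 202.90.129.141/32 | 1760 | 1434 | udp unknown
 202.90.129.66/32 | 10.10.5.38/32 | 0 | 781 | icmp unknown
 66.25.49.77/32 | 202.90.135.228/32 | 1772 | 1434 | udp unknown
 68.145.129.46/32 | 202.90.157.73/32 | 2095 | 1434 | udp unknown
 24.194.130.50/32 | 202.90.157.181/32 | 3152 | 1434 | udp unknown
 12.234.19.161/32 | 202.90.159.56/32 | 2528 | 1434 | udp unknown
 203.190.74.34/32 | 202.90.128.23/32 | 59000 | 1720 | tcp unknown
 212.9.160.38/32 | 202.90.128.4/32 | 38946 | 33495 | udp unknown
"""

# Constructed subset of the IANA service-name registry (assumption: a real
# deployment would load the full registry or /etc/services instead).
KNOWN_SERVICES = {
    ("tcp", 80): "http", ("tcp", 443): "https", ("udp", 53): "domain",
    ("tcp", 1433): "ms-sql-s", ("udp", 1434): "ms-sql-m",
    ("tcp", 1720): "h323hostcall",
}
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreach", 8: "echo-request", 11: "time-exceeded"}
ICMP_UNREACH_CODES = {0: "net", 1: "host", 3: "port", 13: "admin-prohibited"}


def service_name(proto, port):
    """Name a (protocol, port) pair: embedded table, then /etc/services, then a heuristic."""
    if (proto, port) in KNOWN_SERVICES:
        return KNOWN_SERVICES[(proto, port)]
    try:
        return socket.getservbyport(port, proto)  # consults the local services database
    except OSError:
        pass
    # Unix traceroute sends UDP probes to port 33434 and upward; nothing listens there.
    if proto == "udp" and 33434 <= port <= 33534:
        return "traceroute-probe"
    return "unknown"


def decode_icmp(dst_port):
    """NetFlow v5 packs ICMP type/code into the dst-port field as type*256 + code."""
    return divmod(dst_port, 256)


def parse_rows(text):
    """Parse psql-style rows into dicts, stripping the /32 prefix length from addresses."""
    flows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5 or not parts[2].isdigit():
            continue  # header or separator line
        src, dst, sport, dport, proto = parts
        flows.append({"src": src.split("/")[0], "dst": dst.split("/")[0],
                      "sport": int(sport), "dport": int(dport),
                      "proto": proto.split()[0]})
    return flows


def label_flow(flow):
    """Return 'proto/service' or, for ICMP, 'icmp/type/code (names)'."""
    proto = flow["proto"]
    if proto == "icmp":
        t, c = decode_icmp(flow["dport"])
        tname = ICMP_TYPES.get(t, "type-%d" % t)
        cname = ICMP_UNREACH_CODES.get(c, "code-%d" % c) if t == 3 else "code-%d" % c
        return "icmp/%d/%d (%s, %s)" % (t, c, tname, cname)
    name = service_name(proto, flow["dport"])
    if name == "unknown":
        # Server-to-client flows carry the service on the source side; try that too.
        name = service_name(proto, flow["sport"])
    return "%s/%s" % (proto, name)


def summarize(flows):
    """Flow count per label, plus distinct source hosts per label (fan-in indicator)."""
    counts = Counter()
    sources = defaultdict(set)
    for f in flows:
        lbl = label_flow(f)
        counts[lbl] += 1
        sources[lbl].add(f["src"])
    return counts, {k: len(v) for k, v in sources.items()}


if __name__ == "__main__":
    counts, fan_in = summarize(parse_rows(SAMPLE_TABLE))
    for lbl, n in counts.most_common():
        print("%-45s flows=%d distinct_sources=%d" % (lbl, n, fan_in[lbl]))
```

On the ten rows this labels seven flows as udp/ms-sql-m from seven distinct sources, one as tcp/h323hostcall, one as a traceroute probe and one as an ICMP destination-unreachable (administratively prohibited). The distinct-source count is the figure worth keeping alongside the byte ranking: many unrelated external sources converging on one UDP destination port is a scan or worm pattern rather than a service the site runs, and it is what a top-talkers report alone hides.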



    This archive was generated by hypermail 2.1.4 : Mon Feb 10 2003 - 18:52:29 PST