New Member

0 Bytes packets seen on pix.

I am seeing a lot of 0 Bytes packets in the "show connections" output of the pix.

Servers behind pix are internet web servers and firewall is internet firewall.

I believe 0 Bytes packets are a threat, but I am not sure whether the packets are sent by the servers to the outside world or whether the servers are receiving these 0 Bytes packets.

A few lines of "show conn | inc Bytes":

ntf01# sh conn | inc Bytes 0

TCP out 148.104.5.2:10714 in x.x.171.166:80 idle 0:04:30 Bytes 0 flags U

TCP out 64.8.58.90:12419 in x.x.171.166:80 idle 0:34:02 Bytes 0 flags U

TCP out 71.98.79.104:61346 in x.x.171.166:80 idle 0:14:24 Bytes 0 flags U

TCP out 64.8.58.90:12239 in x.x.171.166:80 idle 0:33:12 Bytes 0 flags U

TCP out 208.141.82.4:15729 in x.x.171.167:80 idle 0:23:35 Bytes 0 flags UB

TCP out 128.122.92.235:1343 in x.x.171.166:80 idle 0:01:58 Bytes 0 flags aB

TCP out 209.208.224.72:25 in x.x.133.178:3032 idle 0:01:26 Bytes 0 flags saA

TCP out 172.16.1.170:5024 in x.x.133.254:9369 idle 0:01:49 Bytes 0 flags saA

3 REPLIES
Purple

Re: 0 Bytes packets seen on pix.

Hi Anand,

Connections that are initiated from the outside will be displayed with a "B" flag. In the output you have given, only two of the connections have the B flag. The rest of them have been initiated from your inside hosts.

Hope that helps - pls rate the post if it does.

Paresh

New Member

Re: 0 Bytes packets seen on pix.

Hi Paresh,

I ran a capture on the interface to which the servers showing the U flag are connected, but the capture shows the first SYN from the outside host. There is no initial SYN seen on the firewall interface from the server.

New Member

Re: 0 Bytes packets seen on pix.

That doesn't indicate 0 byte packets - which would be impossible. It does indicate how many bytes have been transferred over that established (or even "un-established" saA) connection. Get used to understanding the direction of your traffic (see link below).

I also recommend you get familiar with syslog - instead of using the cli to analyze connections - as it can be frustrating trying to keep track of those that open and close often and quickly.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1187542
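A way to triage the output discussed in this thread, as an added example that is not part of any of the posts: it parses the `show conn` lines quoted in the question and groups the zero-byte connections by outside host, recording idle time and flags. The function names are hypothetical, the B-flag reading follows the first reply, and treating U as "connection up" is an assumption.

```python
import re
from collections import defaultdict

# Constructed input: the lines quoted in the original post, copied as-is.
SAMPLE = """\
TCP out 148.104.5.2:10714 in x.x.171.166:80 idle 0:04:30 Bytes 0 flags U
TCP out 64.8.58.90:12419 in x.x.171.166:80 idle 0:34:02 Bytes 0 flags U
TCP out 71.98.79.104:61346 in x.x.171.166:80 idle 0:14:24 Bytes 0 flags U
TCP out 64.8.58.90:12239 in x.x.171.166:80 idle 0:33:12 Bytes 0 flags U
TCP out 208.141.82.4:15729 in x.x.171.167:80 idle 0:23:35 Bytes 0 flags UB
TCP out 128.122.92.235:1343 in x.x.171.166:80 idle 0:01:58 Bytes 0 flags aB
TCP out 209.208.224.72:25 in x.x.133.178:3032 idle 0:01:26 Bytes 0 flags saA
TCP out 172.16.1.170:5024 in x.x.133.254:9369 idle 0:01:49 Bytes 0 flags saA
"""

LINE_RE = re.compile(
    r"^(TCP|UDP) out (?P<out>[^\s:]+):(?P<oport>\d+) in (?P<inn>[^\s:]+):(?P<iport>\d+) "
    r"idle (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) Bytes (?P<bytes>\d+)(?: flags (?P<flags>\S+))?\s*$"
)

def parse_conn(line):
    """Parse one 'show conn' line; return None for prompts, blanks, headers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m["flags"] or ""
    return {
        "outside": m["out"], "inside": f'{m["inn"]}:{m["iport"]}',
        "idle_s": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
        "bytes": int(m["bytes"]), "flags": flags,
        "outside_initiated": "B" in flags,  # B flag, as stated in the first reply
        "established": "U" in flags,  # assumption: U marks a connection that is up
    }

def zero_byte_by_host(text, min_idle_s=0):
    """Group zero-byte connections by outside host, filtered by idle time."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        c = parse_conn(line)
        if c and c["bytes"] == 0 and c["idle_s"] >= min_idle_s:
            hosts[c["outside"]].append(c)
    return dict(hosts)

if __name__ == "__main__":
    ranked = sorted(zero_byte_by_host(SAMPLE).items(), key=lambda kv: -len(kv[1]))
    for host, conns in ranked:
        flags = ",".join(sorted({c["flags"] for c in conns}))
        longest = max(c["idle_s"] for c in conns)
        print(f"{host:16} conns={len(conns)} flags={flags} max_idle={longest}s")
```

Running the same grouping on repeated snapshots, or on the syslog connection records recommended in the last reply, shows whether the same outside hosts keep holding idle zero-byte connections to port 80.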
