Netflow records with Destination Ports 1025,257 and Protocol as ipv6-icmp

Said Jawad

3/18/23, 9:21 PM

I have some Netflow records from a bunch of routers. The records contain IPv6 flows and there are entries with protocol as ipv6-icmp and their destination port values as 0, 1025 and 257. I know from this link that the value of 0 for ipv6-icmp in netflow indicates an echo reply. Is there any resource to find the meaning of the ipv6-icmp-1025 and ipv6-icmp-257?

0 + 0

router

ipv6

netflow

icmpv6

Ron Maupin

3/18/23, 9:34 PM

[RFC 4443](https://datatracker.ietf.org/doc/html/rfc4443) explains ICMPv6 Types and Codes, but 0, 1025 and 257 are not ICMPv6 Types. Also, ICMP does not use ports, so I am not sure what you mean by port numbers.

Said Jawad

3/19/23, 10:07 AM

I know that ICMPv6 does not use (TCP/UDP) port numbers and ICMPv6 has its own types. However, in my Netflow dataset, it seems that Netflow is overloading the destination port number field, which is normally used for TCP/UDP flows, to indicate the ICMPv6 message type. At first, I also thought that those values are the ICMPv6 message types, as indicated in the RFC, but no. Please have a look at the link that I've posted in the question.

Score:1

Server

John Mahowald

3/18/23, 9:39 PM

ICMP and ICMPv6 do not have port numbers. Possibly netflow is using 0 to indicate this is not a UDP or TCP flow.

Standard types and codes are in IANA registries. In v6, type 0 actually is reserved, and would be invalid on the wire. And as these are 8 bit fields, they only go up to 256.

These do not map obviously to ICMP. Possibly some other logging or packet capture would be better at analyzing it.

0 + 0

Score:0

Server

davidhcefx

10/13/23, 3:27 AM

I think Netflow is overloading the destination port to represent ICMP type and code, and the format is

dPort = icmp_type << 8 + icmp_code

Here's an article that supports this fact: Detecting Worms and Abnormal Activities with NetFlow, Part 2. However, 1025 (type:4, code:1) and 257 (type:1, code:1) doesn't seem to map to valid ICMP messages, so maybe there's other encoding logic behind.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Netflow records with Destination Ports 1025,257 and Protocol as ipv6-icmp

TH: บันทึก Netflow ด้วยพอร์ตปลายทาง 1025,257 และโปรโตคอลเป็น ipv6-icmp

RO: Înregistrări Netflow cu porturile de destinație 1025.257 și protocol ca ipv6-icmp

RU: Записи Netflow с портами назначения 1025,257 и протоколом как ipv6-icmp

VI: Bản ghi Netflow với Cổng đích 1025.257 và Giao thức dưới dạng ipv6-icmp

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.