jow- / nlbwmon

Simple conntrack based traffic accounting
ISC License

Large network traffic detected on HOPOPT/0 to port 0 #56

Open ddddavid-he opened 1 year ago

ddddavid-he commented 1 year ago

When I grouped the data by protocol, I found the following traffic ranked at the top:

PROTO PORT CONNS RX_BYTES ... LAYER7
IP 0 1607268 29298871423 ...  
TCP 443 1770273 9361172256 ... HTTPS
TCP 80 3242169 4158756881 ... HTTP

According to /etc/protocols, the No. 1 traffic is protocol IP, or HOPOPT. I wonder what kind of traffic it exactly is and how it should be classified in the LAYER7 column?

jow- commented 1 year ago

Looks like IP-in-IP tunnel traffic?

ddddavid-he commented 1 year ago

@jow- Thanks for replying

So it is another kind of IP-in-IP traffic? There's an item in the protocol mapping that reads "4 0 IP-in-IP", which is different from "HOPOPT/0 0".

jow- commented 1 year ago

Not sure, could also mean "no layer 4 protocol information available". You didn't provide any details about the setup you run the service on, but maybe your firewall setup is unusual. Compare with /proc/net/nf_conntrack to figure out which entries are reported without layer 4 protocol info (the 3rd and 4th columns in the proc file).

ddddavid-he commented 1 year ago

Okay, I'll do some further examination on that file later since I haven't found anything missing layer 4 protocol yet.

ddddavid-he commented 1 year ago

After some experiments, I noticed that the HOPOPT traffic is mainly caused by torrent downloading. And the connection information looks like

ipv4     2 tcp      6 117 TIME_WAIT src=10.0.1.1 dst=46.232.211.220 sport=59657 dport=64095      packets=6 bytes=388 src=46.232.211.220 dst=125.94.202.131 sport=64095 dport=59657 packets=     4 bytes=184 [ASSURED] mark=0 zone=0 use=2

in nf_conntrack
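As an added example (not part of the thread or of nlbwmon itself), here is a small Python parser that follows jow-'s suggestion above: it reads /proc/net/nf_conntrack style lines, groups connections and byte counts by the layer-4 protocol in columns 3 and 4, and flags entries whose protocol number is 0. The input is constructed: the TCP line quoted in the thread (whitespace normalized) plus two invented entries, one with no layer-4 protocol information.

```python
"""Group /proc/net/nf_conntrack entries by layer-4 protocol."""
import re
from collections import defaultdict

# Constructed sample, not captured from any real host. The first line is the
# one quoted in the thread; the other two are invented for illustration.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.1.1 dst=46.232.211.220 sport=59657 dport=64095 packets=6 bytes=388 src=46.232.211.220 dst=125.94.202.131 sport=64095 dport=59657 packets=4 bytes=184 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.1.1 dst=10.0.0.1 sport=51413 dport=6881 packets=12 bytes=1900 src=10.0.0.1 dst=10.0.1.1 sport=6881 dport=51413 packets=10 bytes=1500 mark=0 zone=0 use=2
ipv4     2 unknown  0 599 src=10.0.1.1 dst=10.0.0.2 packets=3 bytes=300 src=10.0.0.2 dst=10.0.1.1 packets=0 bytes=0 mark=0 zone=0 use=2
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Return (l3name, l4name, l4num, orig_bytes, reply_bytes) for one line.

    Columns 3 and 4 are the layer-4 protocol name and number. The key=value
    pairs appear twice (original direction first, reply second), so the two
    bytes= counters are collected in order of appearance.
    """
    fields = line.split()
    l3name, l4name, l4num = fields[0], fields[2], int(fields[3])
    byte_counts = [int(v) for k, v in _KV.findall(line) if k == "bytes"]
    if len(byte_counts) != 2:
        raise ValueError("expected two bytes= counters: %r" % line)
    return l3name, l4name, l4num, byte_counts[0], byte_counts[1]


def summarize(text):
    """Aggregate connection counts and total bytes per layer-4 protocol.

    Returns {(l4name, l4num): {"conns": n, "bytes": n, "no_l4_info": bool}}.
    """
    summary = defaultdict(lambda: {"conns": 0, "bytes": 0, "no_l4_info": False})
    for line in text.splitlines():
        if not line.strip():
            continue
        _, l4name, l4num, orig, reply = parse_entry(line)
        bucket = summary[(l4name, l4num)]
        bucket["conns"] += 1
        bucket["bytes"] += orig + reply
        # Protocol number 0 is what the thread reads as "no layer-4 info";
        # nlbwmon would account it under the /etc/protocols name HOPOPT.
        bucket["no_l4_info"] = l4num == 0
    return dict(summary)


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_CONNTRACK).items(), key=lambda kv: -kv[1]["bytes"])
    for (name, num), stats in ranked:
        flag = "  <- no layer-4 protocol info" if stats["no_l4_info"] else ""
        print("%-8s %3d conns=%d bytes=%d%s" % (name, num, stats["conns"], stats["bytes"], flag))
```

On a real router, replace SAMPLE_CONNTRACK with the contents of /proc/net/nf_conntrack to see which flows land in the protocol-0 bucket.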