phaag / nfdump

Netflow processing tools

TCP flags set in UDP flow #322

Closed tvdhout closed 2 years ago

tvdhout commented 2 years ago

I am analyzing some SFLOW capture files with nfdump and in some UDP flows it says some TCP flags are on. Anonymized example:

time_start            2019-11-23 15:11:04
time_end              2019-11-23 15:11:04
source_address        24.80.144.38
destination_address   33.101.11.87
source_port           53
destination_port      19184
protocol              UDP
tcp_flags             ...AP...
source_type_of_service 0
nr_packets            24000
nr_bytes              28304000
destination_type_of_service 0
etc.

How do I interpret this? Is it in the data? There are more rows like this. I can't make sense of a UDP flow with TCP flags. Any help is appreciated.

piorek94 commented 2 years ago

Hi,

UDP flows do not have TCP flags set. It is the result of the way nfdump records and stores information about flows. In this case you can assume that it is an artifact.

phaag commented 2 years ago

nfdump only stores what the exporter sends. If the exporter does not properly clean the flags before sending the flows, you get this result. So it's not a question of nfdump, but of the exporter.
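Since nfdump keeps whatever flag byte the exporter sent, a practical way to handle records like the one in the question is to treat "non-TCP protocol with non-zero TCP flags" as an exporter data-quality signal and separate those records from real TCP flag data before any alerting logic looks at the flags. The script below is an added example, not code from the nfdump project: it parses the long key/value layout shown above, decodes the `tcp_flags` column, and counts artifacts. The left-to-right flag order `C E U A P R S F` (CWR down to FIN) is my reading of nfdump's output and the `...AP...` sample, and the sample records are constructed.

```python
"""Triage nfdump records whose non-TCP protocol still carries TCP flags.

Added example (not nfdump's own code). Parses the long key/value record
layout shown in the issue and labels each record as genuine TCP flag data,
a clean non-TCP flow, or an exporter artifact (flags not cleared by the
exporter before the flow was sent).
"""
from collections import Counter

# Assumed letter order of nfdump's tcp_flags column, left to right:
# bit 7 CWR ... bit 0 FIN, so "...AP..." means ACK and PSH.
FLAG_LETTERS = "CEUAPRSF"
FLAG_NAMES = {"C": "CWR", "E": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

# Constructed sample input: the anonymized record from the issue plus one
# genuine TCP flow and one clean UDP flow, separated by blank lines.
SAMPLE_RECORDS = """\
time_start            2019-11-23 15:11:04
time_end              2019-11-23 15:11:04
source_address        24.80.144.38
destination_address   33.101.11.87
source_port           53
destination_port      19184
protocol              UDP
tcp_flags             ...AP...
nr_packets            24000
nr_bytes              28304000

time_start            2019-11-23 15:11:05
time_end              2019-11-23 15:11:05
source_address        10.0.0.5
destination_address   10.0.0.9
source_port           44321
destination_port      443
protocol              TCP
tcp_flags             ...A..S.
nr_packets            2
nr_bytes              120

time_start            2019-11-23 15:11:06
time_end              2019-11-23 15:11:06
source_address        10.0.0.7
destination_address   10.0.0.53
source_port           51000
destination_port      53
protocol              UDP
tcp_flags             ........
nr_packets            1
nr_bytes              76
"""


def parse_records(text: str) -> list[dict[str, str]]:
    """Split nfdump long-format output into one dict per flow record."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(" ")
        current[key] = value.strip()    # values may contain spaces (timestamps)
    if current:
        records.append(current)
    return records


def decode_flags(flag_str: str) -> int:
    """Turn the 8-character flag string (e.g. '...AP...') into a bitmask."""
    if len(flag_str) != len(FLAG_LETTERS):
        raise ValueError(f"unexpected tcp_flags length: {flag_str!r}")
    mask = 0
    for pos, ch in enumerate(flag_str):
        if ch == FLAG_LETTERS[pos]:
            mask |= 1 << (7 - pos)
        elif ch != ".":
            raise ValueError(f"unexpected flag character {ch!r} at position {pos}")
    return mask


def flag_names(mask: int) -> list[str]:
    """Human-readable flag names for a bitmask, in CWR..FIN order."""
    return [FLAG_NAMES[letter] for pos, letter in enumerate(FLAG_LETTERS)
            if mask & (1 << (7 - pos))]


def classify(record: dict[str, str]) -> str:
    """'tcp' for TCP flows, 'artifact' for non-TCP flows with flags, else 'clean'."""
    mask = decode_flags(record.get("tcp_flags", "........"))
    if record.get("protocol") == "TCP":
        return "tcp"
    return "artifact" if mask else "clean"


def summarize(records: list[dict[str, str]]) -> Counter:
    """Count records per classification; a high artifact share points at the exporter."""
    return Counter(classify(r) for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(dict(summarize(recs)))
    for r in recs:
        if classify(r) == "artifact":
            names = flag_names(decode_flags(r["tcp_flags"]))
            print(f"exporter artifact: {r['protocol']} {r['source_address']}:{r['source_port']} "
                  f"-> {r['destination_address']}:{r['destination_port']} flags={names}")
```

Run it on the output of `nfdump -r <file> -o long` (or the key/value layout above, after splitting records with blank lines) to see how much of a capture is affected; if the artifact share is high for one exporter, the fix is on the exporter side, as phaag notes, not in nfdump.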