Enabling and viewing tcp reports, Defining invalid tcp packet combinations – Brocade Network Advisor SAN + IP User Manual v12.3.0 User Manual
Page 1791
Brocade Network Advisor SAN + IP User Manual
1719
53-1003155-01
IP Traffic analyzer monitoring and sFlow reports
43
Enabling and viewing TCP reports
You can monitor TCP traffic to determine if there is any unusual activity on the network, such as
TCP attacks. Identifying unusual activity will aid in understanding the nature of the traffic and the
ports that are affected, so that you can take corrective actions. For example, you may decide to
disable a port on which TCP attacks are being received.
This feature is disabled by default; however, enabling the feature increases the number of distinct
flows that the Management application server must process and, therefore, increases the load on
the server. Complete the following steps to enable TCP reports.
1. Select Server > Options.
The Options dialog box displays.
2. Select IP Preferences from the Software Configurations list in the Category pane.
3. Go to the SFlowDataCollector preferences section.
4. Select the ProcessTCPFlagsData check box to monitor TCP traffic.
5. Click Apply or OK to save your work.
Once TCP reports are enabled, the following reports can be displayed to determine any usual TCP
traffic:
•
Valid TCP Flags: TCP traffic containing packets that do not have any invalid bit combinations.
•
Invalid TCP Flags: TCP traffic containing packets that have invalid bit combinations as defined
in the configuration.properties file.
Defining invalid TCP packet combinations
TCP packets can be checked to see if they contain the following control bits:
•
ACK: Acknowledgement field significant bit
•
URG: Urgent pointer field significant bit
•
PSH: Push function bit
•
RST: Reset connection bit
•
SYN: Synchronize sequence number bit
•
FIN: No more data from sender
An occurrence of two of these bits together in a TCP packet could be regarded as invalid. You
specify in the configuration.properties file which combinations are invalid combinations. By default,
the following combinations are regarded as invalid:
•
RST-SYN
•
RST-FIN
•
RST-PSH
•
RST-URG
•
FIN-SYN
Complete the following steps to change these combinations.
1. Select Server > Options.
The Options dialog box displays.