Using a CCR2004
/ip/traffic-flow export:
/ip traffic-flow
set cache-entries=256k enabled=yes
/ip traffic-flow target
add dst-address=172.16.16.11 port=4739 src-address=172.16.96.1 version=ipfix
steps to reproduce:
1) Configure flow export (not sure if it matters, but the config I am using is above)
2) Start a packet capture to capture IPFIX traffic (I am using a packet capture on device 172.16.16.11 to capture all traffic on port 4739, my configured port)
3) Attempt to establish a TCP session with an IP that does not exist, by either opening a web browser and navigating to http://somefakeip or running nmap -p 80 -Pn notarealhost
4) I am using the following filter in Wireshark: cflow.srcaddr == 172.16.202.186. I would expect nothing to show up; however, I see flows reported any time something attempts a TCP handshake.
Worth noting: ICMP traffic does not appear to trigger this. From what I've seen so far, it's only TCP traffic that triggers it.
Edit: Additional Findings
Was also able to reproduce this on demand using a 2nd CCR2004 as well as a RB4011, so it appears the behavior is consistently producible.
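To repeat the step 4 check offline against the captured export instead of in Wireshark, here is an added example (my own code, not MikroTik's and not from the original post): a minimal IPFIX (RFC 7011) parser that decodes template and data sets for the three fields of interest and applies the same `cflow.srcaddr` selection. The sample message is constructed, and the 198.51.100.7 destination is an assumed placeholder for the nonexistent host.

```python
import struct
from ipaddress import IPv4Address

# IPFIX information element ids (IANA registry) for the three fields we decode
IE_PROTO, IE_SRC, IE_DST = 4, 8, 12

def parse_ipfix(data):
    """Parse one IPFIX message; return (templates, records), records being dicts keyed by IE id."""
    version, msg_len = struct.unpack_from("!HH", data, 0)
    if version != 10 or msg_len > len(data):
        raise ValueError("not an IPFIX (version 10) message")
    templates, records = {}, []
    off = 16  # skip header: version, length, export time, sequence number, observation domain id
    while off + 4 <= msg_len:
        set_id, set_len = struct.unpack_from("!HH", data, off)
        body, end = off + 4, off + set_len
        if set_id == 2:  # template set: (template id, field count, field specifiers...)
            while body + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", data, body)
                body, fields = body + 4, []
                for _ in range(nfields):
                    ie, ln = struct.unpack_from("!HH", data, body)
                    body += 8 if ie & 0x8000 else 4  # enterprise IEs carry an extra 4-byte PEN
                    fields.append((ie & 0x7FFF, ln))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:  # data set described by a template we have seen
            fields = templates[set_id]
            rec_len = sum(ln for _, ln in fields)
            while body + rec_len <= end:  # trailing bytes shorter than one record are padding
                rec = {}
                for ie, ln in fields:
                    raw, body = data[body:body + ln], body + ln
                    rec[ie] = str(IPv4Address(raw)) if ie in (IE_SRC, IE_DST) else int.from_bytes(raw, "big")
                records.append(rec)
        off = end  # option templates and unknown sets are skipped by their length
    return templates, records

def flows_from(records, src):
    """Same selection as the Wireshark filter cflow.srcaddr == src."""
    return [r for r in records if r.get(IE_SRC) == src]

def build_sample():
    """Constructed IPFIX export (not a real capture): one template and two data records."""
    rec = lambda s, d, p: IPv4Address(s).packed + IPv4Address(d).packed + bytes([p])
    tmpl = struct.pack("!HHHH", 2, 20, 256, 3) + struct.pack("!HHHHHH", IE_SRC, 4, IE_DST, 4, IE_PROTO, 1)
    data = struct.pack("!HH", 256, 22) + rec("172.16.202.186", "198.51.100.7", 6) + rec("172.16.96.1", "172.16.16.11", 1)
    body = tmpl + data
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 0, 0) + body
```

Running `flows_from(parse_ipfix(build_sample())[1], "172.16.202.186")` returns only the TCP (protocol 6) record; on a real capture, feed each UDP payload from port 4739 to `parse_ipfix` in arrival order so templates are seen before the data sets that use them.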