topic cpview, tcp/1024, and sk116876 in Firewall and Security Management

cpview, tcp/1024, and sk116876

D_TK — Mon, 18 Sep 2023 21:20:14 GMT

I've noticed on one cluster that the CPU utilization is higher than normal and the top protocol is always (and significantly) tcp/1024. Per that SK, it seems to be saying that tcp/1024 in cpview is "represents TCP high ports in general, and not specifically TCP port 1024." Is there a way see exactly what traffic is being thrown into this high cpu utilization bucket in cpview?

Thanks

Re: cpview, tcp/1024, and sk116876

the_rock — Mon, 18 Sep 2023 22:26:26 GMT

I had TAC case last year for customer for this exact issue and guy gave me the same sk and closed the case, that was it. Never bothered to do little more research, maybe ask someone, nothing. If you ever find out the way to tell what port(s) its referring to, would be great.

Andy

Re: cpview, tcp/1024, and sk116876

PhoneBoy — Mon, 18 Sep 2023 22:29:43 GMT

I presume you'd have to parse the connections table to see what port(s) are being used (output of fw tab -t connections -u).
The firth argument in the output should be the port in hex, and if it's a TCP connection, then the sixth argument will be 6 (the protocol number for TCP).

Re: cpview, tcp/1024, and sk116876

Elad_Chomsky — Tue, 19 Sep 2023 08:00:23 GMT

Hi @D_TK ,

The view works by categorizing ports to specific protocols and presenting only those. Known and common protocols will be presented. We can expend this view to present unknown ports as well, or add new groups. Please open an official RFE, and we will promote it from there.