
Large network traffic detected on HOPOPT/0 to port 0 #56

Open
ddddavid-he opened this issue Feb 26, 2023 · 5 comments

Comments

@ddddavid-he

When grouping the data by protocol, I found the following traffic ranked at the top:

PROTO PORT CONNS RX_BYTES ... LAYER7
IP 0 1607268 29298871423 ...  
TCP 443 1770273 9361172256 ... HTTPS
TCP 80 3242169 4158756881 ... HTTP

According to /etc/protocols, the No. 1 traffic is protocol IP, or HOPOPT.
I wonder what kind of traffic it exactly is and how it should be classified in the layer7 column?

@jow-
Owner

jow- commented Feb 26, 2023

Looks like IP-in-IP tunnel traffic?

@ddddavid-he
Author

@jow- Thanks for replying.

So it is another kind of IP-in-IP traffic? There's an item in the protocol mapping that reads 4 0 IP-in-IP, which is different from HOPOPT/0 0.

@jow-
Owner

jow- commented Feb 26, 2023

Not sure, could also mean "no layer 4 protocol information available". You didn't provide any details about the setup you run the service on, but maybe your firewall setup is unusual. Compare with /proc/net/nf_conntrack to figure out which entries are reported without layer 4 protocol info (the 3rd and 4th columns in the proc file).

@ddddavid-he
Author

Okay, I'll do some further examination of that file later, since I haven't found anything missing the layer 4 protocol yet.

@ddddavid-he
Author

ddddavid-he commented Feb 28, 2023

After some experiments, I noticed that the HOPOPT traffic is mainly caused by torrent downloading, and the connection information in nf_conntrack looks like:

ipv4     2 tcp      6 117 TIME_WAIT src=10.0.1.1 dst=46.232.211.220 sport=59657 dport=64095      packets=6 bytes=388 src=46.232.211.220 dst=125.94.202.131 sport=64095 dport=59657 packets=     4 bytes=184 [ASSURED] mark=0 zone=0 use=2
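As an added example (not code from this project or from either commenter), here is a small Python parser for nf_conntrack lines that follows the suggestion above: it reads the 3rd and 4th columns, sums bytes per layer-4 protocol so the result can be compared with the per-protocol table at the top of the issue, and lists the entries that carry no layer-4 protocol information. The sample lines are constructed, not taken from a real host.

```python
from collections import defaultdict

# Constructed sample of /proc/net/nf_conntrack output in the same layout as the
# entry quoted above: l3 name, l3 number, l4 name, l4 number, then optional
# timeout/state words and key=value pairs for the original and reply directions.
# Addresses are documentation ranges and byte counts are made up.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 117 TIME_WAIT src=192.0.2.10 dst=198.51.100.7 sport=59657 dport=64095 packets=6 bytes=388 src=198.51.100.7 dst=203.0.113.5 sport=64095 dport=59657 packets=4 bytes=184 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 28 src=192.0.2.10 dst=198.51.100.9 sport=6881 dport=51413 packets=12 bytes=9000 src=198.51.100.9 dst=203.0.113.5 sport=51413 dport=6881 packets=10 bytes=8000 mark=0 zone=0 use=1
ipv4     2 unknown  4 599 src=192.0.2.10 dst=198.51.100.20 packets=100 bytes=150000 src=198.51.100.20 dst=203.0.113.5 packets=90 bytes=140000 mark=0 zone=0 use=1
ipv4     2 unknown  47 599 src=192.0.2.10 dst=198.51.100.21 packets=3 bytes=300 src=198.51.100.21 dst=203.0.113.5 packets=2 bytes=200 [UNREPLIED] mark=0 zone=0 use=1
"""

def parse_conntrack(text):
    """One dict per line: L3/L4 names and numbers (columns 1-4), whether any
    sport/dport keys were present, and bytes summed over both directions."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        entry = {"l3": fields[0], "l3num": int(fields[1]),
                 "l4": fields[2], "l4num": int(fields[3]),
                 "has_ports": False, "bytes": 0}
        for tok in fields[4:]:
            if "=" not in tok:  # timeout, TCP state, [ASSURED] / [UNREPLIED]
                continue
            key, value = tok.split("=", 1)
            if key == "bytes":
                entry["bytes"] += int(value)
            elif key in ("sport", "dport"):
                entry["has_ports"] = True
        entries.append(entry)
    return entries

def bytes_by_l4(entries):
    """(l4 name, l4 number) -> [connections, bytes], largest first, to compare
    against the tool's per-protocol table."""
    totals = defaultdict(lambda: [0, 0])
    for e in entries:
        totals[(e["l4"], e["l4num"])][0] += 1
        totals[(e["l4"], e["l4num"])][1] += e["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)

def without_l4_info(entries):
    """Entries conntrack handles only generically: the kernel prints the L4 name
    as 'unknown' and no ports, the "no layer 4 protocol information" case."""
    return [e for e in entries if e["l4"] == "unknown" or not e["has_ports"]]
```

On a live router, feed the real file with parse_conntrack(open("/proc/net/nf_conntrack").read()); note that byte counters only appear when conntrack accounting (nf_conntrack_acct) is enabled.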
