It seems I've encountered a new problem. Today I'm getting NTP requests, but the firewall doesn't catch them, and this is what I see in tcpdump when I filter by "port 123":
12:22:51.547147 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.550681 In IP [|ip]
12:22:51.551550 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.553032 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.553515 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.560009 In IP [|ip]
12:22:51.562513 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.564885 In IP [|ip]
12:22:51.568434 In IP [|ip]
12:22:51.572323 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.574330 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.578353 In IP [|ip]
12:22:51.584414 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.588401 In IP [|ip]
12:22:51.593470 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.599083 In IP [|ip]
12:22:51.599443 In IP [|ip]
12:22:51.602268 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.603248 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.604686 In IP [|ip]
12:22:51.606172 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.614160 In IP [|ip]
12:22:51.615223 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.622988 In IP [|ip]
12:22:51.624183 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.634638 In IP [|ip]
12:22:51.635491 Out IP truncated-ip - 336 bytes missing! 193.151.90.254.ntp > ddos-guard.net.http: NTPv2, Reserved, length 368
12:22:51.641621 In IP [|ip]
How can I tell where the incoming packets are coming from?
An "extensive" view of such a packet looks like this:
12:27:12.137484 In
Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 16
Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
Device Interface Index Extension TLV #1, length 2, value: 132
Logical Interface Index Extension TLV #4, length 4, value: 70
-----original packet-----
00:07:0d:xx:xx:xx > 2c:21:72:xx:xx:xx, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 240, id 10382, offset 0, flags [none], proto: UDP (17), length: 40) [|ip]
00:07:0d:xx:xx:xx is the MAC address of my uplink, so I understand that these packets are coming from the Internet, but why can't I see their source address, and why can't the firewall catch them?
Thank you very much for any hints!