missed pings ??
Carter Bullard
cbullard at nortelnetworks.com
Mon Oct 4 18:41:26 EDT 1999
Hey Russell,
Its hard to figure it out from way over here ;o) The interesting
thing is that the last 6 records from both are consistent, especially
the times, so there seems to be something that is correlatable. Hmmm.
Echo and Echo Response packets get collapsed into flows of their
own, and get reported based on an ICMP specific timeout timer, so the
reports maybe being generated much later than you anticipate.
There are switches that change the ICMP behavior. It maybe
that if there is a problem it is in this logic. Run argus-1.8
with the -R option. This will flush any Echo Request/Response
volleys as soon as they are completed. This may bring your
Echo's back ? More information would be appreciated.
Carter
Carter Bullard
Principal Consultant/Engineer
Nortel Networks
320 Park Avenue 16th Floor
New York, New York 10022
Email cbullard at nortelnetworks.com
Phone +1 212 317 4230
Fax +1 212 317 4324
Pager +1 800 217-7496
> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
> Sent: Monday, October 04, 1999 4:40 PM
> To: Bullard, Carter [NYPAR:DS46-I:EXCH]
> Subject: missed pings ??
>
>
> Hi Carter,
> Here is an odd one.
> As I think I have told you before we still run an copy of 1.5
> argus on
> an old semi-retired SUN which is operated by then data
> network group.
> We run our scan detection system on both systems.
>
> Early yesterday morning the 1.5 argus detected a bunch of pings from
> 210.114.120.122 but all 1.8 detected were a few URHs generated by the
> scan. (The 1.8 is not the latest one, but the one before
> that i.e. the
> 1st freeze).
>
> It looks like there might be some problem with the code that
> collapses
> the ping streams...
>
> Here is the tail end of the 1.5 output:
>
> Tue 10/05 01:52:30 icmp 210.114.120.122 ->
> 130.216.246.128 ECO
> Tue 10/05 01:52:30 icmp 210.114.120.122 ->
> 130.216.246.191 ECO
> Tue 10/05 01:52:30 icmp 210.114.120.122 ->
> 130.216.246.192 ECO
> Tue 10/05 01:52:30 icmp 210.114.120.122 ->
> 130.216.247.63 ECO
> Tue 10/05 01:52:30 icmp 210.114.120.122 ->
> 130.216.247.64 ECO
> Tue 10/05 01:52:30 icmp 210.114.120.122 ->
> 130.216.247.127 ECO
> Tue 10/05 01:52:30 icmp 210.114.120.122 ->
> 130.216.247.128 ECO
> Tue 10/05 01:52:30 icmp 210.114.120.122 ->
> 130.216.247.191 ECO
> Tue 10/05 01:52:30 icmp 210.114.120.122 ->
> 130.216.247.192 ECO
> Tue 10/05 01:52:30 icmp 210.114.120.122 ->
> 130.216.248.63 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.248.64 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.248.127 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.248.128 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.248.191 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.248.192 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.249.63 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.249.127 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.249.64 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.249.128 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.249.191 ECO
> Tue 10/05 01:52:31 icmp 210.114.120.122 ->
> 130.216.249.192 ECO
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 URH
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 URH
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 URH
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 URH
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 URH
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 URH
>
> and this is all that 1.8 records:
>
> Tue 10/05 01:51:22 icmp 130.216.191.119 ->
> 210.114.120.122 1 0 host 130.216.32.63 URH
> Tue 10/05 01:51:26 icmp 130.216.191.119 ->
> 210.114.120.122 1 0 host 130.216.32.64 URH
> Tue 10/05 01:51:36 icmp 130.216.191.119 ->
> 210.114.120.122 1 0 host 130.216.39.63 URH
> Tue 10/05 01:51:39 icmp 130.216.191.119 ->
> 210.114.120.122 1 0 host 130.216.39.64 URH
> Tue 10/05 01:52:17 icmp 130.216.188.254 ->
> 210.114.120.122 6 0 timexceed in-transit TIM
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 1 0 host 130.216.246.192 URH
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 1 0 host 130.216.246.191 URH
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 1 0 host 130.216.246.128 URH
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 1 0 host 130.216.246.127 URH
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 1 0 host 130.216.246.64 URH
> Tue 10/05 01:52:33 icmp 130.216.4.23 ->
> 210.114.120.122 1 0 host 130.216.246.63 URH
>
> This is quite strange because I can't see anything odd about
> this traffic. I know that 1.8 is faithfully recording single
> pings in other contexts...
>
> I am sure I have seen scans like this recently (pings to the
> /25, /26, /27 broadcast addresses) which were logged by more recent
> versions of Argus.
>
> Cheers, Russell.
>
>
>
More information about the argus
mailing list