Argus Flow reversal with ECRs ??

Neil Long neil.long at computing-services.oxford.ac.uk
Wed Feb 16 06:57:05 EST 2000


I get a similar problem but with 1.8. There seems to be a difference 
of opinion between ra and fullra, e.g.

ra 

Wed 02/16 10:00:00     icmp   203.75.203.14       <->      163.1.0.90       1      1                          ECR
Wed 02/16 09:54:16     icmp   203.75.203.14       <->      163.1.0.90       323    322                        ECO
Wed 02/16 10:00:01     icmp   203.75.203.14       <->      163.1.0.90       327    338                        ECR


fullra

Wed 02/16 10:00:00     icmp      163.1.0.90       <->   203.75.203.14       1      1                          UNK
Wed 02/16 09:54:16     icmp   203.75.203.14       <->      163.1.0.90       323    322                        UNK
Wed 02/16 10:00:01     icmp      163.1.0.90       <->   203.75.203.14       327    338                        UNK


tcpdump (yes! for once the host is still sending!! why is another matter 
but who cares)

11:42:20.483525 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:20.486847 163.1.0.90 > 203.75.203.14: icmp: echo reply
11:42:21.493610 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:21.494700 163.1.0.90 > 203.75.203.14: icmp: echo reply
11:42:22.497706 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:22.520518 163.1.0.90 > 203.75.203.14: icmp: echo reply
11:42:23.509260 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:23.510441 163.1.0.90 > 203.75.203.14: icmp: echo reply
11:42:24.985959 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:24.987098 163.1.0.90 > 203.75.203.14: icmp: echo reply
11:42:25.990336 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:25.991470 163.1.0.90 > 203.75.203.14: icmp: echo reply
11:42:26.988100 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:26.990004 163.1.0.90 > 203.75.203.14: icmp: echo reply
11:42:27.987377 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:27.988892 163.1.0.90 > 203.75.203.14: icmp: echo reply
11:42:28.987739 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:28.989776 163.1.0.90 > 203.75.203.14: icmp: echo reply

ra then gives

Wed 02/16 11:42:10     icmp   203.75.203.14       <->      163.1.0.90       340    333                        ECO

more verbose and looking at sequence numbers

the initiator is 203.75.203.14 and ra seems to be consistent with 1.8 
although fullra may have a problem.

Neil

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Dr Neil J Long, Computing Services, University of Oxford
 13 Banbury Road, Oxford, OX2 6NN, UK Tel:+44 1865 273232 Fax:+44 1865 273275
 EMail:       Neil.Long at computing-services.oxford.ac.uk  
 PGP:    ID 0xE88EF71F    OxCERT: oxcert at ox.ac.uk PGP: ID 0x4B11561D
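
The cross-check described in the message, as an added example that is not part of the original post or of the argus tools: it derives the echo initiator from tcpdump text and classifies a flow record's orientation against it. It assumes the left-hand address in ra/fullra output is the reported flow source; the function names are hypothetical.

```python
import re
from collections import Counter

# First four lines of the tcpdump excerpt quoted in the post.
SAMPLE = """\
11:42:20.483525 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:20.486847 163.1.0.90 > 203.75.203.14: icmp: echo reply
11:42:21.493610 203.75.203.14 > 163.1.0.90: icmp: echo request
11:42:21.494700 163.1.0.90 > 203.75.203.14: icmp: echo reply
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
LINE = re.compile(rf"^\S+ {IP} > {IP}: icmp: echo (request|reply)$")


def echo_initiators(text):
    """Map each host pair to the host that sent the echo requests.

    The value is None when both hosts of a pair sent requests, because the
    capture then cannot settle the direction on its own.
    """
    votes = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an ICMP echo line in this format
        src, dst, kind = m.groups()
        # A request is sent by the initiator, a reply is sent to it.
        initiator = src if kind == "request" else dst
        votes.setdefault(frozenset((src, dst)), Counter())[initiator] += 1
    return {pair: (next(iter(c)) if len(c) == 1 else None)
            for pair, c in votes.items()}


def check_record(src, dst, initiators):
    """Classify a flow record (assumed: left column = source) against the capture."""
    pair = frozenset((src, dst))
    if pair not in initiators:
        return "no-capture"
    if initiators[pair] is None:
        return "ambiguous"
    return "consistent" if initiators[pair] == src else "reversed"


if __name__ == "__main__":
    seen = echo_initiators(SAMPLE)
    print("ra    :", check_record("203.75.203.14", "163.1.0.90", seen))
    print("fullra:", check_record("163.1.0.90", "203.75.203.14", seen))
```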


