argus-1.8x fragment reports

Carter Bullard carter at qosient.com
Tue Nov 7 08:02:22 EST 2000


Hey Carmen,
   These reports are for fragmented flows where the first
packet in the fragment is not received by Argus.  As a result,
Argus does not know what flow the fragment belongs to, so it
generates a report for the single partially reassembled packet.

   Because fragments can be used maliciously to scan sites
and discover routers and end systems, and because fragments
can be used to establish covert channels, Argus reports
when fragments can't be reassembled.  But they are not
necessarily dangerous.

   A fragment record prints out:

time "frag" proto src -> dst fragID #pkts expectedBytes observedBytes maxBytes

   So, your fragment records are all from one particular host
to another that is on another network.  Argus is reporting seeing 1
packet only, with a size of 1480 bytes for each one.

   Most frag records are generated by legitimate traffic when
there is a lot of packet loss in the network.  If you see consecutive
fragIDs, and the frags are the only traffic between these two hosts,
then you should be suspicious.  Otherwise it's probably a result
of very high packet loss and the two hosts are not happy with
their network service.

   This style of reporting is changing in argus-2.0 to be a bit
more intuitive, but I haven't finalized the output yet.  If you
have any recommendations that would be very nice.

   We also are removing the Cisco filter support from all
the clients, and we're putting it in a single program.  If
there are some improvements (like fixing the bug) or changes
you would recommend, that would also be very nice.

Hope this helps!!!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 17A
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426
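As an added example (not code from this thread, from Argus, or from QoSient), the script below parses the argus-1.8x records quoted in Carmen's message further down and applies Carter's rule of thumb mechanically: group the frag records by src -> dst, look for a run of consecutive fragIDs, and check whether the two hosts have any non-frag traffic between them in either direction. The sample text is Carmen's output re-joined one record per line, plus a second, wholly constructed frag-only sample; the threshold of three consecutive IDs (`min_run`) is an assumption, not something Carter specifies.

```python
import re
from collections import defaultdict

# Constructed sample: the argus-1.8x records quoted in Carmen's message, joined
# one record per line (the archive wraps each record across two lines).
SAMPLE = """\
Mon 10/30 07:40:36  M   tcp  193.147.185.18.1657   ->  211.32.117.155.80    6      5       429 410      CLO
Mon 10/30 07:42:51 frag  ip  211.32.117.155        ->  193.147.185.18  40286 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:51 frag  ip  211.32.117.155        ->  193.147.185.18  40289 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:55 frag  ip  211.32.117.155        ->  193.147.185.18  40292 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:56 frag  ip  211.32.117.155        ->  193.147.185.18  40293 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:56 frag  ip  211.32.117.155        ->  193.147.185.18  40294 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:56 frag  ip  211.32.117.155        ->  193.147.185.18  40295 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:56 frag  ip  211.32.117.155        ->  193.147.185.18  40296 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:56 frag  ip  211.32.117.155        ->  193.147.185.18  40297 pk  1  ex    0  ob 24  max   24 TIM
Mon 10/30 07:43:00 frag  ip  211.32.117.155        ->  193.147.185.18  40300 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:43:01 frag  ip  211.32.117.155        ->  193.147.185.18  40301 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:43:01 frag  ip  211.32.117.155        ->  193.147.185.18  40302 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:43:01 frag  ip  211.32.117.155        ->  193.147.185.18  40303 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:40  M   tcp  193.147.185.18.1669   ->  211.32.117.155.80    6      5       949 576      CLO
"""

# Constructed, hypothetical sample: consecutive fragIDs and no other traffic
# between the two hosts, the pattern Carter says should raise suspicion.
FRAG_ONLY = """\
Mon 10/30 09:00:00 frag  ip  10.0.0.9              ->  10.0.0.20  500 pk  1  ex    0  ob 24  max   24 TIM
Mon 10/30 09:00:00 frag  ip  10.0.0.9              ->  10.0.0.20  501 pk  1  ex    0  ob 24  max   24 TIM
Mon 10/30 09:00:01 frag  ip  10.0.0.9              ->  10.0.0.20  502 pk  1  ex    0  ob 24  max   24 TIM
Mon 10/30 09:00:01 frag  ip  10.0.0.9              ->  10.0.0.20  503 pk  1  ex    0  ob 24  max   24 TIM
"""

# Fragment record, as Carter lays it out:
#   time "frag" proto src -> dst fragID #pkts expectedBytes observedBytes maxBytes
# with the pk/ex/ob/max labels and trailing status that argus-1.8x prints.
FRAG_RE = re.compile(
    r"^(?P<time>\w{3} \d\d/\d\d \d\d:\d\d:\d\d)\s+frag\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<fragid>\d+)\s+pk\s+(?P<pkts>\d+)\s+"
    r"ex\s+(?P<expected>\d+)\s+ob\s+(?P<observed>\d+)\s+max\s+(?P<maxbytes>\d+)\s+(?P<status>\w+)$"
)
# Any other flow record: only the endpoints matter for the heuristic.
FLOW_RE = re.compile(
    r"^(?P<time>\w{3} \d\d/\d\d \d\d:\d\d:\d\d)\s+\S+\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s"
)

def host_of(addr):
    """Drop the trailing port from 'a.b.c.d.port'; a bare 'a.b.c.d' is unchanged."""
    return ".".join(addr.split(".")[:4])

def parse(text):
    """Return (fragment records, set of unordered host pairs with non-frag traffic)."""
    frags, flow_pairs = [], set()
    for line in text.splitlines():
        line = line.strip()
        m = FRAG_RE.match(line)
        if m:
            frags.append({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()})
            continue
        m = FLOW_RE.match(line)
        if m:
            flow_pairs.add(frozenset((host_of(m["src"]), host_of(m["dst"]))))
    return frags, flow_pairs

def longest_consecutive_run(ids):
    """Length of the longest run of consecutive fragIDs (0 for an empty list)."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def assess(text, min_run=3):
    """Carter's rule of thumb per (src, dst): consecutive fragIDs with no other
    traffic between the two hosts is suspicious; otherwise treat it as packet
    loss.  min_run (how many IDs in a row count as 'consecutive') is an assumption."""
    frags, flow_pairs = parse(text)
    ids_by_pair = defaultdict(list)
    for f in frags:
        ids_by_pair[(f["src"], f["dst"])].append(f["fragid"])
    verdicts = {}
    for (src, dst), ids in ids_by_pair.items():
        run = longest_consecutive_run(ids)
        other = frozenset((src, dst)) in flow_pairs  # either direction counts
        verdicts[(src, dst)] = {
            "frags": len(ids), "longest_run": run, "other_traffic": other,
            "verdict": "suspicious" if run >= min_run and not other else "probable packet loss",
        }
    return verdicts

if __name__ == "__main__":
    for label, text in (("carmen", SAMPLE), ("frag-only", FRAG_ONLY)):
        for (src, dst), v in assess(text).items():
            print(label, src, "->", dst, v)
```

On Carmen's records this returns "probable packet loss": the twelve frags share one src -> dst, the IDs 40292 to 40297 do run consecutively, but the same host pair also carries ordinary TCP flows to port 80 in the opposite direction, so the fragments are most likely tails of HTTP responses whose first fragments Argus never saw. The constructed frag-only sample trips the rule because there is nothing else between the hosts. Note that the TCP flows run 193.147.185.18 -> 211.32.117.155 while the frags run the other way, which is why the host pair is compared as an unordered set.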


-----Original Message-----
From: Maria del Carmen Contreras Espinosa [mailto:mcconesp at cic.upo.es]
Sent: Tuesday, November 07, 2000 3:28 AM
To: Carter Bullard
Subject: Re: argus-2.0.0v


Hello

But I need help again

I tested my reports the other day and I don't understand this; I
couldn't find what it means in the documentation. This was written in 1994
and ...


I can see this in my reports:


Mon 10/30 07:40:36  M   tcp  193.147.185.18.1657   ->  211.32.117.155.80    6      5       429 410      CLO
Mon 10/30 07:41:57  M   tcp  193.147.185.18.1664   ->  211.32.117.155.80    7      6       429 410      CLO
Mon 10/30 07:42:51 frag  ip  211.32.117.155        ->  193.147.185.18  40286 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:51 frag  ip  211.32.117.155        ->  193.147.185.18  40289 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:55 frag  ip  211.32.117.155        ->  193.147.185.18  40292 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:56 frag  ip  211.32.117.155        ->  193.147.185.18  40293 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:56 frag  ip  211.32.117.155        ->  193.147.185.18  40294 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:56 frag  ip  211.32.117.155        ->  193.147.185.18  40295 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:56 frag  ip  211.32.117.155        ->  193.147.185.18  40296 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:56 frag  ip  211.32.117.155        ->  193.147.185.18  40297 pk  1  ex    0  ob 24  max   24 TIM
Mon 10/30 07:43:00 frag  ip  211.32.117.155        ->  193.147.185.18  40300 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:43:01 frag  ip  211.32.117.155        ->  193.147.185.18  40301 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:43:01 frag  ip  211.32.117.155        ->  193.147.185.18  40302 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:43:01 frag  ip  211.32.117.155        ->  193.147.185.18  40303 pk  1  ex    0  ob 1480  max 1456 TIM
Mon 10/30 07:42:40  M   tcp  193.147.185.18.1669   ->  211.32.117.155.80    6      5       949 576      CLO

What is the meaning of frag? Is this dangerous?


Thank you

Carmen