1.8.1 and 2.0.0n differences
Carter Bullard
carter at qosient.com
Mon Oct 9 09:07:24 EDT 2000
Hey Russell,
Yep, I just found a problem with first packet processing
of TH_RST. We were looking for only the TH_RST bit set,
which is not right. The 'E' you see is/are erroneous.
This is now fixed in 2.0.0o which should be out today.
We do/will have the accumulated raw flags bits in the argus
record so you will be able to do what you want to do.
But that is for 2.0.0o. I need some way of reporting it,
so yet another flag. We'll discuss this later this week,
or next, as there are a number of new features to consider
and possibly a few to get rid of.
Suppressing the usec. So I've changed it so that you
turn on usec reporting with the "-U precision" option. Also
in 2.0.0o.
Carter
-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu] On Behalf Of Russell Fulton
Sent: Monday, October 09, 2000 12:08 AM
To: Argus (E-mail)
Subject: 1.8.1 and 2.0.0n differences
Hi Carter,
Here is a short burst of traffic that got reported rather
differently by ra in two different versions of argus.
1.8.1 sets FINWAIT and RST, 2.0.0 just sets EST. What flags were really in
those packets I don't know :( I had thought that the FR records were
generated by lone RST packets in 1.8.
Aside: If anyone has any ideas about the significance of this traffic
I would be interested. I'm guessing that it is some kind of fallout
from an attack on 209.92.32.58 where packets with our address were
used but where the 255.255.255.255 record fits in I don't know.
BTW is there any way we can suppress the usecs on the timestamp?
Cheers, Russell.
argus 1.8.1 ra and server:
09 Oct 00 15:45:27 tcp 209.92.32.58.23402 ?> 130.216.238.253.30286 1 0 0 0 FR
09 Oct 00 15:45:31 tcp 209.92.32.58.17675 ?> 130.216.114.162.56316 1 0 0 0 FR
09 Oct 00 15:45:31 tcp 209.92.32.58.20264 ?> 130.216.25.255.47516 1 0 0 0 FR
09 Oct 00 15:45:31 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 11 0 0 0 FR
09 Oct 00 15:45:32 tcp 209.92.32.58.39231 ?> 130.216.11.112.60519 1 0 0 0 FR
09 Oct 00 15:45:36 tcp 209.92.32.58.46564 ?> 130.216.73.78.36023 1 0 0 0 FR
09 Oct 00 15:45:39 tcp 209.92.32.58.62393 ?> 130.216.197.183.3900 1 0 0 0 FR
09 Oct 00 15:45:41 tcp 209.92.32.58.61339 ?> 130.216.219.164.34760 1 0 0 0 FR
09 Oct 00 15:45:43 tcp 209.92.32.58.18606 ?> 130.216.233.205.37246 1 0 0 0 FR
09 Oct 00 15:45:45 tcp 209.92.32.58.2192 ?> 130.216.148.72.31029 1 0 0 0 FR
09 Oct 00 15:45:49 tcp 209.92.32.58.61959 ?> 130.216.187.140.43743 1 0 0 0 FR
09 Oct 00 15:45:54 tcp 209.92.32.58.15817 ?> 130.216.101.153.56386 1 0 0 0 FR
09 Oct 00 15:45:55 tcp 209.92.32.58.39971 ?> 130.216.128.106.13535 1 0 0 0 FR
09 Oct 00 15:46:02 tcp 209.92.32.58.7927 ?> 130.216.218.159.42621 1 0 0 0 FR
09 Oct 00 15:46:03 tcp 209.92.32.58.57252 ?> 130.216.216.88.41852 1 0 0 0 FR
09 Oct 00 15:46:12 tcp 209.92.32.58.16216 ?> 130.216.209.234.59282 1 0 0 0 FR
09 Oct 00 15:46:16 tcp 209.92.32.58.4485 ?> 130.216.37.131.25495 1 0 0 0 FR
09 Oct 00 15:46:19 tcp 209.92.32.58.22294 ?> 130.216.47.108.50062 1 0 0 0 FR
09 Oct 00 15:46:19 tcp 209.92.32.58.23073 ?> 130.216.177.48.9923 1 0 0 0 FR
09 Oct 00 15:46:21 tcp 209.92.32.58.19954 ?> 130.216.184.158.51344 1 0 0 0 FR
argus 2.0.0n ra and server:
09 Oct 00 15:45:30.593265 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:30.594925 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:30.596971 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:30.603479 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:30.607711 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:26.483471 tcp 209.92.32.58.23402 o> 130.216.238.253.30286 1 0 64 0 E
09 Oct 00 15:45:30.500523 tcp 209.92.32.58.17675 o> 130.216.114.162.56316 1 0 64 0 E
09 Oct 00 15:45:30.578579 tcp 209.92.32.58.20264 o> 130.216.25.255.47516 1 0 64 0 E
09 Oct 00 15:45:30.615720 tcp 255.255.255.255.47516 o> 209.92.32.58.20264 1 0 64 0 R
09 Oct 00 15:45:31.220051 tcp 209.92.32.58.39231 o> 130.216.11.112.60519 1 0 64 0 E
09 Oct 00 15:45:35.570946 tcp 209.92.32.58.46564 o> 130.216.73.78.36023 1 0 64 0 E
09 Oct 00 15:45:38.099749 tcp 209.92.32.58.62393 o> 130.216.197.183.3900 1 0 64 0 E
09 Oct 00 15:45:40.127964 tcp 209.92.32.58.61339 o> 130.216.219.164.34760 1 0 64 0 E
09 Oct 00 15:45:42.822609 tcp 209.92.32.58.18606 o> 130.216.233.205.37246 1 0 64 0 E
09 Oct 00 15:45:44.399135 tcp 209.92.32.58.2192 o> 130.216.148.72.31029 1 0 64 0 E
09 Oct 00 15:45:48.444571 tcp 209.92.32.58.61959 o> 130.216.187.140.43743 1 0 64 0 E
09 Oct 00 15:45:53.144832 tcp 209.92.32.58.15817 o> 130.216.101.153.56386 1 0 64 0 E
09 Oct 00 15:45:53.928270 tcp 209.92.32.58.39971 o> 130.216.128.106.13535 1 0 64 0 E
09 Oct 00 15:46:00.997662 tcp 209.92.32.58.7927 o> 130.216.218.159.42621 1 0 64 0 E
09 Oct 00 15:46:02.548518 tcp 209.92.32.58.57252 o> 130.216.216.88.41852 1 0 64 0 E
09 Oct 00 15:46:11.495272 tcp 209.92.32.58.16216 o> 130.216.209.234.59282 1 0 64 0 E
09 Oct 00 15:46:15.690154 tcp 209.92.32.58.4485 o> 130.216.37.131.25495 1 0 64 0 E
09 Oct 00 15:46:18.329050 tcp 209.92.32.58.22294 o> 130.216.47.108.50062 1 0 64 0 E
09 Oct 00 15:46:18.366003 tcp 209.92.32.58.23073 o> 130.216.177.48.9923 1 0 64 0 E
09 Oct 00 15:46:20.319572 tcp 209.92.32.58.19954 o> 130.216.184.158.51344 1 0 64 0 E
09 Oct 00 15:46:22.263408 tcp 209.92.32.58.18024 o> 130.216.31.209.32482 1 0 64 0 E
09 Oct 00 15:46:23.485940 tcp 209.92.32.58.57253 o> 130.216.101.5.53415 1 0 64 0 E
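An added illustration, not argus source and not code from either poster, of the two first-packet checks Carter contrasts (comparing the flag byte for equality with TH_RST versus testing the bit) and of the OR-accumulated raw flag bits he says the record will carry; every function and type name below is hypothetical.

```c
/* Added example, not argus code: equality check on the TCP flag byte
 * (the 2.0.0n bug described above) beside a bit-test check, plus
 * OR-accumulation of raw flag bits across a flow. Names are hypothetical. */
#include <stdint.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10

/* State letters in the spirit of the ra output quoted above. */
enum flow_state { ST_REQ = 's', ST_EST = 'E', ST_RST = 'R', ST_FIN = 'F' };

/* Equality check: an RST|ACK segment (0x14) is not == TH_RST, so it falls
 * through to 'E', the erroneous state Russell saw in 2.0.0n. */
enum flow_state classify_first_buggy(uint8_t flags)
{
    if (flags == TH_SYN) return ST_REQ;
    if (flags == TH_RST) return ST_RST;
    if (flags & TH_FIN)  return ST_FIN;
    return ST_EST;
}

/* Bit test: RST is recognised whatever else is set alongside it. */
enum flow_state classify_first_fixed(uint8_t flags)
{
    if (flags & TH_RST) return ST_RST;
    if (flags & TH_FIN) return ST_FIN;
    if ((flags & (TH_SYN | TH_ACK)) == TH_SYN) return ST_REQ;
    return ST_EST;
}

struct flow { enum flow_state state; uint8_t raw_flags; unsigned pkts; };

/* The first packet sets the state; every packet ORs its bits into raw_flags,
 * so the record keeps what was actually seen, not only the derived state. */
void flow_add(struct flow *f, uint8_t flags)
{
    if (f->pkts == 0) f->state = classify_first_fixed(flags);
    f->raw_flags |= flags;
    f->pkts++;
}
```

With the raw bits kept alongside the state letter, a flow whose first segment was RST|ACK is reported as 'R' and still shows the ACK (and any later FIN) bits in the record.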