1.8.1 and 2.0.0n differences
Carter Bullard
carter at qosient.com
Mon Oct 9 09:14:00 EDT 2000
Hey Russell,
I was under the impression that a broadcast address
as the source is considered illegal by a router, so
anything with a 255.255.255.255 source address should
be local? Did they come from a local MAC address?
Carter
-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
Sent: Monday, October 09, 2000 12:08 AM
To: Argus (E-mail)
Subject: 1.8.1 and 2.0.0n differences
Hi Carter,
Here is a short burst of traffic that got reported rather
differently by ra in two different versions of argus.
1.8.1 sets FINWAIT and RST, 2.0.0 just sets EST. What flags were really in
those packets I don't know :( I had thought that the FR records were
generated by lone RST packets in 1.8.
Aside: If anyone has any ideas about the significance of this traffic
I would be interested. I'm guessing that it is some kind of fallout
from an attack on 209.92.32.58 where packets with our address were
used but where the 255.255.255.255 record fits in I don't know.
BTW, is there any way we can suppress the usecs on the timestamp?
Cheers, Russell.
argus 1.8.1 ra and server:
09 Oct 00 15:45:27 tcp 209.92.32.58.23402 ?> 130.216.238.253.30286 1 0 0 0 FR
09 Oct 00 15:45:31 tcp 209.92.32.58.17675 ?> 130.216.114.162.56316 1 0 0 0 FR
09 Oct 00 15:45:31 tcp 209.92.32.58.20264 ?> 130.216.25.255.47516 1 0 0 0 FR
09 Oct 00 15:45:31 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 11 0 0 0 FR
09 Oct 00 15:45:32 tcp 209.92.32.58.39231 ?> 130.216.11.112.60519 1 0 0 0 FR
09 Oct 00 15:45:36 tcp 209.92.32.58.46564 ?> 130.216.73.78.36023 1 0 0 0 FR
09 Oct 00 15:45:39 tcp 209.92.32.58.62393 ?> 130.216.197.183.3900 1 0 0 0 FR
09 Oct 00 15:45:41 tcp 209.92.32.58.61339 ?> 130.216.219.164.34760 1 0 0 0 FR
09 Oct 00 15:45:43 tcp 209.92.32.58.18606 ?> 130.216.233.205.37246 1 0 0 0 FR
09 Oct 00 15:45:45 tcp 209.92.32.58.2192 ?> 130.216.148.72.31029 1 0 0 0 FR
09 Oct 00 15:45:49 tcp 209.92.32.58.61959 ?> 130.216.187.140.43743 1 0 0 0 FR
09 Oct 00 15:45:54 tcp 209.92.32.58.15817 ?> 130.216.101.153.56386 1 0 0 0 FR
09 Oct 00 15:45:55 tcp 209.92.32.58.39971 ?> 130.216.128.106.13535 1 0 0 0 FR
09 Oct 00 15:46:02 tcp 209.92.32.58.7927 ?> 130.216.218.159.42621 1 0 0 0 FR
09 Oct 00 15:46:03 tcp 209.92.32.58.57252 ?> 130.216.216.88.41852 1 0 0 0 FR
09 Oct 00 15:46:12 tcp 209.92.32.58.16216 ?> 130.216.209.234.59282 1 0 0 0 FR
09 Oct 00 15:46:16 tcp 209.92.32.58.4485 ?> 130.216.37.131.25495 1 0 0 0 FR
09 Oct 00 15:46:19 tcp 209.92.32.58.22294 ?> 130.216.47.108.50062 1 0 0 0 FR
09 Oct 00 15:46:19 tcp 209.92.32.58.23073 ?> 130.216.177.48.9923 1 0 0 0 FR
09 Oct 00 15:46:21 tcp 209.92.32.58.19954 ?> 130.216.184.158.51344 1 0 0 0 FR
argus 2.0.0n ra and server:
09 Oct 00 15:45:30.593265 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:30.594925 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:30.596971 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:30.603479 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:30.607711 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:26.483471 tcp 209.92.32.58.23402 o> 130.216.238.253.30286 1 0 64 0 E
09 Oct 00 15:45:30.500523 tcp 209.92.32.58.17675 o> 130.216.114.162.56316 1 0 64 0 E
09 Oct 00 15:45:30.578579 tcp 209.92.32.58.20264 o> 130.216.25.255.47516 1 0 64 0 E
09 Oct 00 15:45:30.615720 tcp 255.255.255.255.47516 o> 209.92.32.58.20264 1 0 64 0 R
09 Oct 00 15:45:31.220051 tcp 209.92.32.58.39231 o> 130.216.11.112.60519 1 0 64 0 E
09 Oct 00 15:45:35.570946 tcp 209.92.32.58.46564 o> 130.216.73.78.36023 1 0 64 0 E
09 Oct 00 15:45:38.099749 tcp 209.92.32.58.62393 o> 130.216.197.183.3900 1 0 64 0 E
09 Oct 00 15:45:40.127964 tcp 209.92.32.58.61339 o> 130.216.219.164.34760 1 0 64 0 E
09 Oct 00 15:45:42.822609 tcp 209.92.32.58.18606 o> 130.216.233.205.37246 1 0 64 0 E
09 Oct 00 15:45:44.399135 tcp 209.92.32.58.2192 o> 130.216.148.72.31029 1 0 64 0 E
09 Oct 00 15:45:48.444571 tcp 209.92.32.58.61959 o> 130.216.187.140.43743 1 0 64 0 E
09 Oct 00 15:45:53.144832 tcp 209.92.32.58.15817 o> 130.216.101.153.56386 1 0 64 0 E
09 Oct 00 15:45:53.928270 tcp 209.92.32.58.39971 o> 130.216.128.106.13535 1 0 64 0 E
09 Oct 00 15:46:00.997662 tcp 209.92.32.58.7927 o> 130.216.218.159.42621 1 0 64 0 E
09 Oct 00 15:46:02.548518 tcp 209.92.32.58.57252 o> 130.216.216.88.41852 1 0 64 0 E
09 Oct 00 15:46:11.495272 tcp 209.92.32.58.16216 o> 130.216.209.234.59282 1 0 64 0 E
09 Oct 00 15:46:15.690154 tcp 209.92.32.58.4485 o> 130.216.37.131.25495 1 0 64 0 E
09 Oct 00 15:46:18.329050 tcp 209.92.32.58.22294 o> 130.216.47.108.50062 1 0 64 0 E
09 Oct 00 15:46:18.366003 tcp 209.92.32.58.23073 o> 130.216.177.48.9923 1 0 64 0 E
09 Oct 00 15:46:20.319572 tcp 209.92.32.58.19954 o> 130.216.184.158.51344 1 0 64 0 E
09 Oct 00 15:46:22.263408 tcp 209.92.32.58.18024 o> 130.216.31.209.32482 1 0 64 0 E
09 Oct 00 15:46:23.485940 tcp 209.92.32.58.57253 o> 130.216.101.5.53415 1 0 64 0 E
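The two listings above, worked through as an added example that is not part of the thread and not argus code: a small Python parser for the 13-field ra text layout as quoted (date, time, proto, src.port, direction, dst.port, four numeric columns, state letters), followed by the two checks an analyst would want here. The first flags records whose source address can never legitimately originate a packet (the limited broadcast 255.255.255.255 that Carter raises, plus multicast, loopback and 0.0.0.0 per RFC 1122); the second pairs such a reply with the request whose peer end it mirrors (here the 255.255.255.255.47516 records line up with the record sent to 130.216.25.255.47516 on the same ports); the third diffs the state letters the two argus versions reported for the same flow key. The four numeric columns are not named on the page, so the parser keeps them as an opaque tuple; the sample records are a subset of the quoted output rejoined onto one line each.

```python
"""Parse the two 'ra' text layouts quoted in this thread and run defender-side
checks over the records: flag sources that can never originate a packet, pair
such replies with the request whose peer end they match, and diff the state
letters two argus versions reported for the same flow key."""
import ipaddress
from collections import namedtuple
from datetime import datetime

# Constructed sample: a subset of the records quoted in the message above,
# rejoined onto one line each so the parser can run stand-alone.
RA_181 = """\
09 Oct 00 15:45:27 tcp 209.92.32.58.23402 ?> 130.216.238.253.30286 1 0 0 0 FR
09 Oct 00 15:45:31 tcp 209.92.32.58.20264 ?> 130.216.25.255.47516 1 0 0 0 FR
09 Oct 00 15:45:31 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 11 0 0 0 FR
"""
RA_200 = """\
09 Oct 00 15:45:30.593265 tcp 255.255.255.255.47516 ?> 209.92.32.58.20264 2 0 128 0 R
09 Oct 00 15:45:26.483471 tcp 209.92.32.58.23402 o> 130.216.238.253.30286 1 0 64 0 E
09 Oct 00 15:45:30.578579 tcp 209.92.32.58.20264 o> 130.216.25.255.47516 1 0 64 0 E
09 Oct 00 15:45:30.615720 tcp 255.255.255.255.47516 o> 209.92.32.58.20264 1 0 64 0 R
"""

# The four numeric columns are kept as an opaque tuple: the thread does not
# name them, so this parser does not either.
Record = namedtuple("Record", "ts proto src sport direction dst dport counts state")


def _addr_port(tok):
    # ra prints host.port; the last dotted component is the port.
    host, port = tok.rsplit(".", 1)
    return ipaddress.ip_address(host), int(port)


def parse_ra_line(line):
    f = line.split()
    if len(f) != 13:
        raise ValueError("unexpected ra layout: %r" % line)
    # 2.0.0n prints microseconds, 1.8.1 does not; pick the format by the clock field.
    fmt = "%d %b %y %H:%M:%S.%f" if "." in f[3] else "%d %b %y %H:%M:%S"
    ts = datetime.strptime(" ".join(f[:4]), fmt)
    src, sport = _addr_port(f[5])
    dst, dport = _addr_port(f[7])
    return Record(ts, f[4], src, sport, f[6], dst, dport,
                  tuple(int(x) for x in f[8:12]), f[12])


def parse_ra(text):
    return [parse_ra_line(ln) for ln in text.splitlines() if ln.strip()]


LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def illegal_source(rec):
    """RFC 1122 forbids these as source addresses: limited broadcast,
    multicast, loopback and the unspecified address.  A packet carrying one
    was either forged or emitted by a broken stack, and a router should not
    have forwarded it, which is the point raised at the top of the thread."""
    s = rec.src
    return s == LIMITED_BROADCAST or s.is_multicast or s.is_loopback or s.is_unspecified


def find_mismatched_replies(recs):
    """For each record with an illegal source, find records whose peer end it
    mirrors (their src:sport is our dst:dport and their dport is our sport)
    but whose destination is not our source.  The pairing is purely positional;
    it shows which request a broadcast-sourced reply lines up with."""
    pairs = []
    for reply in recs:
        if not illegal_source(reply):
            continue
        for req in recs:
            if (req.proto == reply.proto and req.src == reply.dst
                    and req.sport == reply.dport and req.dport == reply.sport
                    and req.dst != reply.src):
                pairs.append((req, reply))
    return pairs


def flow_key(rec):
    return (rec.proto, str(rec.src), rec.sport, str(rec.dst), rec.dport)


def compare_states(recs_a, recs_b):
    """Return, per flow key seen in either input, the set of state letters each
    version reported, keeping only keys where the two versions disagree."""
    seen = {}
    for label, recs in (("a", recs_a), ("b", recs_b)):
        for r in recs:
            seen.setdefault(flow_key(r), {"a": set(), "b": set()})[label].add(r.state)
    return {k: v for k, v in seen.items() if v["a"] != v["b"]}


if __name__ == "__main__":
    old, new = parse_ra(RA_181), parse_ra(RA_200)
    for r in old + new:
        if illegal_source(r):
            print("illegal source: %s %s:%d -> %s:%d %s"
                  % (r.ts, r.src, r.sport, r.dst, r.dport, r.state))
    for req, rep in find_mismatched_replies(new):
        print("reply from %s lines up with request %s:%d -> %s:%d"
              % (rep.src, req.src, req.sport, req.dst, req.dport))
    for key, states in compare_states(old, new).items():
        print("%s: 1.8.1=%s 2.0.0n=%s" % (key, sorted(states["a"]), sorted(states["b"])))
```

Run against the full listings, `compare_states` reports every flow key on which the two versions disagree (all of them in this capture, since 1.8.1 wrote FR where 2.0.0n wrote E or R), and `find_mismatched_replies` ties each 255.255.255.255 record to the 130.216.25.255.47516 record by port alone, without asserting why the reply carried a broadcast source.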