Does argus record the IP ID field?

Carter Bullard carter at qosient.com
Thu Apr 26 16:30:40 EDT 2001


Hey Chris,
   Well, we do just this for many of these situations that
you mention.  If the TTL or TOS change, if the MAC addrs
change, we indicate offset errors, and fragment reassembly
problems, out of order packets, out of order fragments, etc.

   But there is not a consistent treatment of this.
Before we can implement anything, however, we need to know
what to indicate.  Any specific suggestions?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of 
> Chris Newton
> Sent: Thursday, April 26, 2001 12:58 PM
> To: Argus (E-mail); Carter Bullard; Russell Fulton
> Subject: RE: Does argus record the IP ID field?
> 
> 
> Along this line, I wonder if there is a way to add some other bits of info to
> argus.  Specifically.. do you think it is possible for argus to report on
> traffic 'strangeness'?  By that I mean, say a flow has started normally,
> nothing to raise concern... but, during the flow 1 of the packets has illegal
> tcp options set, or the TTL has changed (on that 1 packet), or it is
> fragmented when others in the flow were not (I presume that in 1 given flow,
> that if packets a, b, c are not fragmented, but d is, then e, f, g and h are
> not again, that this would be strange, no?).  What I am getting at is this...
> signalling possible insertion and evasion techniques used by hackers to get
> past intrusion detection systems.  There is lots of weirdness tracked by argus
> now... I'm wondering if it can be extended...  I think it wouldn't be hard,
> but... I didn't write the code :).  I figure, since we are seeing all the
> packets in a flow now anyways, we can tag the ones that are weird (like
> examples above) pretty easily.
> 
> 
> >===== Original Message From <carter at qosient.com> =====
> >Hey Russell,
> >   For all IP flows we track the ip_id, but we only report it
> >currently for some ICMP flows and fragmentOnly flows.
> >
> >   Adding it is not a problem at all.  There is a place for
> >one ip_id in the basic IP flow descriptor.  But that would
> >be only one ip_id.  In this case we could report the last src
> >or dst ip_id or just the last ip_id seen on the flow, (either
> >src or dst).
> >
> >   If you want the ip_id for both directions, I only have
> >to make a small change to the FlowAttributes data structure.
> >This will generate a version issue, but I can handle that
> >without any trouble.  In this case would you want the
> >last ip_id seen or the first one seen for the period?
> >
> >Carter
> >
> >Carter Bullard
> >QoSient, LLC
> >300 E. 56th Street, Suite 18K
> >New York, New York  10022
> >
> >carter at qosient.com
> >Phone +1 212 588-9133
> >Fax   +1 212 588-9134
> >http://qosient.com
> >
> >> -----Original Message-----
> >> From: owner-argus-info at lists.andrew.cmu.edu
> >> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Russell
> >> Fulton
> >> Sent: Wednesday, April 25, 2001 9:16 PM
> >> To: Argus (E-mail)
> >> Subject: Does argus record the IP ID field?
> >>
> >>
> >> Subject says it all.  I am tracking some weird traffic, one of the
> >> characteristics is that all packets from several different sources have
> >> the same IP ID.  I have been capturing samples using tcpdump and I am
> >> now going back through my archived data to see when this started.
> >> Having the ID would help positively identify the traffic.
> >>
> >> Cheers, Russell
> >>
> >>
> 
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> 
> Chris Newton, Systems Analyst
> Computing Services, University of New Brunswick
> newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
> 
> 
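The per-flow tagging Chris proposes (TTL change, an isolated fragment, unexpected TCP options) and the per-direction first/last ip_id reporting Carter describes, worked through as an added Python example; this is not Argus code or anything posted in the thread, and the Pkt record, the sample flow and the TCP-option allow-list are constructed assumptions:

```python
from dataclasses import dataclass
from collections import defaultdict

# TCP option kinds a plain stack is expected to emit (IANA: EOL, NOP, MSS, window
# scale, SACK-permitted, SACK, timestamps); an assumption of this example, not Argus.
KNOWN_TCP_OPTS = {0, 1, 2, 3, 4, 5, 8}

@dataclass
class Pkt:
    src: str
    dst: str
    ttl: int
    ip_id: int
    frag: bool = False     # MF set or non-zero fragment offset
    tcp_opts: tuple = ()   # TCP option kinds carried by the segment

def analyze_flow(pkts):
    """Per-direction first/last ip_id plus (tag, where) anomaly records."""
    tags, first_id, last_id, first_ttl = [], {}, {}, {}
    ids = defaultdict(list)
    for i, p in enumerate(pkts):
        d = (p.src, p.dst)
        first_id.setdefault(d, p.ip_id)
        last_id[d] = p.ip_id
        ids[d].append(p.ip_id)
        # TTL differing from the first packet seen in that direction
        if first_ttl.setdefault(d, p.ttl) != p.ttl:
            tags.append(("ttl-change", i))
        # option kinds outside the allow-list
        if set(p.tcp_opts) - KNOWN_TCP_OPTS:
            tags.append(("illegal-tcp-option", i))
        # one fragmented packet between unfragmented neighbours (Chris's a..h case)
        if p.frag and 0 < i < len(pkts) - 1 and not (pkts[i - 1].frag or pkts[i + 1].frag):
            tags.append(("isolated-fragment", i))
    # Russell's case: every packet in a direction carrying the same IP ID
    for d, seq in ids.items():
        if len(seq) >= 3 and len(set(seq)) == 1:
            tags.append(("constant-ip-id", d))
    return {"first_ip_id": first_id, "last_ip_id": last_id, "tags": tags}

# constructed sample flow: 10.0.0.5 (client) <-> 10.0.0.9 (server)
A, B = "10.0.0.5", "10.0.0.9"
SAMPLE = [
    Pkt(A, B, 64, 100, tcp_opts=(2, 4, 8)), Pkt(B, A, 128, 7000, tcp_opts=(2, 4, 8)),
    Pkt(A, B, 64, 101), Pkt(A, B, 64, 102, frag=True),  # fragmented, neighbours are not
    Pkt(A, B, 12, 103),                                   # TTL drops on one packet
    Pkt(A, B, 64, 104, tcp_opts=(1, 254)),               # kind 254 is outside the list
    Pkt(B, A, 128, 7000), Pkt(B, A, 128, 7000),          # server side repeats one IP ID
]
```

Running analyze_flow(SAMPLE) tags packets 3, 4 and 5 and the constant server-side ip_id, and reports first/last ip_id per direction the way Carter's FlowAttributes change would.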