Bug in Argus 2.0.3??, and possibly others (not reporting on some traffic)

Chris Newton newton at unb.ca
Sun Oct 14 23:02:13 EDT 2001 

Here are a Xmas scan, and a Fyn scan.  Obviously, text isn't the best manner 
to relay the tcpdump files,.. but I thought I post this for now.


  Here is what tcpdump saw, on the attacking machine, when doing a -sF (FYN 
scan):

[root at socrates ~]$ /usr/sbin/tcpdump -r test |more
23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.2016: F 
0:0(0) win 2048
23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1511: F 
0:0(0) win 2048
23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
131.202.160.2.cmip-agent: F 0:0(0) win 2048
23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.349: F 
0:0(0) win 2048
23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.omirr: F 
0:0(0) win 2048
23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.414: F 
0:0(0) win 2048
23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1526: F 
0:0(0) win 2048
23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1533: F 
0:0(0) win 2048
23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.285: F 
0:0(0) win 2048
23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.594: F 
0:0(0) win 2048
23:45:01.092961 eth0 < 131.202.160.2.2016 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.092961 eth0 < 131.202.160.2.1511 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.092961 eth0 < 131.202.160.2.cmip-agent > 
socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
23:45:01.092961 eth0 < 131.202.160.2.349 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.092961 eth0 < 131.202.160.2.omirr > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.102961 eth0 < 131.202.160.2.414 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.102961 eth0 < 131.202.160.2.1526 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.102961 eth0 < 131.202.160.2.1533 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.102961 eth0 < 131.202.160.2.285 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.102961 eth0 < 131.202.160.2.594 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.5300: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.phonebook: 
F 0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.711: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.795: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.936: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.886: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.165: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.402: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.181: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1401: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1385: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.570: F 
0:0(0) win 2048
23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.183: F 
0:0(0) win 2048
23:45:01.112961 eth0 < 131.202.160.2.5300 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.122961 eth0 < 131.202.160.2.phonebook > socrates.whitelight.ca.43634: 
R 0:0(0) ack 1 win 2048
23:45:01.122961 eth0 < 131.202.160.2.711 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.122961 eth0 < 131.202.160.2.795 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.122961 eth0 < 131.202.160.2.936 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.122961 eth0 < 131.202.160.2.886 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.132961 eth0 < 131.202.160.2.165 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.132961 eth0 < 131.202.160.2.402 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.132961 eth0 < 131.202.160.2.181 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.132961 eth0 < 131.202.160.2.1401 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.132961 eth0 < 131.202.160.2.1385 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.132961 eth0 < 131.202.160.2.570 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.132961 eth0 < 131.202.160.2.183 > socrates.whitelight.ca.43634: R 
0:0(0) ack 1 win 2048
23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.987: F 
0:0(0) win 2048
23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.8009: F 
0:0(0) win 2048
23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.981: F 
0:0(0) win 2048
23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.ldaps: F 
0:0(0) win 2048
23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.305: F 
0:0(0) win 2048
23:45:01.142961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.856: F 
0:0(0) win 2048
23:45:01.142961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.294: F 
0:0(0) win 2048
.... clipped


here is stuff from a -sX (christmas tree scan (all flags):

[root at socrates ~]$ /usr/sbin/tcpdump -r test | more
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.daytime: 
FP 0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.1453: FP 
0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.198: FP 
0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.642: FP 
0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.6142: FP 
0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.at-rtmp: 
FP 0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.147: FP 
0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.1487: FP 
0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.1446: FP 
0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.745: FP 
0:0(0) win 3072 urg 0
23:50:59.812961 eth0 < 131.202.160.2.daytime > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.822961 eth0 < 131.202.160.2.1453 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.822961 eth0 < 131.202.160.2.198 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.822961 eth0 < 131.202.160.2.642 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.822961 eth0 < 131.202.160.2.6142 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.822961 eth0 < 131.202.160.2.at-rtmp > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.822961 eth0 < 131.202.160.2.147 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.832961 eth0 < 131.202.160.2.1487 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.832961 eth0 < 131.202.160.2.1446 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.832961 eth0 < 131.202.160.2.745 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.386: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.598: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.https: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.451: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.364: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.338: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.490: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.447: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.221: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.907: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.299: FP 
0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
131.202.160.2.mobileip-agent: FP 0:0(0) win 3072 urg 0
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.255: FP 
0:0(0) win 3072 urg 0
23:50:59.842961 eth0 < 131.202.160.2.386 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.842961 eth0 < 131.202.160.2.598 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.852961 eth0 < 131.202.160.2.https > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.852961 eth0 < 131.202.160.2.451 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.852961 eth0 < 131.202.160.2.364 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.852961 eth0 < 131.202.160.2.338 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.852961 eth0 < 131.202.160.2.490 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.852961 eth0 < 131.202.160.2.447 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.852961 eth0 < 131.202.160.2.221 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.862961 eth0 < 131.202.160.2.907 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.862961 eth0 < 131.202.160.2.299 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072
23:50:59.862961 eth0 < 131.202.160.2.mobileip-agent > 
socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
23:50:59.862961 eth0 < 131.202.160.2.255 > socrates.whitelight.ca.57102: R 
0:0(0) ack 1 win 3072




>===== Original Message From Peter Van Epp <vanepp at sfu.ca> =====
><snip>
>>
>> Scans that I could see include:
>>
>> RPC, TCP Connect, Syn, Ping, UDP
>> in nmap speak (-sR, -sT, -sS, -sP, -sU)
>>
>>
>>   Any ideas?
>>
>> Chris
>>
>>
>	A tcpdump of the nmap scan to see what packets argus is seeing would
>be my first suggestion (that would also let Carter reproduce the problem).
>If I get time I'll try and reproduce this.
>
>Peter Van Epp / Operations and Technical Support
>Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list