Bug in Argus 2.0.3??, and possibly others (not reporting on some traffic)

Carter Bullard carter at qosient.com
Sun Oct 14 23:02:11 EDT 2001 

So what happens when you:

   argus -r packet.file -w - | ra 

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Chris Newton
> Sent: Sunday, October 14, 2001 11:02 PM
> To: argus; Peter Van Epp
> Subject: RE: Bug in Argus 2.0.3??, and possibly others (not 
> reporting on some traffic)
> 
> 
> Here are a Xmas scan, and a Fyn scan.  Obviously, text isn't 
> the best manner 
> to relay the tcpdump files,.. but I thought I post this for now.
> 
> 
>   Here is what tcpdump saw, on the attacking machine, when 
> doing a -sF (FYN 
> scan):
> 
> [root at socrates ~]$ /usr/sbin/tcpdump -r test |more 
> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.2016: F 
> 0:0(0) win 2048
> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.1511: F 
> 0:0(0) win 2048
> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.cmip-agent: F 0:0(0) win 2048
> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.349: F 
> 0:0(0) win 2048
> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.omirr: F 
> 0:0(0) win 2048
> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.414: F 
> 0:0(0) win 2048
> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.1526: F 
> 0:0(0) win 2048
> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.1533: F 
> 0:0(0) win 2048
> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.285: F 
> 0:0(0) win 2048
> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.594: F 
> 0:0(0) win 2048
> 23:45:01.092961 eth0 < 131.202.160.2.2016 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.092961 eth0 < 131.202.160.2.1511 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.092961 eth0 < 131.202.160.2.cmip-agent > 
> socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048 
> 23:45:01.092961 eth0 < 131.202.160.2.349 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.092961 eth0 < 131.202.160.2.omirr > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.102961 eth0 < 131.202.160.2.414 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.102961 eth0 < 131.202.160.2.1526 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.102961 eth0 < 131.202.160.2.1533 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.102961 eth0 < 131.202.160.2.285 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.102961 eth0 < 131.202.160.2.594 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.5300: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.phonebook: 
> F 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.711: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.795: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.936: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.886: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.165: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.402: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.181: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.1401: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.1385: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.570: F 
> 0:0(0) win 2048
> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.183: F 
> 0:0(0) win 2048
> 23:45:01.112961 eth0 < 131.202.160.2.5300 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.122961 eth0 < 131.202.160.2.phonebook > 
> socrates.whitelight.ca.43634: 
> R 0:0(0) ack 1 win 2048
> 23:45:01.122961 eth0 < 131.202.160.2.711 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.122961 eth0 < 131.202.160.2.795 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.122961 eth0 < 131.202.160.2.936 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.122961 eth0 < 131.202.160.2.886 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.132961 eth0 < 131.202.160.2.165 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.132961 eth0 < 131.202.160.2.402 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.132961 eth0 < 131.202.160.2.181 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.132961 eth0 < 131.202.160.2.1401 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.132961 eth0 < 131.202.160.2.1385 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.132961 eth0 < 131.202.160.2.570 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.132961 eth0 < 131.202.160.2.183 > 
> socrates.whitelight.ca.43634: R 
> 0:0(0) ack 1 win 2048
> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.987: F 
> 0:0(0) win 2048
> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.8009: F 
> 0:0(0) win 2048
> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.981: F 
> 0:0(0) win 2048
> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.ldaps: F 
> 0:0(0) win 2048
> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.305: F 
> 0:0(0) win 2048
> 23:45:01.142961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.856: F 
> 0:0(0) win 2048
> 23:45:01.142961 eth0 > socrates.whitelight.ca.43634 > 
> 131.202.160.2.294: F 
> 0:0(0) win 2048
> .... clipped
> 
> 
> here is stuff from a -sX (christmas tree scan (all flags):
> 
> [root at socrates ~]$ /usr/sbin/tcpdump -r test | more 
> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.daytime: 
> FP 0:0(0) win 3072 urg 0
> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.1453: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.198: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.642: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.6142: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.at-rtmp: 
> FP 0:0(0) win 3072 urg 0
> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.147: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.1487: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.1446: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.745: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.812961 eth0 < 131.202.160.2.daytime > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.822961 eth0 < 131.202.160.2.1453 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.822961 eth0 < 131.202.160.2.198 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.822961 eth0 < 131.202.160.2.642 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.822961 eth0 < 131.202.160.2.6142 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.822961 eth0 < 131.202.160.2.at-rtmp > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.822961 eth0 < 131.202.160.2.147 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.832961 eth0 < 131.202.160.2.1487 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.832961 eth0 < 131.202.160.2.1446 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.832961 eth0 < 131.202.160.2.745 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.386: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.598: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.https: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.451: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.364: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.338: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.490: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.447: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.221: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.907: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.299: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.mobileip-agent: FP 0:0(0) win 3072 urg 0 
> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 
> 131.202.160.2.255: FP 
> 0:0(0) win 3072 urg 0
> 23:50:59.842961 eth0 < 131.202.160.2.386 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.842961 eth0 < 131.202.160.2.598 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.852961 eth0 < 131.202.160.2.https > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.852961 eth0 < 131.202.160.2.451 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.852961 eth0 < 131.202.160.2.364 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.852961 eth0 < 131.202.160.2.338 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.852961 eth0 < 131.202.160.2.490 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.852961 eth0 < 131.202.160.2.447 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.852961 eth0 < 131.202.160.2.221 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.862961 eth0 < 131.202.160.2.907 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.862961 eth0 < 131.202.160.2.299 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 23:50:59.862961 eth0 < 131.202.160.2.mobileip-agent > 
> socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072 
> 23:50:59.862961 eth0 < 131.202.160.2.255 > 
> socrates.whitelight.ca.57102: R 
> 0:0(0) ack 1 win 3072
> 
> 
> 
> 
> >===== Original Message From Peter Van Epp <vanepp at sfu.ca> 
> ===== <snip>
> >>
> >> Scans that I could see include:
> >>
> >> RPC, TCP Connect, Syn, Ping, UDP
> >> in nmap speak (-sR, -sT, -sS, -sP, -sU)
> >>
> >>
> >>   Any ideas?
> >>
> >> Chris
> >>
> >>
> >	A tcpdump of the nmap scan to see what packets argus is 
> seeing would 
> >be my first suggestion (that would also let Carter reproduce the 
> >problem). If I get time I'll try and reproduce this.
> >
> >Peter Van Epp / Operations and Technical Support
> >Simon Fraser University, Burnaby, B.C. Canada
> 
>

More information about the argus mailing list