Bug in Argus 2.0.3??, and possibly others (not reporting on some traffic)

Carter Bullard carter at qosient.com
Mon Oct 15 07:25:48 EDT 2001


Well, there could still be a bug.  The only way to catch
it is to be capturing packets while argus is producing
the unexpected results, and then demonstrate that the
captured packet file contains the actual data expected.
This is the only way that we can be sure that the argus
is mishandling packets, rather than the network pushing
the packets somewhere unexpected.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: Chris Newton [mailto:newton at unb.ca] 
> Sent: Sunday, October 14, 2001 11:28 PM
> To: carter at qosient.com; argus; Peter Van Epp
> Subject: RE: Bug in Argus 2.0.3??, and possibly others (not reporting on some traffic)
> 
> 
> Ok, I'm way confused...  I get output that I would expect.  How
> could that happen?  I tracerouted the connection from the remote one
> to the campus network; it does certainly go past where argus is
> monitoring.
> 
>   I even ran this with the same command line options that I have the
> server running as:
> 
> /usr/local/argus-2.0.3/bin/argus_linux -S 30 -M 30 -F /usr/local/conf/argus.conf -r test23 -w - | /usr/local/argus-2.0.3/bin/ra | more
> 
> 
> 
> 15 Oct 01 00:15:52    man version=2.0     probeid=phantom.csd.unb          STA
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.929          RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.811          RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.410          RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.1016         RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.260          RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.7010         RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.775          RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.316          RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.230          RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.150          RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.1472         RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.428          RST
> 14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.575          RST
> 
> 
> >===== Original Message From <carter at qosient.com> =====
> >So what happens when you:
> >
> >   argus -r packet.file -w - | ra
> >
> >Carter
> >
> >Carter Bullard
> >QoSient, LLC
> >300 E. 56th Street, Suite 18K
> >New York, New York  10022
> >
> >carter at qosient.com
> >Phone +1 212 588-9133
> >Fax   +1 212 588-9134
> >http://qosient.com
> >
> >> -----Original Message-----
> >> From: owner-argus-info at lists.andrew.cmu.edu
> >> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Chris Newton
> >> Sent: Sunday, October 14, 2001 11:02 PM
> >> To: argus; Peter Van Epp
> >> Subject: RE: Bug in Argus 2.0.3??, and possibly others (not reporting on some traffic)
> >>
> >>
> >> Here are an Xmas scan and a FIN scan.  Obviously, text isn't the best
> >> manner to relay the tcpdump files, but I thought I'd post this for now.
> >>
> >>
> >>   Here is what tcpdump saw, on the attacking machine, when doing a
> >> -sF (FIN scan):
> >>
> >> [root at socrates ~]$ /usr/sbin/tcpdump -r test |more
> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.2016: F 0:0(0) win 2048
> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1511: F 0:0(0) win 2048
> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.cmip-agent: F 0:0(0) win 2048
> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.349: F 0:0(0) win 2048
> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.omirr: F 0:0(0) win 2048
> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.414: F 0:0(0) win 2048
> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1526: F 0:0(0) win 2048
> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1533: F 0:0(0) win 2048
> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.285: F 0:0(0) win 2048
> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.594: F 0:0(0) win 2048
> >> 23:45:01.092961 eth0 < 131.202.160.2.2016 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.092961 eth0 < 131.202.160.2.1511 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.092961 eth0 < 131.202.160.2.cmip-agent > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.092961 eth0 < 131.202.160.2.349 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.092961 eth0 < 131.202.160.2.omirr > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.102961 eth0 < 131.202.160.2.414 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.102961 eth0 < 131.202.160.2.1526 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.102961 eth0 < 131.202.160.2.1533 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.102961 eth0 < 131.202.160.2.285 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.102961 eth0 < 131.202.160.2.594 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.5300: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.phonebook: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.711: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.795: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.936: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.886: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.165: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.402: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.181: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1401: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1385: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.570: F 0:0(0) win 2048
> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.183: F 0:0(0) win 2048
> >> 23:45:01.112961 eth0 < 131.202.160.2.5300 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.122961 eth0 < 131.202.160.2.phonebook > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.122961 eth0 < 131.202.160.2.711 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.122961 eth0 < 131.202.160.2.795 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.122961 eth0 < 131.202.160.2.936 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.122961 eth0 < 131.202.160.2.886 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.132961 eth0 < 131.202.160.2.165 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.132961 eth0 < 131.202.160.2.402 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.132961 eth0 < 131.202.160.2.181 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.132961 eth0 < 131.202.160.2.1401 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.132961 eth0 < 131.202.160.2.1385 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.132961 eth0 < 131.202.160.2.570 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.132961 eth0 < 131.202.160.2.183 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.987: F 0:0(0) win 2048
> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.8009: F 0:0(0) win 2048
> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.981: F 0:0(0) win 2048
> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.ldaps: F 0:0(0) win 2048
> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.305: F 0:0(0) win 2048
> >> 23:45:01.142961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.856: F 0:0(0) win 2048
> >> 23:45:01.142961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.294: F 0:0(0) win 2048
> >> .... clipped
> >>
> >>
> >> Here is stuff from a -sX (Christmas tree scan, all flags):
> >>
> >> [root at socrates ~]$ /usr/sbin/tcpdump -r test | more
> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.daytime: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.1453: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.198: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.642: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.6142: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.at-rtmp: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.147: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.1487: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.1446: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.745: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.812961 eth0 < 131.202.160.2.daytime > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.822961 eth0 < 131.202.160.2.1453 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.822961 eth0 < 131.202.160.2.198 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.822961 eth0 < 131.202.160.2.642 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.822961 eth0 < 131.202.160.2.6142 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.822961 eth0 < 131.202.160.2.at-rtmp > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.822961 eth0 < 131.202.160.2.147 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.832961 eth0 < 131.202.160.2.1487 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.832961 eth0 < 131.202.160.2.1446 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.832961 eth0 < 131.202.160.2.745 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.386: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.598: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.https: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.451: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.364: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.338: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.490: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.447: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.221: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.907: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.299: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.mobileip-agent: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.255: FP 0:0(0) win 3072 urg 0
> >> 23:50:59.842961 eth0 < 131.202.160.2.386 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.842961 eth0 < 131.202.160.2.598 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.852961 eth0 < 131.202.160.2.https > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.852961 eth0 < 131.202.160.2.451 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.852961 eth0 < 131.202.160.2.364 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.852961 eth0 < 131.202.160.2.338 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.852961 eth0 < 131.202.160.2.490 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.852961 eth0 < 131.202.160.2.447 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.852961 eth0 < 131.202.160.2.221 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.862961 eth0 < 131.202.160.2.907 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.862961 eth0 < 131.202.160.2.299 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.862961 eth0 < 131.202.160.2.mobileip-agent > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >> 23:50:59.862961 eth0 < 131.202.160.2.255 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
> >>
> >>
> >>
> >>
> >> >===== Original Message From Peter Van Epp <vanepp at sfu.ca>
> >> ===== <snip>
> >> >>
> >> >> Scans that I could see include:
> >> >>
> >> >> RPC, TCP Connect, Syn, Ping, UDP
> >> >> in nmap speak (-sR, -sT, -sS, -sP, -sU)
> >> >>
> >> >>
> >> >>   Any ideas?
> >> >>
> >> >> Chris
> >> >>
> >> >>
> >> >	A tcpdump of the nmap scan to see what packets argus is seeing would
> >> >be my first suggestion (that would also let Carter reproduce the
> >> >problem). If I get time I'll try and reproduce this.
> >> >
> >> >Peter Van Epp / Operations and Technical Support
> >> >Simon Fraser University, Burnaby, B.C. Canada
> >>
> >>
> 
> 
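Carter's suggestion at the top of this message (capture packets while argus runs, then show the capture holds traffic argus never reported) can be checked mechanically. The script below is an added example, not code from the thread or from the argus project: it parses old-style tcpdump text and ra output of the shape quoted above and lists flows present in the capture but absent from the ra records. Sample lines are constructed after the thread's layout; it assumes numeric ports on both sides (tcpdump -n style output) and keys flows on the probe's source port plus the target host and port, because ra truncates the source hostname ("socrates.whitel").

```python
import re

# Constructed sample input modelled on the thread's tcpdump and ra layouts, not the
# thread's own capture; port 410 is deliberately absent from the ra side.
TCPDUMP_TEXT = """\
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.929: FP 0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.410: FP 0:0(0) win 3072 urg 0
23:50:59.812961 eth0 < 131.202.160.2.929 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
23:50:59.812961 eth0 < 131.202.160.2.410 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
"""
RA_TEXT = """\
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.929          RST
"""

# tcpdump: time iface dir src.port > dst.port: FLAGS ...  (numeric ports assumed)
TCPDUMP_RE = re.compile(r"^\S+ \S+ ([<>]) (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)")
# ra: date time proto src.port dir dst.port STATE  (source host ignored, ra truncates it)
RA_RE = re.compile(r"^\d+ \w+ \d+ [\d:]+\s+tcp\s+\S+\.(\d+)\s+\S+\s+(\S+)\.(\d+)\s+(\S+)")

def pcap_flows(text):
    """Map (probe src port, target host, target port) -> set of TCP flags seen on the wire."""
    flows = {}
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            direction, a_host, a_port, b_host, b_port, flags = m.groups()
            # "eth0 >" lines leave the probing host; "eth0 <" lines are the target's
            # replies, so swap them to key every packet on the original probe.
            if direction == "<":
                a_host, a_port, b_host, b_port = b_host, b_port, a_host, a_port
            flows.setdefault((a_port, b_host, b_port), set()).add(flags)
    return flows

def ra_flows(text):
    """Map the same key -> the state ra reported for that flow."""
    flows = {}
    for line in text.splitlines():
        m = RA_RE.match(line)
        if m:
            sport, dhost, dport, state = m.groups()
            flows[(sport, dhost, dport)] = state
    return flows

def unreported(tcpdump_text, ra_text):
    """Flows the capture proves were on the wire but argus produced no record for."""
    reported = ra_flows(ra_text)
    return sorted(k for k in pcap_flows(tcpdump_text) if k not in reported)
```

An empty result means every probe and reply in the capture has a matching argus record, which points the investigation at the network path rather than at argus.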


