Bug in Argus 2.0.3??, and possibly others (not reporting on some traffic)
Chris Newton
newton at unb.ca
Thu Oct 18 09:24:25 EDT 2001
Ok folks. After some testing and goofing around, it appears that the dumb
little nortel switch we have, isn't passing all the packets it sees on the
ports we are mirroring to the monitor port. We even tried Sniffer, it
couldn't see those scans. Sorry for the false alarm :(
Chris
>===== Original Message From <carter at qosient.com> =====
>Actually on different machines, but the same link would be
>ideal, but the same machine will definitely work.
>
>Carter
>
>Carter Bullard
>QoSient, LLC
>300 E. 56th Street, Suite 18K
>New York, New York 10022
>
>carter at qosient.com
>Phone +1 212 588-9133
>Fax +1 212 588-9134
>http://qosient.com
>
>> -----Original Message-----
>> From: owner-argus-info at lists.andrew.cmu.edu
>> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
>> Chris Newton
>> Sent: Monday, October 15, 2001 7:57 AM
>> To: carter at qosient.com; argus; Peter Van Epp
>> Subject: RE: Bug in Argus 2.0.3??, and possibly others (not
>> reporting on some traffic)
>>
>>
>> I hear ya there. Though, we only have one connection to the
>> internet, and the
>> other scans do show up. Later today I will try and get some
>> information for
>> you. What you need me to do is run a tcpdump on the same
>> machine as Argus,
>> right?
>>
>> Chris
>>
>> >===== Original Message From <carter at qosient.com> =====
>> >Well, there could still be a bug. The only way to catch
>> >it, is to be capturing packets while argus is producing
>> >the unexpected results, and then demonstrate that the
>> >captured packet file contains the actual data expected.
>> >This is the only way that we can be sure that the argus
>> >is mishandling packets, rather than the network pushing
>> >the packets somewhere unexpected.
>> >
>> >Carter
>> >
>> >Carter Bullard
>> >QoSient, LLC
>> >300 E. 56th Street, Suite 18K
>> >New York, New York 10022
>> >
>> >carter at qosient.com
>> >Phone +1 212 588-9133
>> >Fax +1 212 588-9134
>> >http://qosient.com
>> >
>> >> -----Original Message-----
>> >> From: Chris Newton [mailto:newton at unb.ca]
>> >> Sent: Sunday, October 14, 2001 11:28 PM
>> >> To: carter at qosient.com; argus; Peter Van Epp
>> >> Subject: RE: Bug in Argus 2.0.3??, and possibly others (not
>> >> reporting on some traffic)
>> >>
>> >>
>> >> Ok, I'm way confused... I get out that I would expect. How
>> >> could that
>> >> happen? I tracerouted the connection from the remote one to
>> >> campus network,
>> >> it does certainly go past where argus is monitoring.
>> >>
>> >> I even ran this with the same command line options that I
>> >> have the server
>> >> running as:
>> >>
>> >> /usr/local/argus-2.0.3/bin/argus_linux -S 30 -M 30 -F
>> >> /usr/local/conf/argus.conf -r test23 -w - |
>> >> /usr/local/argus-2.0.3/bin/ra
>> >> |more
>> >>
>> >>
>> >>
>> >> 15 Oct 01 00:15:52 man version=2.0 probeid=phantom.csd.unb
>> >> STA
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.929 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.811 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.410 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.1016 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.260 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.7010 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.775 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.316 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.230 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.150 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.1472 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.428 RST
>> >> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> >> 131.202.160.2.575 RST
>> >>
>> >>
>> >> >===== Original Message From <carter at qosient.com> =====
>> >> >So what happens when you:
>> >> >
>> >> > argus -r packet.file -w - | ra
>> >> >
>> >> >Carter
>> >> >
>> >> >Carter Bullard
>> >> >QoSient, LLC
>> >> >300 E. 56th Street, Suite 18K
>> >> >New York, New York 10022
>> >> >
>> >> >carter at qosient.com
>> >> >Phone +1 212 588-9133
>> >> >Fax +1 212 588-9134
>> >> >http://qosient.com
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: owner-argus-info at lists.andrew.cmu.edu
>> >> >> [mailto:owner-argus-info at lists.andrew.cmu.edu] On
>> Behalf Of Chris
>> >> >> Newton
>> >> >> Sent: Sunday, October 14, 2001 11:02 PM
>> >> >> To: argus; Peter Van Epp
>> >> >> Subject: RE: Bug in Argus 2.0.3??, and possibly others
>> >> (not reporting
>> >> >> on some traffic)
>> >> >>
>> >> >>
>> >> >> Here are a Xmas scan, and a Fyn scan. Obviously, text
>> >> isn't the best
>> >> >> manner to relay the tcpdump files,.. but I thought I
>> post this for
>> >> >> now.
>> >> >>
>> >> >>
>> >> >> Here is what tcpdump saw, on the attacking machine,
>> when doing a
>> >> >> -sF (FYN
>> >> >> scan):
>> >> >>
>> >> >> [root at socrates ~]$ /usr/sbin/tcpdump -r test |more
>> 23:45:01.082961
>> >> >> eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.2016: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.1511: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.cmip-agent: F 0:0(0) win 2048
>> >> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.349: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.omirr: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.414: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.1526: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.1533: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.285: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.594: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.092961 eth0 < 131.202.160.2.2016 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.092961 eth0 < 131.202.160.2.1511 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.092961 eth0 < 131.202.160.2.cmip-agent >
>> >> >> socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> >> 23:45:01.092961
>> >> >> eth0 < 131.202.160.2.349 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.092961 eth0 < 131.202.160.2.omirr >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.102961 eth0 < 131.202.160.2.414 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.102961 eth0 < 131.202.160.2.1526 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.102961 eth0 < 131.202.160.2.1533 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.102961 eth0 < 131.202.160.2.285 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.102961 eth0 < 131.202.160.2.594 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.5300: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.phonebook:
>> >> >> F 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.711: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.795: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.936: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.886: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.165: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.402: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.181: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.1401: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.1385: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.570: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.183: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.112961 eth0 < 131.202.160.2.5300 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.122961 eth0 < 131.202.160.2.phonebook >
>> >> >> socrates.whitelight.ca.43634:
>> >> >> R 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.122961 eth0 < 131.202.160.2.711 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.122961 eth0 < 131.202.160.2.795 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.122961 eth0 < 131.202.160.2.936 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.122961 eth0 < 131.202.160.2.886 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.132961 eth0 < 131.202.160.2.165 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.132961 eth0 < 131.202.160.2.402 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.132961 eth0 < 131.202.160.2.181 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.132961 eth0 < 131.202.160.2.1401 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.132961 eth0 < 131.202.160.2.1385 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.132961 eth0 < 131.202.160.2.570 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.132961 eth0 < 131.202.160.2.183 >
>> >> >> socrates.whitelight.ca.43634: R
>> >> >> 0:0(0) ack 1 win 2048
>> >> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.987: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.8009: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.981: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.ldaps: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.305: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.142961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.856: F
>> >> >> 0:0(0) win 2048
>> >> >> 23:45:01.142961 eth0 > socrates.whitelight.ca.43634 >
>> >> >> 131.202.160.2.294: F
>> >> >> 0:0(0) win 2048
>> >> >> .... clipped
>> >> >>
>> >> >>
>> >> >> here is stuff from a -sX (christmas tree scan (all flags):
>> >> >>
>> >> >> [root at socrates ~]$ /usr/sbin/tcpdump -r test | more
>> >> 23:50:59.802961
>> >> >> eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.daytime:
>> >> >> FP 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.1453: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.198: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.642: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.6142: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.at-rtmp:
>> >> >> FP 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.147: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.1487: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.1446: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.745: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.812961 eth0 < 131.202.160.2.daytime >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.822961 eth0 < 131.202.160.2.1453 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.822961 eth0 < 131.202.160.2.198 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.822961 eth0 < 131.202.160.2.642 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.822961 eth0 < 131.202.160.2.6142 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.822961 eth0 < 131.202.160.2.at-rtmp >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.822961 eth0 < 131.202.160.2.147 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.832961 eth0 < 131.202.160.2.1487 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.832961 eth0 < 131.202.160.2.1446 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.832961 eth0 < 131.202.160.2.745 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.386: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.598: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.https: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.451: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.364: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.338: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.490: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.447: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.221: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.907: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.299: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.mobileip-agent: FP 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> >> 131.202.160.2.255: FP
>> >> >> 0:0(0) win 3072 urg 0
>> >> >> 23:50:59.842961 eth0 < 131.202.160.2.386 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.842961 eth0 < 131.202.160.2.598 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.852961 eth0 < 131.202.160.2.https >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.852961 eth0 < 131.202.160.2.451 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.852961 eth0 < 131.202.160.2.364 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.852961 eth0 < 131.202.160.2.338 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.852961 eth0 < 131.202.160.2.490 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.852961 eth0 < 131.202.160.2.447 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.852961 eth0 < 131.202.160.2.221 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.862961 eth0 < 131.202.160.2.907 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.862961 eth0 < 131.202.160.2.299 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >> 23:50:59.862961 eth0 < 131.202.160.2.mobileip-agent >
>> >> >> socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> >> 23:50:59.862961
>> >> >> eth0 < 131.202.160.2.255 >
>> >> >> socrates.whitelight.ca.57102: R
>> >> >> 0:0(0) ack 1 win 3072
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> >===== Original Message From Peter Van Epp <vanepp at sfu.ca>
>> >> >> ===== <snip>
>> >> >> >>
>> >> >> >> Scans that I could see include:
>> >> >> >>
>> >> >> >> RPC, TCP Connect, Syn, Ping, UDP
>> >> >> >> in nmap speak (-sR, -sT, -sS, -sP, -sU)
>> >> >> >>
>> >> >> >>
>> >> >> >> Any ideas?
>> >> >> >>
>> >> >> >> Chris
>> >> >> >>
>> >> >> >>
>> >> >> > A tcpdump of the nmap scan to see what packets argus is
>> >> >> seeing would
>> >> >> >be my first suggestion (that would also let Carter
>> reproduce the
>> >> >> >problem). If I get time I'll try and reproduce this.
>> >> >> >
>> >> >> >Peter Van Epp / Operations and Technical Support
>> >> >> >Simon Fraser University, Burnaby, B.C. Canada
>> >> >>
>> >> >>
>> >>
>> >>
>>
>>
More information about the argus
mailing list