Using tcpdump input
Peter Van Epp
vanepp at sfu.ca
Mon Mar 31 00:14:07 EST 2003
Andrew's post motivated me to check the counts sooner rather than
later, and he appears to be correct: there is a bug or bugs. Some packets
aren't being counted correctly and the summary looks high to me. A slightly
rearranged comparison between tcpdump and ra (using argus-2.0.6.beta.8
on FreeBSD):
tcpdump (tcpdump -r test.tcpd -n -e, rearranged so all flows are together and
numbered 1) to 9)):
1)
15:14:20.477823 0:1:f4:6:98:40 0:e0:63:38:73:50 0800 74: 142.58.108.10.3593 > 142.58.109.129.9100: S 1037685688:1037685688(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235296 0> (DF)
15:14:20.477853 0:e0:63:38:73:50 0:1:e6:5b:4:bd 0800 74: 142.58.108.10.3593 > 142.58.109.129.9100: S 1037685688:1037685688(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235296 0> (DF)
2)
15:14:21.478628 0:1:f4:6:98:40 0:e0:63:38:73:50 0800 74: 142.58.108.10.3595 > 142.58.109.128.9100: S 891433938:891433938(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235298 0> (DF)
15:14:21.478660 0:e0:63:38:73:50 8:0:9:9b:28:27 0800 74: 142.58.108.10.3595 > 142.58.109.128.9100: S 891433938:891433938(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235298 0> (DF)
15:14:33.497140 0:1:f4:6:98:40 0:e0:63:38:73:50 0800 74: 142.58.108.10.3595 > 142.58.109.128.9100: S 891433938:891433938(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235322 0> (DF)
15:14:33.497171 0:e0:63:38:73:50 8:0:9:9b:28:27 0800 74: 142.58.108.10.3595 > 142.58.109.128.9100: S 891433938:891433938(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235322 0> (DF)
3)
15:14:21.761152 0:2:55:8c:17:e9 1:0:5e:37:96:d0 0800 163: 142.58.109.66.1346 > 229.55.150.208.1345: udp 121
4)
15:14:22.023100 0:1:f4:6:98:40 0:e0:63:38:73:50 0800 62: 142.58.200.67 > 142.58.109.10: icmp: echo request (DF)
15:14:22.023231 0:1:f4:6:98:40 0:5:2:31:4c:2d 0800 62: 142.58.109.10 > 142.58.200.67: icmp: echo reply (DF)
5)
15:14:24.716709 0:2:55:8c:1a:41 1:0:5e:37:96:d0 0800 163: 142.58.109.71.1346 > 229.55.150.208.1345: udp 121
6)
15:14:25.988962 0:1:e6:5b:4:bd 0:e0:63:38:73:50 0800 62: 142.58.109.129.9100 > 142.58.108.10.3587: S 32301501:32301501(0) ack 393763605 win 11680 <mss 1460,nop,wscale 0>
7)
15:14:25.988972 0:e0:63:38:73:50 0:1:e6:5b:4:bd 0800 70: 142.58.109.254 > 142.58.109.129: icmp: net 142.58.108.10 unreachable
8)
15:14:32.324825 0:3:47:de:ec:c0 0:e0:18:69:72:82 0800 60: 142.58.109.18.139 > 142.58.109.110.3282: . 521147083:521147084(1) ack 3813546656 win 62987
>>> NBT Packet
flags=0x2
NBT - Unknown packet type
Type=0x2000000
15:14:32.324836 0:e0:18:69:72:82 0:3:47:de:ec:c0 0800 60: 142.58.109.110.3282 > 142.58.109.18.139: . ack 1 win 16948 (DF)
9)
15:14:32.324845 0:e0:18:69:72:82 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 142.58.109.18 tell 142.58.109.110
15:14:32.324896 0:3:47:de:ec:c0 0:e0:18:69:72:82 0806 60: arp reply 142.58.109.18 is-at 0:3:47:de:ec:c0
ra -r test -c -n (where test was created by argus_bpf -r test.tcpd -w test,
and the flows are numbered to match the tcpdump numbers 1) to 9)). Note the counts
for 8) are incorrect from ra, as is the summary byte number (I get only
1246 bytes with the corrected count, not 1266, unless I have miscalculated):
30 Mar 03 19:43:38 man version=2.0 probeid=3848370891 STA
2)
08 Mar 03 15:14:21 tcp 142.58.108.10.3595 -> 142.58.109.128.9100 4 0 296 0 REQ
5)
08 Mar 03 15:14:24 udp 142.58.109.71.1346 -> 229.55.150.208.1345 1 0 163 0 INT
4)
08 Mar 03 15:14:22 icmp 142.58.200.67 <-> 142.58.109.10 1 1 62 62 ECO
8) **** Counts wrong! *** should be 60 and 60
08 Mar 03 15:14:32 tcp 142.58.109.18.139 ?> 142.58.109.110.3282 1 1 55 54 EST
9)
08 Mar 03 15:14:32 arp 142.58.109.110 who-has 142.58.109.18 1 1 60 60 ACC
3)
08 Mar 03 15:14:21 udp 142.58.109.66.1346 -> 229.55.150.208.1345 1 0 163 0 INT
1)
08 Mar 03 15:14:20 tcp 142.58.108.10.3593 -> 142.58.109.129.9100 2 0 148 0 REQ
6)
08 Mar 03 15:14:25 tcp 142.58.108.10.3587 <- 142.58.109.129.9100 0 1 0 62 ACC
7)
08 Mar 03 15:14:25 icmp 142.58.109.254 -> 142.58.109.129 1 0 70 0 URN
30 Mar 03 19:43:38 man pkts 16 bytes 1266 drops 0 flows 0 closed 9 SHT
And finally the test file (uuencoded):
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
begin 644 test.tcpd
MU,.RH0(`!````````````&`````!````3'EJ/G]*!P!*````2@````#@8SAS
M4``!]`:80`@`10``/%790``_!N_BCCIL"HXZ;8$."2.,/=G3N`````"@`A@`
MWAX```($!;0!`P,``0$("@`B&Z``````3'EJ/IU*!P!*````2@`````!YEL$
MO0#@8SAS4`@`10``/%790``^!O#BCCIL"HXZ;8$."2.,/=G3N`````"@`A@`
MWAX```($!;0!`P,``0$("@`B&Z``````37EJ/J1-!P!*````2@````#@8SAS
M4``!]`:80`@`10``/%7:0``_!N_BCCIL"HXZ;8`."R.,-2(ST@````"@`A@`
MAKD```($!;0!`P,``0$("@`B&Z(`````37EJ/L1-!P!*````2@````@`"9LH
M)P#@8SAS4`@`10``/%7:0``^!O#BCCIL"HXZ;8`."R.,-2(ST@````"@`A@`
MAKD```($!;0!`P,``0$("@`B&Z(`````37EJ/D"="P!@````HP````$`7C>6
MT``"58P7Z0@`10``E?87```*$4*\CCIM0N4WEM`%0@5!`('?D20"`@D!,P9,
M;V-A=&4B`0`D`@()`C,'4')O9'5C=`P")`(""0,S!4=H;W-T#`,D`@()!#,)
M0TYY:CX\6@``/@```#X`````X&,X<U```?0&F$`(`$4``#"0'$``_@&:[8XZ
MR$...FT*"`"+#^802X)I32%R\?'Q\0```!,JX%E^)"0D)$YY:CZ_6@``/@``
M`#X`````!0(Q3"T``?0&F$`(`$4``#"9.$``?@$1THXZ;0J..LA#``"3#^80
M2X)I32%R\?'Q\0```!,JX%E^)"0D)%!Y:CZE[PH`8````*,````!`%XWEM``
M`E6,&D$(`$4``)6+O@``"A&M$(XZ;4?E-Y;0!4(%00"!WXPD`@()`3,&3&]C
M871E(@$`)`(""0(S!U!R;V1U8W0,`B0"`@D#,P5':&]S=`P#)`(""00S"4-1
M>6H^(A</`#X````^`````.!C.'-0``'F6P2]"`!%```P?_8``$`&!-*..FV!
MCCIL"B.,#@,![.&]%WA;%7`2+:#8J````@0%M`$#`P!1>6H^+!</`$8```!&
M``````'F6P2]`.!C.'-0"`!%```X.D@``/\!B8B..FW^CCIM@0,`Z,8`````
M10``,'_V```_!@32CCIM@8XZ;`HCC`X#`>SAO5AY:C[9]`0`/````#P`````
MX!AI<H(``T?>[,`(`$4``"EZK0``@`;)+(XZ;1*..FUN`(L,TA\0$LOC3AJ@
M4!#V"X.K```"``````!8>6H^Y/0$`#P````\``````-'WNS``.`8:7*""`!%
M```H@!)``(`&@\B..FUNCCIM$@S2`(OC3AJ@'Q`2S%`00C0Y@P``________
M6'EJ/NWT!``\````/````/_______P#@&&ER@@@&``$(``8$``$`X!AI<H*.
M.FUN````````CCIM$O_______________________UAY:CX@]00`/````#P`
M````X!AI<H(``T?>[,`(!@`!"``&!``"``-'WNS`CCIM$@#@&&ER@HXZ;6X`
M``````````````````````!9>6H^])4'`$H```!*`````.!C.'-0``'T!IA`
M"`!%```\5>!``#\&[]R..FP*CCIM@`X+(XPU(C/2`````*`"&`"&H0```@0%
MM`$#`P`!`0@*`"(;N@````!9>6H^$Y8'`$H```!*````"``)FR@G`.!C.'-0
M"`!%```\5>!``#X&\-R..FP*CCIM@`X+(XPU(C/2`````*`"&`"&H0```@0%
1M`$#`P`!`0@*`"(;N@`````*
`
end
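To double-check the per-flow and summary counts in the post by hand, here is a small Python script, added here as an example; it is not from the post or from the argus project. It parses the tcpdump -e lines of the listing above (copied in as sample input), aggregates them into bidirectional flows the way ra displays them, and sums packets and bytes per flow and overall. The flow-key and direction rules are a simplification of argus's own (first frame seen fixes the forward direction; ARP is keyed on the queried address), and the regular expressions assume the 2003-era tcpdump output format shown in the listing.

```python
import re
from collections import OrderedDict

# Sample input: the tcpdump -e lines from the listing in the post (flows 1-9),
# including tcpdump's multi-line NBT decode, which the parser has to skip.
TCPDUMP_LISTING = """\
15:14:20.477823 0:1:f4:6:98:40 0:e0:63:38:73:50 0800 74: 142.58.108.10.3593 > 142.58.109.129.9100: S 1037685688:1037685688(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235296 0> (DF)
15:14:20.477853 0:e0:63:38:73:50 0:1:e6:5b:4:bd 0800 74: 142.58.108.10.3593 > 142.58.109.129.9100: S 1037685688:1037685688(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235296 0> (DF)
15:14:21.478628 0:1:f4:6:98:40 0:e0:63:38:73:50 0800 74: 142.58.108.10.3595 > 142.58.109.128.9100: S 891433938:891433938(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235298 0> (DF)
15:14:21.478660 0:e0:63:38:73:50 8:0:9:9b:28:27 0800 74: 142.58.108.10.3595 > 142.58.109.128.9100: S 891433938:891433938(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235298 0> (DF)
15:14:33.497140 0:1:f4:6:98:40 0:e0:63:38:73:50 0800 74: 142.58.108.10.3595 > 142.58.109.128.9100: S 891433938:891433938(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235322 0> (DF)
15:14:33.497171 0:e0:63:38:73:50 8:0:9:9b:28:27 0800 74: 142.58.108.10.3595 > 142.58.109.128.9100: S 891433938:891433938(0) win 6144 <mss 1460,nop,wscale 0,nop,nop,timestamp 2235322 0> (DF)
15:14:21.761152 0:2:55:8c:17:e9 1:0:5e:37:96:d0 0800 163: 142.58.109.66.1346 > 229.55.150.208.1345: udp 121
15:14:22.023100 0:1:f4:6:98:40 0:e0:63:38:73:50 0800 62: 142.58.200.67 > 142.58.109.10: icmp: echo request (DF)
15:14:22.023231 0:1:f4:6:98:40 0:5:2:31:4c:2d 0800 62: 142.58.109.10 > 142.58.200.67: icmp: echo reply (DF)
15:14:24.716709 0:2:55:8c:1a:41 1:0:5e:37:96:d0 0800 163: 142.58.109.71.1346 > 229.55.150.208.1345: udp 121
15:14:25.988962 0:1:e6:5b:4:bd 0:e0:63:38:73:50 0800 62: 142.58.109.129.9100 > 142.58.108.10.3587: S 32301501:32301501(0) ack 393763605 win 11680 <mss 1460,nop,wscale 0>
15:14:25.988972 0:e0:63:38:73:50 0:1:e6:5b:4:bd 0800 70: 142.58.109.254 > 142.58.109.129: icmp: net 142.58.108.10 unreachable
15:14:32.324825 0:3:47:de:ec:c0 0:e0:18:69:72:82 0800 60: 142.58.109.18.139 > 142.58.109.110.3282: . 521147083:521147084(1) ack 3813546656 win 62987
>>> NBT Packet
flags=0x2
NBT - Unknown packet type
Type=0x2000000
15:14:32.324836 0:e0:18:69:72:82 0:3:47:de:ec:c0 0800 60: 142.58.109.110.3282 > 142.58.109.18.139: . ack 1 win 16948 (DF)
15:14:32.324845 0:e0:18:69:72:82 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 142.58.109.18 tell 142.58.109.110
15:14:32.324896 0:3:47:de:ec:c0 0:e0:18:69:72:82 0806 60: arp reply 142.58.109.18 is-at 0:3:47:de:ec:c0
"""

ETH_MIN_FRAME = 60  # minimum Ethernet frame; tcpdump's length includes any padding

FRAME_RE = re.compile(r'^\d\d:\d\d:\d\d\.\d+ \S+ \S+ ([0-9a-f]{4}) (\d+): (.*)$')
IP_RE = re.compile(r'^(\S+) > (\S+): (.*)$')
ARP_WHOHAS_RE = re.compile(r'^arp who-has (\S+) tell (\S+)')
ARP_REPLY_RE = re.compile(r'^arp reply (\S+) is-at ')


def parse_frame(line):
    """Return (proto, flow_key, src, dst, frame_len) for one tcpdump -e line, or
    None for continuation lines (such as the NBT decode) and unknown ethertypes."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    ethertype, length, rest = m.group(1), int(m.group(2)), m.group(3)
    if ethertype == '0800':
        ip = IP_RE.match(rest)
        if not ip:
            return None
        src, dst, payload = ip.groups()
        if payload.startswith('icmp'):
            proto = 'icmp'
        elif payload.startswith('udp'):
            proto = 'udp'
        else:
            proto = 'tcp'
        # Unordered endpoint pair: both directions map onto the same flow.
        return proto, (proto, frozenset((src, dst))), src, dst, length
    if ethertype == '0806':
        q = ARP_WHOHAS_RE.match(rest)
        if q:  # asker -> queried address
            return 'arp', ('arp', q.group(1)), q.group(2), q.group(1), length
        r = ARP_REPLY_RE.match(rest)
        if r:  # the owner of the queried address answers: reverse direction
            return 'arp', ('arp', r.group(1)), r.group(1), 'asker', length
    return None


def summarize(listing):
    """Aggregate frames into bidirectional flows with ra-style src/dst counts."""
    flows = OrderedDict()
    for line in listing.splitlines():
        parsed = parse_frame(line)
        if parsed is None:
            continue
        proto, key, src, dst, length = parsed
        f = flows.setdefault(key, {'proto': proto, 'src': src, 'dst': dst,
                                   'spkts': 0, 'dpkts': 0, 'sbytes': 0,
                                   'dbytes': 0, 'min_frames': 0})
        # The first frame seen fixes the forward direction of the flow.
        if src == f['src']:
            f['spkts'] += 1
            f['sbytes'] += length
        else:
            f['dpkts'] += 1
            f['dbytes'] += length
        if length == ETH_MIN_FRAME:
            f['min_frames'] += 1  # frame may carry padding beyond the IP length
    return list(flows.values())


def totals(flows):
    """(flow count, total packets, total bytes) to compare with ra's man record."""
    return (len(flows),
            sum(f['spkts'] + f['dpkts'] for f in flows),
            sum(f['sbytes'] + f['dbytes'] for f in flows))


if __name__ == '__main__':
    flows = summarize(TCPDUMP_LISTING)
    for f in flows:
        print('%-4s %s -> %s %d %d %d %d  min-size frames: %d' % (
            f['proto'], f['src'], f['dst'], f['spkts'], f['dpkts'],
            f['sbytes'], f['dbytes'], f['min_frames']))
    print('flows %d pkts %d bytes %d' % totals(flows))
```

Run stand-alone it prints one line per flow and a man-style total of 9 flows, 16 packets and 1266 bytes, with flow 8) at 60 and 60 bytes; the frame lengths tcpdump reports therefore add up to the 1266 in ra's summary record once flow 8) is corrected. The script also flags flows whose frames sit at the 60-byte Ethernet minimum. For flow 8), ra's 55 and 54 equal a 14-byte Ethernet header plus IP total lengths of 41 and 40 (20-byte IP header, 20-byte TCP header, one data byte in the first segment and none in the ACK), which would be consistent with argus taking the IP total length for IP packets while tcpdump reports the captured frame including padding, and with ARP, which has no IP length, being counted at the full 60. That reading is an inference from the numbers on the page, not a confirmed explanation of the bug.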