Examine the correctness of filter

carter at qosient.com
Tue Dec 12 08:16:17 EST 2006


Hey CS,
The second statement is "and immediate 31" but it looks like it should be "and immediate 3", instead.

Are you having problems?

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "CS Lee" <geek00l at gmail.com>
Date: Tue, 12 Dec 2006 19:07:40 
To:"Carter Bullard" <carter at qosient.com>
Cc:Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Examine the correctness of filter

Carter,
 
  ra -b - tcp
 (000) ldb      [142]
 (001) and      #31
 (002) jeq      #0x1             jt 3    jf 5
 (003) ldb      [152]
 (004) jeq      #0x6             jt 8    jf 9
 (005) jeq      #0x2             jt 6    jf 9
 (006) ldb      [179]
 (007) jeq      #0x6             jt 8    jf 9
 (008) ret      #96
 (009) ret      #0

 It looks to me that it loads a one-byte quantity at an offset of 142.
 
 001 - Get to 31st byte
 002 - Compare and see whether it is 0x1, if it is, that's IPv4(quantifier) and jump to instruction 003, if it is not, jump to instruction 005.
 003 - Load one-byte quantity at an offset of 152
 004 - Compare and check if it is 0x6(trans proto is tcp for ip), if it is then jump to instruction 008, if it is not then jump to instruction 009
 005 - Compare and check if it is 0x2 which is IPv6(quantifier) and jump to instruction 006 or if it is not then jump to instruction 009
 006 - Load one-byte quantity at an offset of 179
 007 - Compare and check if it is 0x6(trans proto is tcp for ipv6), if it is then jump to 008 or else jump to 009.
 008 - Return 96 bytes
 009 - Return nothing
 
 Carter, correct me if I'm wrong, as I don't fully understand all the diagrams in the argus_def.h file yet. Thanks.
 
 

On 12/12/06, Carter Bullard <carter at qosient.com> wrote:
Hey CS,
Sorry I didn't respond.
The Argus record is defined in ./include/argus_out.h and ./include/argus_def.h.
Carter
 
On Dec 3, 2006, at 8:17 PM, CS Lee wrote:
Hey people,
 
 While reading ra -b output, I came across this -
 
 ra -b - tcp
 (000) ldb      [142] 
 (001) and      #31
 (002) jeq      #0x1             jt 3    jf 5
 (003) ldb      [152]
 (004) jeq      #0x6             jt 8    jf 9
 (005) jeq      #0x2             jt 6    jf 9
 (006) ldb      [179]
 (007) jeq      #0x6             jt 8    jf 9
 (008) ret      #96
 (009) ret      #0
 
 While this seems not so complicated, is there any reference for the argus data format that I can refer to, such as the one shown in tcpdump -d, where the correctness of the filter can be confirmed by looking at the packet headers?
 
 Thanks.

-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>

-- 
Best Regards,

CS Lee<geekooL[at]gmail.com> 
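A small interpreter for the "ra -b - tcp" listing quoted in this thread, added here as an illustration; it is not Argus code and not part of either message. It assumes BPF semantics for the four opcodes that appear in the listing ("ldb" loads one byte at an absolute offset into the accumulator, "and" masks the accumulator with the immediate, "jeq" branches on equality, "ret" returns the accept length), takes the offsets 142, 152 and 179 from the listing as given, and fills a constructed 200-byte buffer at just those three offsets. That buffer is not the real Argus record layout from argus_out.h and argus_def.h; it only exercises the program. The with_mask helper swaps the "and" immediate so the behaviour with 31 and with 3 can be compared on the same record.

```python
import re

# Constructed copy of the "ra -b - tcp" listing quoted in the thread.
PROGRAM_TEXT = """\
(000) ldb      [142]
(001) and      #31
(002) jeq      #0x1             jt 3    jf 5
(003) ldb      [152]
(004) jeq      #0x6             jt 8    jf 9
(005) jeq      #0x2             jt 6    jf 9
(006) ldb      [179]
(007) jeq      #0x6             jt 8    jf 9
(008) ret      #96
(009) ret      #0
"""

# One instruction per line: "(nnn) op operand [jt N jf M]".
LINE_RE = re.compile(
    r"^\((\d+)\)\s+(\w+)\s+(\S+)(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?\s*$"
)


def parse_program(text):
    """Turn the textual listing into a list of (op, k, jt, jf) tuples."""
    prog = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"cannot parse instruction: {raw!r}")
        idx, op, arg, jt, jf = m.groups()
        if int(idx) != len(prog):
            raise ValueError("instructions must be numbered consecutively")
        if arg.startswith("[") and arg.endswith("]"):
            k = int(arg[1:-1], 0)      # [142]  -> absolute byte offset
        elif arg.startswith("#"):
            k = int(arg[1:], 0)        # #0x1 / #31 -> immediate value
        else:
            raise ValueError(f"unknown operand form: {arg!r}")
        prog.append((op, k, int(jt) if jt else None, int(jf) if jf else None))
    return prog


def run_filter(prog, record, trace=None):
    """Execute the program against one record (bytes) with BPF semantics.

    Returns the 'ret' operand: non-zero means the record passes the filter.
    If 'trace' is a list, (pc, op, accumulator-before) tuples are appended.
    """
    acc = 0
    pc = 0
    for _ in range(len(prog) * 2):     # a BPF program has no back edges
        op, k, jt, jf = prog[pc]
        if trace is not None:
            trace.append((pc, op, acc))
        if op == "ldb":
            if k >= len(record):       # out-of-bounds load rejects the record
                return 0
            acc = record[k]
            pc += 1
        elif op == "and":
            acc &= k                   # bitwise mask, not a byte offset
            pc += 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError(f"unsupported opcode: {op}")
    raise RuntimeError("program did not terminate")


def with_mask(prog, mask):
    """Copy of the program with the 'and' immediate replaced (31 vs 3)."""
    return [("and", mask, None, None) if op == "and" else (op, k, jt, jf)
            for (op, k, jt, jf) in prog]


def make_record(type_byte, ipv4_proto=0, ipv6_proto=0, size=200):
    """Constructed record: only the three offsets the program reads are set.
    This is NOT the real Argus record layout (see argus_out.h / argus_def.h)."""
    rec = bytearray(size)
    rec[142] = type_byte
    rec[152] = ipv4_proto
    rec[179] = ipv6_proto
    return bytes(rec)


PROGRAM = parse_program(PROGRAM_TEXT)

if __name__ == "__main__":
    cases = [("ipv4/tcp", make_record(1, ipv4_proto=6)),
             ("ipv6/tcp", make_record(2, ipv6_proto=6)),
             ("ipv4/udp", make_record(1, ipv4_proto=17)),
             ("type 0x05, ipv4/tcp", make_record(0x05, ipv4_proto=6))]
    for label, rec in cases:
        steps = []
        r31 = run_filter(PROGRAM, rec, trace=steps)
        r3 = run_filter(with_mask(PROGRAM, 3), rec)
        print(f"{label:22s} mask 31 -> ret {r31:3d}   mask 3 -> ret {r3:3d}"
              f"   path {[pc for pc, _, _ in steps]}")
```

Running it prints, for each constructed record, the ret value under both masks and the instruction path taken. A type byte of 0x05 is the case where the two masks disagree: 5 & 31 is 5, which matches neither 0x1 nor 0x2 and falls through to "ret #0", while 5 & 3 is 1, which takes the IPv4 branch.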