A IPV6 triple

carter at qosient.com
Fri Jul 28 06:01:42 EDT 2006


I'll try to get these fixed on Monday.
Thanks!!!!!
Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: Peter Van Epp <vanepp at sfu.ca>
Date: Wed, 26 Jul 2006 18:37:17
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] A IPV6 triple

	Looks to be a few problems here too (again tcpdump file attached):
V3 doesn't appear to be providing MACs, I suspect the "udp" wants to be 
"ipv6-udp", the v2 to v3 conversion isn't getting the ethertype correctly,
and aggregation appears different (which may be a bug or working as designed
:-)) since the pure V3 stream at the end has different packets than the first
2 (which are from the v2.0.6 file) and a much different duration which would
seem to point to different aggregation strategies. I'm not sure if v6 has an
ipid, but the 0 at the end is a bit suspicious :-). The source address seems 
convoluted enough for v6 but the dest address of ff02::fb (unless this is 
shorthand for the v6 broadcast address which it may be) seems a little short.

%./ra_test.pl vs62.argus vs63.argus | more
sport 0 * 5353
dport 0 * 5353
srate 1298.16 1298.164 4166.856
smac 0:11:24:73:73:f8 0:11:24:73:73:f8
dmac 33:33:0:0:0:fb 33:33:0:0:0:fb

line: 1 fields in error: smac,srate,sbytes,dport,sabytes,seq,proto,end,daddr,stt
l,dmac,dur,spkts,saddr,sport,stos,
1151432429.567597,1151432449.583555,1,20.015958,20.015958,0:11:24:73:73:f8,33:33
:0:0:0:fb,ipv6,0,0,,,,,3248,0,3050,0,11,0,1298.16,0.00,0.55,0.00,0.0000,0.0000,3
848370891,q,0:11:24:73:73:f8,33:33:0:0:0:fb,->,,,INT,,,,,3,,,0x8200,,
1151432429.567597,1151432449.583555,1,20.015958,20.015959,0:11:24:73:73:f8,33:33
:0:0:0:fb,well,*,*,,,,,3248,0,3050,0,11,0,1298.164,0.000,0.550,0.000,0,0,229.97.
122.203, v       ,0:11:24:73:73:f8,33:33:0:0:0:fb,->,,,INT,,,,,3,,,0x8200,,,
1151432429.567597,1151432431.568146,1,2.000549,2.000549,fe80::211:24ff:fe73:73f8
,ff02::fb,udp,5353,5353,0,,255,,1042,0,0,0,2,0,4166.856,0.000,1.000,0.000,0,0,0.
0.0.0, v       ,,,->,,,INT,,,,,0,,,0x8200,,0x0000,

sport 0 *
dport 0 *
smac 0:11:24:73:73:f8 0:11:24:73:73:f8
dmac 33:33:2c:f:7a:38 33:33:2c:f:7a:38

line: 2 fields in error: smac,dport,sabytes,seq,proto,sttl,daddr,dmac,saddr,spor
t,stos,
1151432430.307551,1151432430.307551,1,0.000000,0.000000,0:11:24:73:73:f8,33:33:2
c:f:7a:38,ipv6,0,0,,,,,90,0,72,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891
,q,0:11:24:73:73:f8,33:33:2c:f:7a:38,->,,,INT,,,,,4,,,0x8200,,
1151432430.307551,1151432430.307551,1,0.000000,0.000000,0:11:24:73:73:f8,33:33:2
c:f:7a:38,well,*,*,,,,,90,0,72,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203,
 v       ,0:11:24:73:73:f8,33:33:2c:f:7a:38,->,,,INT,,,,,4,,,0x8200,,,
1151432430.307551,1151432430.307551,1,0.000000,0.000000,fe80::211:24ff:fe73:73f8
,ff02::2:2c0f:7a38,ipv6-icmp,,,0,,1,,90,0,0,0,1,0,0.000,0.000,0.000,0.000,0,0,0.
0.0.0, v       ,,,->,,,MRQ,,,,,1,,,0x8200,,0x0000,



Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
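
An added example, not part of either message and not argus code: it expands the compressed IPv6 addresses shown in the output above and checks them against the MAC fields, using the RFC 2464 multicast mapping (33:33 plus the low 32 bits of the group) and the modified EUI-64 interface identifier from RFC 4291. Pairing the MACs from the v2.0.6 lines with the addresses from the V3 lines is an assumption, and the function names are hypothetical.

```python
import ipaddress

def fmt_mac(octets):
    """Format a MAC without zero padding, as the output above prints it."""
    return ":".join(f"{o:x}" for o in octets)

def norm_mac(mac):
    """Parse 0:11:24:73:73:f8 style text into a tuple of six ints."""
    parts = tuple(int(p, 16) for p in mac.split(":"))
    if len(parts) != 6 or any(p > 0xFF for p in parts):
        raise ValueError(f"bad MAC: {mac!r}")
    return parts

def expand(addr):
    """Undo '::' compression: every address is eight 16-bit groups."""
    return ipaddress.IPv6Address(addr).exploded

def multicast_mac(addr):
    """RFC 2464 section 7: 33:33 followed by the low 32 bits of the group."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    return fmt_mac((0x33, 0x33) + tuple(ip.packed[-4:]))

def eui64_mac(addr):
    """MAC embedded in a modified EUI-64 interface id, or None if absent."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return fmt_mac((iid[0] ^ 0x02,) + tuple(iid[1:3]) + tuple(iid[5:]))

def check_record(smac, dmac, saddr, daddr):
    """List the disagreements between the L2 and L3 fields of one flow."""
    problems = []
    derived = eui64_mac(saddr)
    if derived is not None and norm_mac(derived) != norm_mac(smac):
        problems.append(f"smac {smac} != EUI-64 MAC {derived} of {saddr}")
    if ipaddress.IPv6Address(daddr).is_multicast:
        mapped = multicast_mac(daddr)
        if norm_mac(mapped) != norm_mac(dmac):
            problems.append(f"dmac {dmac} != mapped MAC {mapped} of {daddr}")
    return problems

# Field values copied from the two flows in the output above.
RECORDS = [
    ("0:11:24:73:73:f8", "33:33:0:0:0:fb", "fe80::211:24ff:fe73:73f8", "ff02::fb"),
    ("0:11:24:73:73:f8", "33:33:2c:f:7a:38", "fe80::211:24ff:fe73:73f8", "ff02::2:2c0f:7a38"),
]

if __name__ == "__main__":
    for smac, dmac, saddr, daddr in RECORDS:
        print(expand(daddr), check_record(smac, dmac, saddr, daddr) or "consistent")
```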



