A IPV6 triple

Carter Bullard carter at qosient.com
Mon Jul 31 15:00:21 EDT 2006


Hey Peter,
    No, the 'udp' is just udp, but the L3 flow id is ipv6, so if you
filtered on 'ipv6' you'd get the udp lines as well as the 'ipv6-icmp',
which is a different protocol number from 'icmp'.

    I don't understand the issue with macs, as my data has macs in it.
Do you mean argus? My argus is doing macs fine, but I have
ARGUS_GENERATE_MAC_DATA=yes in my system /etc/argus.conf file.
The default is to NOT generate mac data; this may need to be documented.

    IPv6 only has an ipid when there is fragmentation (it is in an optional
header section).

    When you see "::" in an IPv6 address, that means that the values on
either side of the "::" are separated by zeros (as many as needed to
separate the values on either side).

Carter

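As an added illustration of the "::" rule described above (this is not code from the thread): expand a compressed IPv6 address to its full eight groups, and, going one step beyond the text, derive the Ethernet multicast MAC (33:33 followed by the low 32 bits of the address, per RFC 2464) that the dmac fields in Peter's records show for ff02::fb and ff02::2:2c0f:7a38. The sample values are copied from the quoted records; the function names are my own.

```python
import ipaddress

# Constructed samples: IPv6 destination -> dmac, as they appear in the
# argus records quoted later in this thread (argus prints unpadded hex).
SAMPLE_RECORDS = {
    "ff02::fb": "33:33:0:0:0:fb",
    "ff02::2:2c0f:7a38": "33:33:2c:f:7a:38",
}


def expand_ipv6(addr: str) -> str:
    """Replace the single '::' with as many zero groups as needed to reach
    eight groups, then zero-pad every group to four hex digits."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("IPv6 address must have eight 16-bit groups")
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def multicast_mac(addr: str) -> str:
    """RFC 2464 mapping of an IPv6 multicast address (ff00::/8) to its
    Ethernet destination MAC: 33:33 plus the low 32 bits, unpadded hex."""
    groups = expand_ipv6(addr).split(":")
    if int(groups[0], 16) >> 8 != 0xFF:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    low32 = bytes.fromhex(groups[6] + groups[7])
    return ":".join(f"{b:x}" for b in (0x33, 0x33, *low32))


def check_records(records: dict) -> dict:
    """For each daddr -> dmac pair, report whether dmac matches the
    MAC derived from daddr; also cross-checks expand_ipv6 against the
    standard library's exploded form."""
    result = {}
    for addr, mac in records.items():
        assert expand_ipv6(addr) == ipaddress.IPv6Address(addr).exploded
        result[addr] = multicast_mac(addr) == mac
    return result
```

Running `check_records(SAMPLE_RECORDS)` returns True for both addresses, which confirms the dmac values in the records are consistent with the "::" expansion rule.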

On Jul 26, 2006, at 9:37 PM, Peter Van Epp wrote:

> 	Looks to be a few problems here too (again tcpdump file attached):
> V3 doesn't appear to be providing Macs, I suspect the "udp" wants to be
> "ipv6-udp", the v2 to v3 conversion isn't getting the ethertype correctly,
> and aggregation appears different (which may be a bug or working as designed
> :-)) since the pure V3 stream at the end has different packets than the first
> 2 (which are from the v2.0.6 file) and a much different duration which would
> seem to point to different aggregation strategies. I'm not sure if v6 has an
> ipid, but the 0 at the end is a bit suspicious :-). The source address seems
> convoluted enough for v6 but the dest address of ff02::fb (unless this is
> shorthand for the v6 broadcast address which it may be) seems a little short.
>
> %./ra_test.pl vs62.argus vs63.argus | more
> sport 0 * 5353
> dport 0 * 5353
> srate 1298.16 1298.164 4166.856
> smac 0:11:24:73:73:f8 0:11:24:73:73:f8
> dmac 33:33:0:0:0:fb 33:33:0:0:0:fb
>
> line: 1 fields in error: smac,srate,sbytes,dport,sabytes,seq,proto,end,daddr,sttl,dmac,dur,spkts,saddr,sport,stos,
> 1151432429.567597,1151432449.583555,1,20.015958,20.015958,0:11:24:73:73:f8,33:33:0:0:0:fb,ipv6,0,0,,,,,3248,0,3050,0,11,0,1298.16,0.00,0.55,0.00,0.0000,0.0000,3848370891,q,0:11:24:73:73:f8,33:33:0:0:0:fb,->,,,INT,,,,,3,,,0x8200,,
> 1151432429.567597,1151432449.583555,1,20.015958,20.015959,0:11:24:73:73:f8,33:33:0:0:0:fb,well,*,*,,,,,3248,0,3050,0,11,0,1298.164,0.000,0.550,0.000,0,0,229.97.122.203, v       ,0:11:24:73:73:f8,33:33:0:0:0:fb,->,,,INT,,,,,3,,,0x8200,,,
> 1151432429.567597,1151432431.568146,1,2.000549,2.000549,fe80::211:24ff:fe73:73f8,ff02::fb,udp,5353,5353,0,,255,,1042,0,0,0,2,0,4166.856,0.000,1.000,0.000,0,0,0.0.0.0, v       ,,,->,,,INT,,,,,0,,,0x8200,,0x0000,
>
> sport 0 *
> dport 0 *
> smac 0:11:24:73:73:f8 0:11:24:73:73:f8
> dmac 33:33:2c:f:7a:38 33:33:2c:f:7a:38
>
> line: 2 fields in error: smac,dport,sabytes,seq,proto,sttl,daddr,dmac,saddr,sport,stos,
> 1151432430.307551,1151432430.307551,1,0.000000,0.000000,0:11:24:73:73:f8,33:33:2c:f:7a:38,ipv6,0,0,,,,,90,0,72,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:11:24:73:73:f8,33:33:2c:f:7a:38,->,,,INT,,,,,4,,,0x8200,,
> 1151432430.307551,1151432430.307551,1,0.000000,0.000000,0:11:24:73:73:f8,33:33:2c:f:7a:38,well,*,*,,,,,90,0,72,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       ,0:11:24:73:73:f8,33:33:2c:f:7a:38,->,,,INT,,,,,4,,,0x8200,,,
> 1151432430.307551,1151432430.307551,1,0.000000,0.000000,fe80::211:24ff:fe73:73f8,ff02::2:2c0f:7a38,ipv6-icmp,,,0,,1,,90,0,0,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0, v       ,,,->,,,MRQ,,,,,1,,,0x8200,,0x0000,
>
>
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> <v6.tcp>


