A IPV6 triple

Peter Van Epp vanepp at sfu.ca
Mon Jul 31 15:19:14 EDT 2006


On Mon, Jul 31, 2006 at 03:00:21PM -0400, Carter Bullard wrote:
> Hey Peter,
>    No, the 'udp' is just udp, but the L3 flow id is ipv6, so if you filtered on
> 'ipv6' you'd get the udp lines as well as the 'ipv6-icmp', which is a different
> protocol number from 'icmp'.

	Ah, a lack of knowledge of V6. I was assuming that because icmp was flagged
as V6, UDP and TCP should be too. 

> 
>    I don't understand the issue with macs, as my data has macs in it.
> do you mean argus?  my argus is doing macs fine but I have
> ARGUS_GENERATE_MAC_DATA=yes in my system /etc/argus.conf file.
> Default is to NOT generate mac data, this may need to documented.

	Yes, the current argus man page indicates -m turns off MAC display

       -m   Don't provide MAC addresses information in argus records.

assuming I have the right man page loaded (which I believe I do). In fact -m
turns on MAC recording. I'm not at present running an /etc/argus.conf file. 

> 
>    IPv6 only has an ipid when there is fragmentation (is in an optional
> header section).
> 

	If 2.0.6 knows that, we likely need to suppress it when not present. If
it doesn't, then we could suppress it always I suppose, or live with it being 
sometimes invalid. 

>    When you see "::" in an IPv6 address, that means that the values on
> either side of the "::" are separated by zero's (as long as needed to
> separate the values on either side).
> 
> Carter
> 

	Current test output here looks like this from the v2 argus file; the 
only thing it's unhappy about is the ports (which probably aren't in the 
2.0.6 data anyway and can likely be ignored):

%./ra_test.pl v6.2.argus
sport 0 *
dport 0 *

line: 1 fields in error: dport,sport,
1151432430.851467,1151432483.530842,1,52.679375,52.679375,0:11:24:a6:a:8e,33:33:0:0:0:2,ipv6,0,0,,,,,296,0,224,0,4,0,44.95,0.00,0.08,0.00,0.0000,0.0000,3848370891,q,0:11:24:a6:a:8e,33:33:0:0:0:2,->,,,INT,s[16]="`.....:.........",,,,1,,,0x0286,,
1151432430.851467,1151432483.530842,1,52.679375,52.679375,0:11:24:a6:a:8e,33:33:0:0:0:2,ipv6,*,*,,,,,296,0,224,0,4,0,44.951,0.000,0.076,0.000,0,0,229.97.122.203, v       ,0:11:24:a6:a:8e,33:33:0:0:0:2,->,,,INT,s[16]="`.....:.........",,,,1,,,0x0286,,,

sport 0 *
dport 0 *

line: 2 fields in error: dport,sport,
1151432430.363967,1151432480.138400,1,49.774433,49.774433,0:d:93:45:95:de,33:33:0:0:0:2,ipv6,0,0,,,,,740,0,560,0,10,0,118.94,0.00,0.20,0.00,0.0000,0.0000,3848370891,q,0:d:93:45:95:de,33:33:0:0:0:2,->,,,INT,s[16]="`.....:.........",,,,2,,,0x0214,,
1151432430.363967,1151432480.138400,1,49.774433,49.774433,0:d:93:45:95:de,33:33:0:0:0:2,ipv6,*,*,,,,,740,0,560,0,10,0,118.937,0.000,0.201,0.000,0,0,229.97.122.203, v       ,0:d:93:45:95:de,33:33:0:0:0:2,->,,,INT,s[16]="`.....:.........",,,,2,,,0x0214,,,

sport 0 *
dport 0 *

line: 3 fields in error: dport,sport,
1151432429.567597,1151432449.583555,1,20.015958,20.015958,0:11:24:73:73:f8,33:33:0:0:0:fb,ipv6,0,0,,,,,3248,0,3050,0,11,0,1298.16,0.00,0.55,0.00,0.0000,0.0000,3848370891,q,0:11:24:73:73:f8,33:33:0:0:0:fb,->,,,INT,s[16]="`...............",,,,3,,,0x8200,,
1151432429.567597,1151432449.583555,1,20.015958,20.015959,0:11:24:73:73:f8,33:33:0:0:0:fb,ipv6,*,*,,,,,3248,0,3050,0,11,0,1298.164,0.000,0.550,0.000,0,0,229.97.122.203, v       ,0:11:24:73:73:f8,33:33:0:0:0:fb,->,,,INT,s[16]="`...............",,,,3,,,0x8200,,,

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
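An added example, not from the post or from the argus project: a field-by-field comparison of the two record styles shown above, in the spirit of the ra_test.pl check, that tolerates the differences visible in the output (port 0 versus "*", fewer versus more decimals, and one value printed as an integer in one line and as a dotted quad in the other). The field positions (proto at 7, sport/dport at 8 and 9) are assumed from the output, not taken from any argus documentation.

```python
import re
from itertools import zip_longest

# Field positions assumed from the record layout in the post above.
PROTO, SPORT, DPORT = 7, 8, 9

# Constructed input: the first record pair from the ra_test.pl output above
# (2.0.6-style line first, then the newer-style line).
OLD_RECORD = ('1151432430.851467,1151432483.530842,1,52.679375,52.679375,'
              '0:11:24:a6:a:8e,33:33:0:0:0:2,ipv6,0,0,,,,,296,0,224,0,4,0,'
              '44.95,0.00,0.08,0.00,0.0000,0.0000,3848370891,q,0:11:24:a6:a:8e,'
              '33:33:0:0:0:2,->,,,INT,s[16]="`.....:.........",,,,1,,,0x0286,,')
NEW_RECORD = ('1151432430.851467,1151432483.530842,1,52.679375,52.679375,'
              '0:11:24:a6:a:8e,33:33:0:0:0:2,ipv6,*,*,,,,,296,0,224,0,4,0,'
              '44.951,0.000,0.076,0.000,0,0,229.97.122.203, v       ,'
              '0:11:24:a6:a:8e,33:33:0:0:0:2,->,,,INT,s[16]="`.....:.........",'
              ',,,1,,,0x0286,,,')

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def dotted_to_int(s):
    """32-bit integer value of a dotted quad such as 229.97.122.203."""
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def decimals(s):
    """Number of digits printed after the decimal point."""
    return len(s.split(".")[1]) if "." in s else 0

def same_value(old, new, index):
    """True when two field spellings denote the same value."""
    old, new = old.strip(), new.strip()
    if old == new:
        return True
    # Ports: the old output prints 0, the new prints "*", on non-TCP/UDP flows.
    if index in (SPORT, DPORT) and {old, new} == {"0", "*"}:
        return True
    # Same 32-bit number written as an integer on one side, dotted quad on the other.
    for num, quad in ((old, new), (new, old)):
        if num.isdigit() and DOTTED.match(quad) and int(num) == dotted_to_int(quad):
            return True
    # Numbers printed at different precision: allow one unit in the coarser last place.
    try:
        a, b = float(old), float(new)
    except ValueError:
        return False
    tol = 10 ** -min(decimals(old), decimals(new))
    return abs(a - b) <= tol + 1e-9

def compare_records(old_line, new_line):
    """Return (index, old, new) for every field that still differs."""
    pairs = zip_longest(old_line.split(","), new_line.split(","), fillvalue="")
    return [(i, o, n) for i, (o, n) in enumerate(pairs) if not same_value(o, n, i)]

if __name__ == "__main__":
    for i, o, n in compare_records(OLD_RECORD, NEW_RECORD):
        print(f"field {i}: {o!r} != {n!r}")
```

On the pair above only field 27 ("q" versus "v") survives the normalisation, which matches the post's observation that the ports are the only thing ra_test.pl complains about once 0/"*" are treated as equivalent.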


