new argus features - IPv6 support

Carter Bullard carter at qosient.com
Wed Jun 21 15:52:18 EDT 2006 

Gentle people,
Another entry for the list.

    Argus 3.0 IPv6 support
       Argus and its clients programs can now monitor and process
       IPv6 flows.   In argus-2.0 we would identify the flow as IPv6,
       but would track the ethernet addresses and protocol field as
       the flow key.

       Argus tracks IPv6 flows like IPv4, but the flow key is much
       larger.  IPv6 flows can be generated from traffic streams using
       any of the supported encapsulations, which include SONET,
       ethernet,  LLC, 802.11Q, PPP, MPLS, and GRE, to name a few.
       And we support IPnIP mixes, so we'll track IPv6 in IPv4 and vice
       versa.   There is specific support for IPPROTO_ICMPV6 and its
       interesting behaviors, and we track packet fragmentation back
       to the parent flow, just as we do for IPv4.

       The new argus record format allows for IPv6 source identifiers,
       however, I've not implemented parsing them from configuration
       files, so that is work that needs to be done.

       Argus client support for IPv6 is good, but not complete.   ra*
       programs support filtering on IPv6 addresses, with the parser
       recognizing all standard IPv6 address formats in the filter  
string,
       and automatically limiting the search to only IPv6 traffic.   New
       filter tokens 'ipv4' and 'ipv6' can explicitly limit the  
searches,
       but the token 'ip' will usually duplicate some of the filter
       instructions to look in both ipv4 and ipv6 traffic.   Use the  
'-b'
       option to see what code the compiler generates.   So these
       filters should work:
          ra -r file - ipv6
          ra -r file - src host fe80::214:51ff:fe66:7c5a

       Name resolution, both forward and reverse lookups on IPv6
       addresses should work.

       Because client output has specific field size limits on the  
command
       line, if you use, say, 'saddr:18" as a printing directive, and  
you
       encounter an IPv6 address, you will probably truncate the
       output (sometimes not, as we support concise IPv6 address
       representations).   All client programs will put an '*' at the  
end
       of a column  if the field width is not large enough to hold the
       value.  At least that is the design for all fields.

       If anyone finds that something is lacking in the IPv6 support
       side of things, don't hesitate to send mail to the list.

Hope all is most excellent,

Carter

More information about the argus mailing list