Argus 3.0.0.rc.29 ESP problem

Carter Bullard carter at qosient.com
Mon Sep 25 09:05:44 EDT 2006 

Hey Robin,
Yes, 3.0.0 ra* programs print out the ESP SPI (security payload  
index) in the
dst port field.  For ESP traffic the flow key is composed of the IP  
src and dst host
addresses, the proto number and the SPI value, which is a 32-bit number.
There is no src port number for ESP traffic, and there is  no  
requirement that
ESP traffic be bi-directional, but sometimes you do get an ESP flow  
where
A -> B uses the same SPI as a flow going B -> A.  In this special  
case argus
will report them as a single bi-directional flow, with only one SPI  
value.

So in your output, each of the lines is a separate ESP context,  
indicating
that keys have been negotiated, etc....  Argus-2.x used the SPI as a  
part of
the flow, but didn't print the values out, too big, wrong size, and  
we didn't
have the flexibility we have now with controlling printing.

The '*' indicates a printing field overflow, so the value is larger  
than the
5 or so digits you have for the field width (I think the default port  
print width
is 6 chars?).

The ESP is basically a random number, and thus doesn't really mean much,
other than it's a part of the flow key.   If you want to see the  
whole number,
change the field width to 8 or so, either in your .rarc or on the  
command line.
On the command line, you'll have to remove the field and add it back.  
For me,
that would be a command like:

    ra -s -dport -s +6dport:9

You can filter on the SPI, to pick out specific esp flows in  
argus-3.0.0.
Commands like "ra -r file - spi gt 100000 and lt 100020" work very well,
or "ra -r file - spi 123764".  At least that is the design.

If you have any problems with any of this, send mail and we'll sort  
it out, or
fix the code, or fix me ;o) !!!!!

Carter


On Sep 25, 2006, at 3:52 AM, Robin Gruyters wrote:

> Hi ya,
>
> Last weekend I'd noticed a small problem when filtering ESP packets  
> with ra.
> With 3.0 is shows some weird port numbers with ESP protocol, but  
> with 2.0.6 is doesn't. (the argus output file comes from 2.0.6  
> argus daemon)
>
> output 2.0.6
> [...]
> Type     SrcAddr     Sport     DstAddr     Dport
>  50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>  50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>  50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>  50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>  50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>  50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>  50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>  50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>  50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
> [...]
>
> output 3.0.0
> [...]
>   Proto      SrcAddr        Sport      DstAddr        Dport
>      50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.36195*
>      50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.36261*
>      50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.36621*
>      50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.37021*
>      50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.37421*
>      50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.37814*
>      50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.40043*
>      50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.40456*
>      50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.40521*
> [...]
>
> Any idea?
>
> Regards,
>
> Robin Gruyters
> Network and Security Engineer
> Yirdis B.V.
> I: http://yirdis.com
> P: +31 (0)36 5300394
> F: +31 (0)36 5489119
>
>

More information about the argus mailing list