Argus 3.0.0.rc.29 ESP problem
Robin Gruyters
r.gruyters at yirdis.nl
Mon Sep 25 09:32:32 EDT 2006
Hey Carter,
OK, I'll have to remember that with ESP packets, the SPI will be
placed in the dport field. Although it can be quite confusing...
Regards,
Robin Gruyters
Network and Security Engineer
Yirdis B.V.
I: http://yirdis.com
P: +31 (0)36 5300394
F: +31 (0)36 5489119
Quoting Carter Bullard <carter at qosient.com>:
> Hey Robin,
> Yes, 3.0.0 ra* programs print out the ESP SPI (security payload index) in the
> dst port field. For ESP traffic the flow key is composed of the IP src
> and dst host
> addresses, the proto number and the SPI value, which is a 32-bit number.
> There is no src port number for ESP traffic, and there is no
> requirement that
> ESP traffic be bi-directional, but sometimes you do get an ESP flow where
> A -> B uses the same SPI as a flow going B -> A. In this special case argus
> will report them as a single bi-directional flow, with only one SPI value.
>
> So in your output, each of the lines is a separate ESP context, indicating
> that keys have been negotiated, etc.... Argus-2.x used the SPI as a part of
> the flow, but didn't print the values out, too big, wrong size, and we didn't
> have the flexibility we have now with controlling printing.
>
> The '*' indicates a printing field overflow, so the value is larger than the
> 5 or so digits you have for the field width (I think the default port
> print width
> is 6 chars?).
>
> The ESP is basically a random number, and thus doesn't really mean much,
> other than it's a part of the flow key. If you want to see the
> whole number,
> change the field width to 8 or so, either in your .rarc or on the
> command line.
> On the command line, you'll have to remove the field and add it back. For me,
> that would be a command like:
>
> ra -s -dport -s +6dport:9
>
> You can filter on the SPI, to pick out specific esp flows in argus-3.0.0.
> Commands like "ra -r file - spi gt 100000 and lt 100020" work very well,
> or "ra -r file - spi 123764". At least that is the design.
>
> If you have any problems with any of this, send mail and we'll sort
> it out, or
> fix the code, or fix me ;o) !!!!!
>
> Carter
>
>
> On Sep 25, 2006, at 3:52 AM, Robin Gruyters wrote:
>
>> Hi ya,
>>
>> Last weekend I'd noticed a small problem when filtering ESP packets with ra.
>> With 3.0 is shows some weird port numbers with ESP protocol, but
>> with 2.0.6 is doesn't. (the argus output file comes from 2.0.6
>> argus daemon)
>>
>> output 2.0.6
>> [...]
>> Type SrcAddr Sport DstAddr Dport
>> 50 82.xxx.xxx.xxx 213.xxx.xxx.xxx
>> 50 82.xxx.xxx.xxx 213.xxx.xxx.xxx
>> 50 82.xxx.xxx.xxx 213.xxx.xxx.xxx
>> 50 82.xxx.xxx.xxx 213.xxx.xxx.xxx
>> 50 82.xxx.xxx.xxx 213.xxx.xxx.xxx
>> 50 82.xxx.xxx.xxx 213.xxx.xxx.xxx
>> 50 82.xxx.xxx.xxx 213.xxx.xxx.xxx
>> 50 82.xxx.xxx.xxx 213.xxx.xxx.xxx
>> 50 82.xxx.xxx.xxx 213.xxx.xxx.xxx
>> [...]
>>
>> output 3.0.0
>> [...]
>> Proto SrcAddr Sport DstAddr Dport
>> 50 82.xxx.xxx.xxx.xxx 213.xxx.xxx.xxx.36195*
>> 50 82.xxx.xxx.xxx.xxx 213.xxx.xxx.xxx.36261*
>> 50 82.xxx.xxx.xxx.xxx 213.xxx.xxx.xxx.36621*
>> 50 82.xxx.xxx.xxx.xxx 213.xxx.xxx.xxx.37021*
>> 50 82.xxx.xxx.xxx.xxx 213.xxx.xxx.xxx.37421*
>> 50 82.xxx.xxx.xxx.xxx 213.xxx.xxx.xxx.37814*
>> 50 82.xxx.xxx.xxx.xxx 213.xxx.xxx.xxx.40043*
>> 50 82.xxx.xxx.xxx.xxx 213.xxx.xxx.xxx.40456*
>> 50 82.xxx.xxx.xxx.xxx 213.xxx.xxx.xxx.40521*
>> [...]
>>
>> Any idea?
>>
>> Regards,
>>
>> Robin Gruyters
>> Network and Security Engineer
>> Yirdis B.V.
>> I: http://yirdis.com
>> P: +31 (0)36 5300394
>> F: +31 (0)36 5489119
>>
>>
More information about the argus
mailing list