Argus 3.0.0.rc.29 ESP problem

Carter Bullard carter at qosient.com
Mon Sep 25 10:27:37 EDT 2006


Hey Robin,
I think the confusion may come from the fact that most of the traffic
is TCP or UDP, and so we expect the port fields to be in every
transaction. The fact is, there are 10 flow types that don't have ports.

The argus web site has the list of the flow models that it supports
       http://www.qosient.com/argus/flow.htm

For clarity in tools like ra() and ratop() we want to print out the
fields that make a flow unique.  In argus-2.x, you could see 10 ESP
records between A and B, and not be able to understand why there are 10
records instead of say 1, especially after you have processed the
records with ragator()/racluster(), and all the unique flows should be
aggregated together.


Carter


On Sep 25, 2006, at 9:32 AM, Robin Gruyters wrote:

> Hey Carter,
>
> OK, I'll have to remember that with ESP packets, the SPI will be  
> placed in the dport field. Although it can be quite confusing...
>
> Regards,
>
> Robin Gruyters
> Network and Security Engineer
> Yirdis B.V.
> I: http://yirdis.com
> P: +31 (0)36 5300394
> F: +31 (0)36 5489119
>
>
> Quoting Carter Bullard <carter at qosient.com>:
>
>> Hey Robin,
>> Yes, 3.0.0 ra* programs print out the ESP SPI (security payload index)
>> in the dst port field.  For ESP traffic the flow key is composed of the
>> IP src and dst host addresses, the proto number and the SPI value,
>> which is a 32-bit number. There is no src port number for ESP traffic,
>> and there is no requirement that ESP traffic be bi-directional, but
>> sometimes you do get an ESP flow where A -> B uses the same SPI as a
>> flow going B -> A.  In this special case argus will report them as a
>> single bi-directional flow, with only one SPI value.
>>
>> So in your output, each of the lines is a separate ESP context,
>> indicating that keys have been negotiated, etc....  Argus-2.x used the
>> SPI as a part of the flow, but didn't print the values out, too big,
>> wrong size, and we didn't have the flexibility we have now with
>> controlling printing.
>>
>> The '*' indicates a printing field overflow, so the value is larger
>> than the 5 or so digits you have for the field width (I think the
>> default port print width is 6 chars?).
>>
>> The ESP is basically a random number, and thus doesn't really mean
>> much, other than it's a part of the flow key.  If you want to see the
>> whole number, change the field width to 8 or so, either in your .rarc
>> or on the command line. On the command line, you'll have to remove the
>> field and add it back. For me, that would be a command like:
>>
>>    ra -s -dport -s +6dport:9
>>
>> You can filter on the SPI, to pick out specific esp flows in
>> argus-3.0.0. Commands like "ra -r file - spi gt 100000 and lt 100020"
>> work very well, or "ra -r file - spi 123764".  At least that is the
>> design.
>>
>> If you have any problems with any of this, send mail and we'll sort it
>> out, or fix the code, or fix me ;o) !!!!!
>>
>> Carter
>>
>>
>> On Sep 25, 2006, at 3:52 AM, Robin Gruyters wrote:
>>
>>> Hi ya,
>>>
>>> Last weekend I'd noticed a small problem when filtering ESP packets
>>> with ra. With 3.0 it shows some weird port numbers with ESP protocol,
>>> but with 2.0.6 it doesn't. (the argus output file comes from 2.0.6
>>> argus daemon)
>>>
>>> output 2.0.6
>>> [...]
>>> Type     SrcAddr     Sport     DstAddr     Dport
>>> 50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>>> 50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>>> 50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>>> 50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>>> 50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>>> 50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>>> 50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>>> 50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>>> 50    82.xxx.xxx.xxx   213.xxx.xxx.xxx
>>> [...]
>>>
>>> output 3.0.0
>>> [...]
>>>  Proto      SrcAddr        Sport      DstAddr        Dport
>>>     50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.36195*
>>>     50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.36261*
>>>     50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.36621*
>>>     50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.37021*
>>>     50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.37421*
>>>     50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.37814*
>>>     50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.40043*
>>>     50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.40456*
>>>     50       82.xxx.xxx.xxx.xxx            213.xxx.xxx.xxx.40521*
>>> [...]
>>>
>>> Any idea?
>>>
>>> Regards,
>>>
>>> Robin Gruyters
>>> Network and Security Engineer
>>> Yirdis B.V.
>>> I: http://yirdis.com
>>> P: +31 (0)36 5300394
>>> F: +31 (0)36 5489119
>>>
>>>
>
>
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
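
An added example, not part of the original thread and not Argus code: a sketch of the ESP flow key described above (src, dst, proto, SPI), the merge of both directions when they share an SPI, and the `*` overflow marker as it appears in the 3.0.0 output. Addresses, SPI values and function names are constructed; the direction-independent key and the truncation rule are assumptions about Argus's behaviour.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ESP = 50  # IP protocol number for ESP

def make_packet(src, dst, spi, seq):
    """Constructed sample: minimal IPv4 header (no options) + ESP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ESP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + struct.pack("!II", spi, seq)

def esp_flow_key(pkt):
    """Return (src, dst, proto, spi) for an IPv4 ESP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                    # IP header length in bytes
    if ihl < 20 or pkt[9] != ESP or len(pkt) < ihl + 8:
        return None
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    (spi,) = struct.unpack_from("!I", pkt, ihl)  # SPI: first 32 bits of ESP
    return (src, dst, ESP, spi)

def aggregate(packets):
    """Count packets per flow; A->B and B->A sharing an SPI merge into one."""
    flows = defaultdict(int)
    for pkt in packets:
        key = esp_flow_key(pkt)
        if key is None:
            continue                             # not ESP, or truncated
        src, dst, proto, spi = key
        a, b = sorted((src, dst))                # direction-independent pair
        flows[(a, b, proto, spi)] += 1
    return dict(flows)

def fit_field(value, width):
    """Render a number in a fixed-width column, marking overflow with '*'."""
    text = str(value)
    return text if len(text) <= width else text[:width - 1] + "*"

# Constructed traffic: two SPIs from A to B, one of them also used B to A.
A, B = "192.0.2.10", "198.51.100.20"
SAMPLE = [make_packet(A, B, 3619512345, 1), make_packet(A, B, 3619512345, 2),
          make_packet(B, A, 3619512345, 1), make_packet(A, B, 123764, 1)]

if __name__ == "__main__":
    for (a, b, proto, spi), n in aggregate(SAMPLE).items():
        print(proto, a, b, fit_field(spi, 6), fit_field(spi, 10), n)
```

With a 6-character column the 10-digit SPI is cut and flagged, while a 10-character column shows it whole, which is why widening the dport field removes the `*`.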

