IPv6 question
Richard Bejtlich
taosecurity at gmail.com
Fri Apr 6 23:20:49 EDT 2007
Hello everyone,
This may be operator error. This is the first time I've tried Argus
monitoring IPv6.
I'm using argus-clients-3.0.0.rc.42 and argus-3.0.0.rc.42 on FreeBSD 6.1.
I have a segment that is IPv6-only, which has a host gaining
connectivity to the IPv6 Internet via a Teredo gateway as outlined
here:
http://taosecurity.blogspot.com/2006/09/ipv6-only-freebsd-scenario.html
Argus is watching the link between the IPv6-only host and the Teredo gateway.
To generate some traffic I do the following:
1. SSH from the gateway to the host.
2. FTP from the host to ftp.freebsd.org and retrieve a file.
Argus is only seeing 1, but none of the actions associated with 2.
Both 1 and 2 are IPv6.
I tried doing these tests with a live Argus and then with Argus
reading a trace of the activity. Here is what ra reports:
# /usr/local/argus-3.0.0.rc.42/sbin/argus -r /nsm/ipv6.test.1.lpc -w /nsm/ipv6.test.1.lpc.arg
# /usr/local/argus-clients-3.0.0.rc.42/bin/ra -n -r /nsm/ipv6.test.1.lpc.arg
23:08:05.764764 tcp fe80::200:d1ff:fe*.62593 -> fe80::204:5aff:fe*.22 27 23 4373 5997 CON
If you'd like to look at the traffic, I posted it here:
http://www.bejtlich.net/ipv6.test.1.lpc
Can anyone tell me what I'm missing? I looked through the list
archives but nothing jumped out at me.
Thank you,
Richard
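Added example, not from the original post or from the Argus project: a stdlib-only Python script that reads a classic libpcap file like the .lpc trace referenced above, decodes Ethernet/IPv6 frames into 5-tuple flows and prints one line per flow in the spirit of ra, tagging each endpoint as link-local, Teredo (2001::/32) or global. This gives an independent view of which flows are actually present in a trace, so it can be compared with what ra reports. It builds its own three-packet trace (the addresses, MACs, ports, payload and timestamps are constructed) so it runs offline; feeding the bytes of a real capture to flow_summary or report works the same way. It assumes linktype 1 (Ethernet) and plain IPv6 with no extension headers, and does not read pcapng.

```python
# Added example, not from the original post or from Argus: an independent
# flow summary of a classic libpcap trace, stdlib only.  Handles linktype 1
# (Ethernet) and plain IPv6/TCP or UDP; IPv6 extension headers and pcapng
# are out of scope.  All addresses, ports and timestamps below are constructed.
import ipaddress
import struct
from collections import defaultdict

ETH_IPV6 = 0x86DD
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
TEREDO = ipaddress.ip_network("2001::/32")  # Teredo service prefix, RFC 4380
PROTO_NAMES = {6: "tcp", 17: "udp", 58: "icmpv6"}


def classify(addr):
    """Scope label for an IPv6 address: link-local, teredo, or global."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in TEREDO:
        return "teredo"
    return "global"


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap blob."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"          # little-endian writer (the common case)
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic libpcap file")
    off = 24                 # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def decode_ipv6(frame):
    """(src, dst, proto, sport, dport) for an Ethernet/IPv6 frame, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return None
    ip = frame[14:]
    proto = ip[6]                                   # IPv6 next-header field
    src = str(ipaddress.IPv6Address(ip[8:24]))
    dst = str(ipaddress.IPv6Address(ip[24:40]))
    sport = dport = 0
    if proto in (6, 17) and len(ip) >= 44:          # TCP and UDP share port layout
        sport, dport = struct.unpack("!HH", ip[40:44])
    return src, dst, proto, sport, dport


def flow_summary(data):
    """Packet count per unidirectional 5-tuple, the raw material of an ra line."""
    flows = defaultdict(int)
    for _ts, frame in parse_pcap(data):
        key = decode_ipv6(frame)
        if key:
            flows[key] += 1
    return dict(flows)


def report(data):
    """One text line per flow, annotated with the scope of each endpoint."""
    lines = []
    for (src, dst, proto, sp, dp), n in sorted(flow_summary(data).items()):
        name = PROTO_NAMES.get(proto, str(proto))
        lines.append(f"{name} {src}.{sp} -> {dst}.{dp} pkts={n} "
                     f"[{classify(src)} -> {classify(dst)}]")
    return lines


def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv6 frame with a TCP or UDP header (checksums zero)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip6 = struct.pack("!IHBB", 6 << 28, len(l4), proto, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    eth = b"\x00\x04\x5a\x00\x00\x02" + b"\x00\x00\xd1\x00\x00\x01" + struct.pack("!H", ETH_IPV6)
    return eth + ip6 + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap with linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1175915285 + i, 0, len(f), len(f)) + f  # constructed times
    return out


# Constructed trace: SSH between two link-local addresses (both directions),
# then an FTP control packet from a Teredo-prefixed host to a global server.
HOST_LL, GW_LL = "fe80::204:5aff:fe00:2", "fe80::200:d1ff:fe00:1"
HOST_TEREDO, FTP_SERVER = "2001:0:c0a8:1::3f57:fe7f", "2001:db8::21"
SAMPLE = build_pcap([
    build_frame(GW_LL, HOST_LL, 6, 62593, 22),
    build_frame(HOST_LL, GW_LL, 6, 22, 62593),
    build_frame(HOST_TEREDO, FTP_SERVER, 6, 49152, 21, b"USER anonymous\r\n"),
])

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it as-is to see the three constructed flows; to check a real trace, replace SAMPLE with the contents of the capture file read in binary mode. Flows are counted per direction on purpose, since a bidirectional monitor merging them is exactly the step whose output is being checked.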