IPv6 question

carter at qosient.com carter at qosient.com
Sat Apr 7 09:37:54 EDT 2007 

Hey Richard,
Usually, when an entire flow goes away there is a problem with either the flow modeler, hashing packets from multiple flows into one, or the output processor, dropping the flow record due to some internal error.  Neither, of course, should be happeneing!!

The packet dump is the key!!!  I'll take a look at it tomorrow/Monday!!!!

Thanks, and hope all is most excellent!!

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "Richard Bejtlich" <taosecurity at gmail.com>
Date: Fri, 6 Apr 2007 23:20:49 
To:Argus <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] IPv6 question

Hello everyone,

This may be operator error.  This is the first time I've tried Argus
monitoring IPv6.

I'm using argus-clients-3.0.0.rc.42 and argus-3.0.0.rc.42 on FreeBSD 6.1.

I have a segment that is IPv6-only, which has a host gaining
connectivity to the IPv6 Internet via a Teredo gateway as outlined
here:

http://taosecurity.blogspot.com/2006/09/ipv6-only-freebsd-scenario.html

Argus is watching the link between the IPv6-only host and the Teredo gateway.

To generate some traffic I do the following:

1. SSH from the gateway to the host.
2. FTP from the host to ftp.freebsd.org and retrieve a file.

Argus is only seeing 1, but none of the actions associated with 2.
Both 1 and 2 are IPv6.

I tried doing these tests with a live Argus and then with Argus
reading a trace of the activity.  Here is what ra reports:

# /usr/local/argus-3.0.0.rc.42/sbin/argus -r /nsm/ipv6.test.1.lpc -w
/nsm/ipv6.test.1.lpc.arg

# /usr/local/argus-clients-3.0.0.rc.42/bin/ra -n -r /nsm/ipv6.test.1.lpc.arg
   23:08:05.764764             tcp fe80::200:d1ff:fe*.62593     ->
fe80::204:5aff:fe*.22           27       23         4373         5997
 CON

If you'd like to look at the traffic, I posted it here:

http://www.bejtlich.net/ipv6.test.1.lpc

Can anyone tell me what I'm missing?  I looked through the list
archives but nothing jumped out at me.

Thank you,

Richard

More information about the argus mailing list