Apparent icmp echo bug in rc.42
Peter Van Epp
vanepp at sfu.ca
Thu Apr 12 19:36:35 EDT 2007
It looks like there is still a dual interface problem with .rc.42:
argus -r ping.eth0.tcp -r ping.eth1.tcp -w ping.argus
(where eth0 and eth1 are the two halves of a fdx connection off my regen
tap)
vanepp at hcids:~> ra -r ping.argus -n
14:41:25.161787 icmp 142.58.190.120 -> 207.23.240.145 1 0 82 0 ECO
14:41:55.191196 icmp 142.58.190.120 -> 207.23.240.145 1 0 82 0 ECO
...
16:02:55.270053 icmp 142.58.190.120 -> 207.23.240.145 1 0 82 0 ECO
16:03:25.289628 icmp 142.58.190.120 <-> 207.23.240.145 1 1 82 82 ECO
14:41:25.169500 icmp 207.23.240.145 -> 142.58.190.120 1 0 82 0 ROB
14:41:55.189233 icmp 207.23.240.145 -> 142.58.190.120 1 0 82 0 NDA
14:42:25.218523 icmp 207.23.240.145 -> 142.58.190.120 1 0 82 0 UNK
It appears to be starting again on the second file and not associating
with the fdx flows. The live argus with two interfaces does much the same thing:
argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m
/usr/local/bin/ra3 -S xxx.xx.xxx.xxx:560 -n -w /var/log/argus/com_argus &
ra3 -r com_argus -n host 142.58.190.120
16:22:25.318508 icmp 207.23.240.145 <-> 142.58.190.120 1 1 82 82 UNK
16:22:55.278030 icmp 207.23.240.145 <-> 142.58.190.120 1 1 82 82 UNK
16:23:25.307382 icmp 207.23.240.145 <-> 142.58.190.120 1 1 82 82 UNK
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
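
A check for the symptom in this report, as an added example that is not part of the original post or of the argus code: it pairs one-way ICMP records in `ra -n` output whose addresses are reversed and whose start times fall close together, which is how the two halves of a split echo exchange appear above. The function names and the one-second window are assumptions; the sample lines are taken from the output in the report.

```python
import re

# Sample input: ra -n lines taken from the report above.
SAMPLE = """\
14:41:25.161787 icmp 142.58.190.120 -> 207.23.240.145 1 0 82 0 ECO
14:41:55.191196 icmp 142.58.190.120 -> 207.23.240.145 1 0 82 0 ECO
16:03:25.289628 icmp 142.58.190.120 <-> 207.23.240.145 1 1 82 82 ECO
14:41:25.169500 icmp 207.23.240.145 -> 142.58.190.120 1 0 82 0 ROB
14:41:55.189233 icmp 207.23.240.145 -> 142.58.190.120 1 0 82 0 NDA
14:42:25.218523 icmp 207.23.240.145 -> 142.58.190.120 1 0 82 0 UNK
"""

# Columns as printed above: time, proto, src, dir, dst, four counters, state.
LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+)\s+icmp\s+(\S+)\s+(<->|->)\s+(\S+)"
    r"\s+\d+\s+\d+\s+\d+\s+\d+\s+(\S+)$"
)

def parse(text):
    """Return one dict per ICMP record; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, direction, dst, state = m.groups()
        h, mnt, s = ts.split(":")
        records.append({"ts": ts, "t": int(h) * 3600 + int(mnt) * 60 + float(s),
                        "src": src, "dst": dst, "dir": direction, "state": state})
    return records

def find_split_flows(text, window=1.0):
    """Pair one-way records with reversed addresses that start within
    `window` seconds of each other (assumed threshold; no midnight wrap)."""
    recs = [r for r in parse(text) if r["dir"] == "->"]
    used, pairs = set(), []
    for i, a in enumerate(recs):
        if i in used:
            continue
        for j in range(i + 1, len(recs)):
            b = recs[j]
            if j in used or (a["src"], a["dst"]) != (b["dst"], b["src"]):
                continue
            if abs(a["t"] - b["t"]) <= window:
                used.update((i, j))
                pairs.append((a["ts"], b["ts"], b["state"]))
                break
    return pairs

if __name__ == "__main__":
    for first, second, state in find_split_flows(SAMPLE):
        print(f"{first} and {second} look like one echo exchange (state {state})")
```
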