Ipv6/icmpv6 connection state explanation

CS Lee geek00l at gmail.com
Mon Apr 16 22:04:12 EDT 2007 

Carter,

Not pushing too hard from me but just would like to let you know that icmpv6
connection states are not explained in the man page, as I figured in
richard's pcap file that was posted in previous mail.

ra -L0 -nn -r ipv6.test.1.arg
         StartTime    Flgs   Proto      SrcAddr        Sport   Dir
DstAddr        Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State
   11:08:05.764764               6 fe80::200:d1ff:fe*.62593     ->
fe80::204:5aff:fe*.22          173      125        20273        24081   FIN
   11:08:10.763662              58 fe80::200:d1ff:fe*          <->
fe80::204:5aff:fe*               1        1           86           86   NDN
   11:08:10.764036              58 fe80::204:5aff:fe*          <->
fe80::200:d1ff:fe*               1        1           78           78   NDR
   11:08:13.380099              17 2001:5c0:925d:0:2*.49178    <->
2001:240::1.53            1        1           95          255   CON
   11:08:13.721598              17 2001:5c0:925d:0:2*.49179    <->
2001:240::1.53            1        1           95          279   CON
   11:08:14.085795               6 2001:5c0:925d:0:2*.57339     ->
2001:6c8:6:4::7.21           32       24         2919         2881   FIN
   11:08:18.718378              58   2001:5c0:925d::1          <->
2001:5c0:925d:0:2*               1        1           86           86   NDN
   11:08:18.718755              58 2001:5c0:925d:0:2*          <->
2001:5c0:925d::1               1        1           78           78   NDR
   11:08:20.303258               6 2001:5c0:925d:0:2*.57340     ->
2001:6c8:6:4::7.64534         4        4          356          590   FIN
   11:08:25.314906               6 2001:5c0:925d:0:2*.57341     ->
2001:6c8:6:4::7.60801         5        5          442         2671   FIN
   11:08:36.330491               6 2001:5c0:925d:0:2*.57342     ->
2001:6c8:6:4::7.60199        30       36         2700        43641   FIN

I quickly checked it, proto 58 indicates it is icmp6 -

egrep 'NDN' include/*
include/argus_util.h:   "NDA", "NDN", "NDR", "PTB",

char *icmptypestr[ICMP_MAXTYPE + 1] = {
   "ECR", "   ", "   ", "UR" , "SRC", "RED",
   "AHA", "   ", "ECO", "RTA", "RTS", "TXD",
   "PAR", "TST", "TSR", "IRQ", "IRR", "MAS",
   "MSR", "SEC", "ROB", "ROB", "ROB", "ROB",
   "ROB", "ROB", "ROB", "ROB", "ROB", "ROB",
   "TRC", "DCE", "MHR", "WAY", "IAH", "MRQ",
   "MRP", "DNQ", "DNP", "SKP", "PHO", "NDS",
   "NDA", "NDN", "NDR", "PTB",
};

Looking into the pcap, it is something to do with Neighbour discovery
stuffs, however I would like to understand it by just looking into the argus
flow stream - NDN, NDR and so forth or any reference for it.

Another thing should be how can I filter out ipv6 and icmp6 flow? For
example I can use bpf filter like tcpdump ip6 or icmp6.

Thanks.

-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20070417/5bd113db/attachment.html>

More information about the argus mailing list