Ipv6/icmpv6 connection state explanation
Carter Bullard
carter at qosient.com
Tue Apr 17 10:45:30 EDT 2007
I have added explanations for these data elements in the ra.1 manpage.
I'll have new code up (a refresh of rc.42, rather than a new rc, as we're
in code freeze, sorry) later today.

For filtering of ipv4 and ipv6 data, the keyword "ipv6" is in the
/etc/protocols file, which is where we get the values for protocols. The
keyword "ipv4" we have invented, to be consistent with the "ipv6" syntax,
and the keyword "ip" matches all versions of ip.

So, ..., if you want ip version 6 records only, try:

   ra -r file - ipv6
Carter
On Apr 16, 2007, at 10:04 PM, CS Lee wrote:
> Carter,
>
> Not pushing too hard from me but just would like to let you know
> that icmpv6 connection states are not explained in the man page, as
> I figured in Richard's pcap file that was posted in the previous mail.
>
> ra -L0 -nn -r ipv6.test.1.arg
>       StartTime  Flgs  Proto  SrcAddr  Sport  Dir  DstAddr  Dport  SrcPkts  DstPkts  SrcBytes  DstBytes  State
> 11:08:05.764764     6  fe80::200:d1ff:fe*.62593   ->   fe80::204:5aff:fe*.22     173  125  20273  24081  FIN
> 11:08:10.763662    58  fe80::200:d1ff:fe*        <->   fe80::204:5aff:fe*          1    1     86     86  NDN
> 11:08:10.764036    58  fe80::204:5aff:fe*        <->   fe80::200:d1ff:fe*          1    1     78     78  NDR
> 11:08:13.380099    17  2001:5c0:925d:0:2*.49178  <->   2001:240::1.53              1    1     95    255  CON
> 11:08:13.721598    17  2001:5c0:925d:0:2*.49179  <->   2001:240::1.53              1    1     95    279  CON
> 11:08:14.085795     6  2001:5c0:925d:0:2*.57339   ->   2001:6c8:6:4::7.21         32   24   2919   2881  FIN
> 11:08:18.718378    58  2001:5c0:925d::1          <->   2001:5c0:925d:0:2*          1    1     86     86  NDN
> 11:08:18.718755    58  2001:5c0:925d:0:2*        <->   2001:5c0:925d::1            1    1     78     78  NDR
> 11:08:20.303258     6  2001:5c0:925d:0:2*.57340   ->   2001:6c8:6:4::7.64534       4    4    356    590  FIN
> 11:08:25.314906     6  2001:5c0:925d:0:2*.57341   ->   2001:6c8:6:4::7.60801       5    5    442   2671  FIN
> 11:08:36.330491     6  2001:5c0:925d:0:2*.57342   ->   2001:6c8:6:4::7.60199      30   36   2700  43641  FIN
>
> I quickly checked it, proto 58 indicates it is icmp6 -
>
> egrep 'NDN' include/*
> include/argus_util.h: "NDA", "NDN", "NDR", "PTB",
>
> char *icmptypestr[ICMP_MAXTYPE + 1] = {
> "ECR", " ", " ", "UR" , "SRC", "RED",
> "AHA", " ", "ECO", "RTA", "RTS", "TXD",
> "PAR", "TST", "TSR", "IRQ", "IRR", "MAS",
> "MSR", "SEC", "ROB", "ROB", "ROB", "ROB",
> "ROB", "ROB", "ROB", "ROB", "ROB", "ROB",
> "TRC", "DCE", "MHR", "WAY", "IAH", "MRQ",
> "MRP", "DNQ", "DNP", "SKP", "PHO", "NDS",
> "NDA", "NDN", "NDR", "PTB",
> };
>
> Looking into the pcap, it is something to do with Neighbour
> Discovery stuff; however, I would like to understand it by just
> looking into the argus flow stream - NDN, NDR and so forth - or any
> reference for it.
>
> Another thing: how can I filter out ipv6 and icmp6 flows?
> For example, I can use a bpf filter like tcpdump ip6 or icmp6.
>
> Thanks.
>
> --
> Best Regards,
>
> CS Lee <geekooL[at]gmail.com>
Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
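Added here as a worked illustration, not Argus code and not from the thread: a
small Python parser for the "ra -L0 -nn" rows quoted above that applies the
"ip" / "ipv4" / "ipv6" selection Carter describes (the IP version is inferred
from the address form, since the text output has no version column) and tallies
the State column per protocol, so the ICMPv6 (proto 58) records can be pulled
out together with their NDN/NDR state codes. The sample rows are the ones from
the post plus one constructed IPv4 row; the "ipv6-icmp" keyword, the function
names and the port-splitting rule are this example's own assumptions, not ra's
filter syntax (ra filters the binary records, not this printed text).

```python
"""Parse the column output that `ra -L0 -nn` prints and apply the
ip / ipv4 / ipv6 version keywords described in the thread.

Added example, not Argus code.  The sample rows come from the thread
(ra's '*' address truncation kept as posted) plus one constructed IPv4
row so the version filter has both kinds to choose between."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Protocol numbers as listed in /etc/protocols: tcp 6, udp 17, ipv6-icmp 58
TCP, UDP, ICMPV6 = 6, 17, 58
PORTED_PROTOS = {TCP, UDP}      # ra prints addr.port only for these

SAMPLE = """\
          StartTime  Flgs  Proto  SrcAddr  Sport  Dir  DstAddr  Dport  SrcPkts  DstPkts  SrcBytes  DstBytes  State
    11:08:05.764764     6  fe80::200:d1ff:fe*.62593   ->   fe80::204:5aff:fe*.22   173  125  20273  24081  FIN
    11:08:10.763662    58  fe80::200:d1ff:fe*        <->   fe80::204:5aff:fe*        1    1     86     86  NDN
    11:08:10.764036    58  fe80::204:5aff:fe*        <->   fe80::200:d1ff:fe*        1    1     78     78  NDR
    11:08:13.380099    17  2001:5c0:925d:0:2*.49178  <->   2001:240::1.53            1    1     95    255  CON
    11:08:40.000000     6  192.0.2.10.51234           ->   192.0.2.20.22            10    8    800    600  FIN
"""
# last row is constructed; 192.0.2.0/24 is the RFC 5737 documentation range


@dataclass
class FlowRecord:
    start: str
    flags: str
    proto: int
    src: str
    sport: Optional[int]
    direction: str
    dst: str
    dport: Optional[int]
    spkts: int
    dpkts: int
    sbytes: int
    dbytes: int
    state: str

    @property
    def ip_version(self) -> int:
        # ra's columns carry no version field; a ':' occurs only in IPv6
        # addresses, so that is the version test used here (assumption)
        return 6 if ":" in self.src else 4


def split_endpoint(token: str, proto: int):
    """Split 'addr.port' as ra prints it.  Only TCP/UDP rows carry a port,
    and it always follows the last '.', which works for IPv4 and for IPv6
    forms such as 2001:240::1.53.  ICMPv6 rows have no port."""
    if proto in PORTED_PROTOS and "." in token:
        addr, port = token.rsplit(".", 1)
        return addr, int(port)
    return token, None


def parse_ra(text: str) -> List[FlowRecord]:
    records = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 10 or not re.match(r"\d\d:\d\d:\d\d", tok[0]):
            continue                  # header line or blank line
        # the nine rightmost columns are fixed; whatever sits between the
        # timestamp and Proto is the (possibly empty) Flgs column
        proto = int(tok[-9])
        src, sport = split_endpoint(tok[-8], proto)
        dst, dport = split_endpoint(tok[-6], proto)
        spkts, dpkts, sbytes, dbytes = map(int, tok[-5:-1])
        records.append(FlowRecord(tok[0], " ".join(tok[1:-9]), proto,
                                  src, sport, tok[-7], dst, dport,
                                  spkts, dpkts, sbytes, dbytes, tok[-1]))
    return records


def matches(rec: FlowRecord, keyword: str) -> bool:
    """Version keywords as Carter describes them: 'ipv4' and 'ipv6' select
    one version, 'ip' matches both.  'ipv6-icmp' (the /etc/protocols name
    for 58) and the bare number are this example's own addition."""
    keyword = keyword.lower()
    if keyword == "ip":
        return True
    if keyword in ("ipv4", "ipv6"):
        return rec.ip_version == int(keyword[-1])
    if keyword in ("ipv6-icmp", "58"):
        return rec.proto == ICMPV6
    raise ValueError(f"unknown filter keyword: {keyword!r}")


def select(records: List[FlowRecord], keyword: str) -> List[FlowRecord]:
    return [r for r in records if matches(r, keyword)]


def state_counts(records: List[FlowRecord], proto: int) -> Counter:
    """Tally the State column for one protocol, e.g. the NDN/NDR codes
    that the ICMPv6 (58) rows carry."""
    return Counter(r.state for r in records if r.proto == proto)


if __name__ == "__main__":
    recs = parse_ra(SAMPLE)
    for kw in ("ip", "ipv4", "ipv6", "ipv6-icmp"):
        print(f"{kw:10s} {len(select(recs, kw))} records")
    print("ICMPv6 states:", dict(state_counts(recs, ICMPV6)))
```

Parsing from the right-hand columns is what keeps the empty Flgs column from
shifting every field by one; the same trick applies to any ra column set whose
trailing fields are fixed-width numbers followed by State.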