GRE packets appear to be invisible to Argus 3

Carter Bullard carter at qosient.com
Thu Dec 27 10:32:31 EST 2007


Hey Kevin,
argus-3.0 parses the GRE header as an encapsulation header,
like ethernet or mpls or say, vlan tags, and attempts to report on
the flows that are in the GRE tunnel.  It may be that your GRE tunnel
is supporting packets that give argus trouble?  Or it's possible that
the packet snap length of the packets argus gets are too short for
argus to decode the next protocol header, making it difficult for it to
form the next protocol flow key.  If this is correct, then we've
definitely got a bug that needs to be fixed pronto.

Your email may have a typo, where you're reading the argus-2 output
with an argus-3 client and not seeing GRE flows.  This is a different
type of bug.  I'm sure you have tested:

    ~/argus-clients-3.0.0/bin/ra -r pptp.arg3

and gotten the same results?

Does this have any effect?

    ~/argus-clients/3.0.0/bin/ra -r pptp.arg3 - encaps gre

Flows that are in the gre tunnel should have a "G" in the "flags" field.
The argus_gre.h file in argus-3.0 is actually embedded in ./argus/ArgusModeler.h.

I can debug argus-3.0 if you can share your collection of packets.

Carter


On Dec 26, 2007, at 10:01 PM, Kevin & Leah Branch wrote:

> Hi,
>
> I've used argus 2.0.6 for years and it has been of huge value to me
> for network diagnostics and network-level forensics.  I
> recently upgraded one of my sites to use argus 3.0.0 and
> argus-clients-3.0.0.rc.65.  I am quite impressed with the new
> features, especially those in racluster.
>
> I am having an issue with the new version, though.  My argus version  
> 3 does not appear to be creating any records to account for GRE  
> traffic.  As I understand, PPTP VPN tunnel traffic runs primarily  
> across GRE (IP protocol 47) with a control channel on tcp/1723.   
> While PPTP sessions are operating across my network edge, argus 3  
> creates records for the tcp/1723 traffic but none for the GRE traffic.
>
> I even captured a bit of traffic between the Internet and my local  
> PPTP server, saving it as a tcpdump capture file pptp.cap.  When I  
> used argus 2 on that data:
> ~/argus-2.0.6/bin/argus -r pptp.cap -w pptp.arg2
> I find both the tcp/1723 and GRE parts of the PPTP session accounted  
> for by ra:
> ~/argus-clients-2.0.6/bin/ra -r pptp.arg2
>
> 20 Dec 07 23:23:53           tcp vpn-client.57156  ->  pptp-server.1723  10       10        1124         964         FIN
> 20 Dec 07 23:23:53           gre vpn-client       <->  pptp-server       13       10        1032         794         CON
>
> However, when I use argus 3,
> ~/argus-3.0.0/bin/argus -r pptp.cap -w pptp.arg3
> I see no accounting for the GRE traffic
> ~/argus-clients-3.0.0/bin/ra -r pptp.arg2
>
> 23:23:53.443783  e         tcp       vpn-client.57156     ->      pptp-server.1723         20       2112   FIN
>
> It appears that GRE traffic is effectively invisible to version  
> 3.0.0 of argus while argus 2.0.6 handles it fine.
> I've observed this issue on both CentOS 4 and CentOS 5 platforms.   
> On both platforms, I do a generic compile of the argus-3.0.0 and  
> argus-clients-3.0.0.rc.65 source tarballs.
>
> About the only distinctive thing about my setup is that I compile  
> both versions of argus against my mmap-enabled libpcap-0.9x.20070323  
> for higher-performance packet captures.  Since my tcpdump is  
> compiled against the same special libpcap and has no problem  
> capturing GRE packets, and argus 2.0.6 compiled the same way also  
> has no trouble, I presume the special libpcap is not likely the  
> source of the problem.
>
> I'm no programmer, but I do notice that the file
> ./include/argus_gre.h
> in the argus-3.0.0 tarball does not appear to be referenced by any  
> other file in the package.  Is there possibly an #include  
> <argus_gre.h> missing somewhere in one of the C source or header  
> files?  I poked around a bit but I really don't see how all the  
> files hang together.  It's been too long since I took that C course  
> in college...
>
> Carter or anyone who's more of a coder than I am, what's your take  
> on this???  I'd sure like to get my argus accounting for all my  
> traffic again.
>
> Thanks in advance for looking into this,
> Kevin
>
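Carter's snap-length hypothesis, as an added illustration that is not part of this thread and not Argus code: a small GRE header decoder that reports when a capture stops before the inner protocol header a flow sensor needs to key the tunnelled flow. It handles plain RFC 2784/2890 GRE and the PPTP enhanced-GRE layout (RFC 2637, PPP inside, extra Ack word); the function names and the sample packet are constructed for this example.

```c
/* gre_peek.c: decode a GRE header the way a flow sensor must before it can
 * key the inner flow, honouring the capture snap length. Hypothetical example
 * for this thread, not Argus code; covers RFC 2784/2890 GRE and the PPTP
 * "enhanced GRE" of RFC 2637 that carries PPP and adds an Ack field. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRE_F_CSUM    0x8000u
#define GRE_F_ROUTE   0x4000u
#define GRE_F_KEY     0x2000u
#define GRE_F_SEQ     0x1000u
#define GRE_F_ACK     0x0080u   /* PPTP only (RFC 2637, GRE version 1) */
#define GRE_PROTO_PPP 0x880Bu

/* Returns the offset of the inner protocol's first byte, or -1 if caplen ends
 * inside the GRE header (the "snaplen too short" case). *proto_out receives
 * the GRE Protocol Type field whenever the 4-byte base header is readable. */
long gre_inner_offset(const uint8_t *buf, size_t caplen, uint16_t *proto_out)
{
    if (caplen < 4) return -1;                       /* base header cut off */
    unsigned flags = (unsigned)buf[0] << 8 | buf[1];
    uint16_t proto = (uint16_t)((unsigned)buf[2] << 8 | buf[3]);
    if (proto_out) *proto_out = proto;
    size_t len = 4;
    if (flags & (GRE_F_CSUM | GRE_F_ROUTE)) len += 4; /* checksum + offset */
    if (flags & GRE_F_KEY) len += 4;
    if (flags & GRE_F_SEQ) len += 4;
    if ((flags & GRE_F_ACK) && proto == GRE_PROTO_PPP) len += 4; /* PPTP ack */
    return caplen < len ? -1 : (long)len;            /* optional words cut off */
}

/* Constructed PPTP data packet: K, S, A set, version 1, PPP/IPv4 inside. */
static const uint8_t pptp_gre_sample[] = {
    0x30, 0x81, 0x88, 0x0B,   /* flags/version, protocol type = PPP */
    0x00, 0x0A, 0x00, 0x01,   /* key: payload length 10, call ID 1 */
    0x00, 0x00, 0x00, 0x07,   /* sequence number */
    0x00, 0x00, 0x00, 0x06,   /* acknowledgment number */
    0xFF, 0x03, 0x00, 0x21,   /* PPP address/control, protocol = IPv4 */
    0x45, 0x00, 0x00, 0x1C, 0x00, 0x00   /* start of the inner IPv4 header */
};

int main(void)
{
    uint16_t proto = 0;
    size_t snaplens[] = { sizeof pptp_gre_sample, 12 }; /* full vs. truncated */
    for (size_t i = 0; i < 2; i++) {
        long off = gre_inner_offset(pptp_gre_sample, snaplens[i], &proto);
        if (off < 0) printf("caplen %zu: GRE header truncated, no inner flow key\n", snaplens[i]);
        else printf("caplen %zu: proto 0x%04X, inner header at offset %ld\n", snaplens[i], proto, off);
    }
    return 0;
}
```

With the full 26-byte capture the inner PPP header is found at offset 16; with a 12-byte snap length the Seq/Ack words are missing, which is exactly the situation in which a sensor cannot build the next-protocol flow key.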
