rc39 unlikelhy output for ESP flows

Christoph Badura bad at bsd.de
Wed Feb 28 14:43:29 EST 2007 

On Tue, Feb 27, 2007 at 11:42:22PM -0500, Carter Bullard wrote:
> The INT will be there if there is no return traffic.  I agree it
> should probably be a CON, but the dir will be "->" because
> the flow is not always  bi-directional.  You have a few ESP
> flows that are bi-directional.  That just means that the SPI
> was the same for both directions of the ESP flow.

I looked more carefully at that trace.

Well, except for a hand full of ISAKMP "private use"  UDP packets and
two ESP packets with entirely different SPIs all the other packets use
the same 2 SPIs, one for each direction.  I.e. this is really just one
flow.  There aren't any extended periods with no return traffic, either.
I think the flows marked INT are not correctly attributed.

I'll send you the packet traces ASAP.

> A '*' in a field means that the number/string is bigger than the
> width used to print the value.  For ESP traffic, the dport is
> the ESP SPI, which is a 32-bit random number.  The dport
> is printed as a decimal number so you'll have to translate to
> get the hex value.

Ah right. I remember you explaining this before.

--chris

> Christoph Badura wrote:
> >typical records from "ra -n -s +sloss +dloss -r trace.argus" are:
> >
> >  16:50:22.072174       F     esp      217.115.67.22          <->      
> >  194.127.190.2.20119*     1758       32       216196        25600   CON   
> >  31748770 0
> >  16:50:22.053544       F     esp      194.127.190.2           ->      
> >  217.115.67.22.40081*     5653        0      4297406            0   INT   
> >  12723374 0
> >
> >No, this wasn't initial, there were thousands of packets before that, no
> >IKE SA renegotiations and, of course, the SPI's didn't change.  I think
> >those should all be listed as "CON" and "<->".
> >
> >  16:50:24.295125             udp      217.115.67.22.500      <->      
> >  194.127.190.2.500           1        1          110          110   CON   
> >  0 0
> >  16:50:27.468929       F     esp      217.115.67.22          <->      
> >  194.127.190.2.20119*     1223       20       158834        16000   CON   
> >  23920001 0
> >  16:50:27.601715       F     esp      194.127.190.2           ->      
> >  217.115.67.22.40081*     4770        0      3756048            0   INT   
> >  5410065 0
> >  16:50:29.338213             udp      217.115.67.22.500      <->      
> >  194.127.190.2.500           1        1          110          110   CON   
> >  0 0

More information about the argus mailing list