argus icmp flow bug?
CS Lee
geek00l at gmail.com
Sat May 5 04:06:06 EDT 2007
Carter,
It seems that I have this odd argus data when converted from pcap; here's my pcap data -
sudo tcpdump -ttttnnr ~/i-Pcaps/ICMP-Research/icmpshell.pcap
reading from file /home/geek00l/i-Pcaps/ICMP-Research/icmpshell.pcap, link-type EN10MB (Ethernet)
2006-09-01 01:36:27.511558 arp who-has 192.168.0.119 tell 192.168.0.250
2006-09-01 01:36:27.511600 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
2006-09-01 01:36:27.511776 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
2006-09-01 01:36:27.514256 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 256, length 90
2006-09-01 01:36:32.497343 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
2006-09-01 01:36:32.499682 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 512, length 90
2006-09-01 01:36:34.829683 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 37
2006-09-01 01:36:39.166263 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 37
2006-09-01 01:36:41.219730 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 43
2006-09-01 01:36:41.222004 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 768, length 41
2006-09-01 01:36:59.823108 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 52
2006-09-01 01:36:59.824779 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1024, length 547
2006-09-01 01:36:59.824803 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1280, length 547
2006-09-01 01:36:59.824825 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1536, length 547
2006-09-01 01:36:59.824844 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1792, length 420
2006-09-01 01:37:04.820877 arp who-has 192.168.0.119 tell 192.168.0.250
2006-09-01 01:37:04.820910 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
After converting to an argus file and reading it with ra -
/usr/local/stow/argusc-3rc43/bin/ra -nn -r ~/i-Pcaps/ICMP-Research/icmpshell.arg
01:36:27.511558 e 2054 192.168.0.250 who 192.168.0.119 2 2 120 84 CON
01:36:27.511776 e 1 250.0.168.192 -> 119.0.168.192 6 0 451 0 ECR
01:36:27.514256 e 1 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR
01:36:32.499682 e 1 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR
01:36:41.222004 e 1 119.0.168.192 -> 250.0.168.192 1 0 75 0 ECR
01:36:59.824779 e 1 119.0.168.192 -> 250.0.168.192 1 0 581 0 ECR
01:36:59.824803 e 1 119.0.168.192 -> 250.0.168.192 1 0 581 0 ECR
01:36:59.824825 e 1 119.0.168.192 -> 250.0.168.192 1 0 581 0 ECR
01:36:59.824844 e 1 119.0.168.192 -> 250.0.168.192 1 0 454 0 ECR
21:15:13.099275 man 0 0 37 1 17 10 37 1493508 STP
The IP becomes backward (192.168.0.250 becomes 250.0.168.192). Let me know if you need the pcap; I have tested with a few pcaps with ICMP data and it seems to have the same result.
--
Best Regards,
CS Lee<geekooL[at]gmail.com>
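A sanity check a defender can run on the two listings above, as an added example that is not part of the original post or of argus: it flags every address in the ra records that is absent from the capture but matches a capture host once its octets are reversed, which is exactly the symptom reported here. The two listings below are constructed excerpts of the tcpdump and ra output from the report; the function names are this example's own.

```python
# Added example (not argus code): detect IPv4 addresses in flow records that
# appear octet-reversed relative to the hosts seen in the packet capture, the
# classic signature of a byte-order (htonl/ntohl) mistake in an exporter.
import re
from ipaddress import IPv4Address

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed excerpts of the tcpdump and ra listings from the report.
TCPDUMP_LINES = [
    "2006-09-01 01:36:27.511776 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39",
    "2006-09-01 01:36:27.514256 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 256, length 90",
]
RA_LINES = [
    "01:36:27.511558 e 2054 192.168.0.250 who 192.168.0.119 2 2 120 84 CON",
    "01:36:27.511776 e 1 250.0.168.192 -> 119.0.168.192 6 0 451 0 ECR",
    "01:36:27.514256 e 1 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR",
]


def reversed_octets(addr: str) -> str:
    """192.168.0.250 -> 250.0.168.192, the byte-swapped rendering."""
    return ".".join(reversed(addr.split(".")))


def hosts_in(lines):
    """Every syntactically valid IPv4 address mentioned in a listing."""
    found = set()
    for line in lines:
        for candidate in IPV4.findall(line):
            try:
                IPv4Address(candidate)
                found.add(candidate)
            except ValueError:
                pass  # e.g. 999.1.1.1 is not an address
    return found


def find_swapped(tcpdump_lines, ra_lines):
    """Return (record, bad_addr, expected_addr) for each flow address that is
    not a capture host but becomes one when its octets are reversed.
    Addresses that are their own reverse (e.g. 10.0.0.10) cannot be caught."""
    capture_hosts = hosts_in(tcpdump_lines)
    findings = []
    for record in ra_lines:
        for addr in IPV4.findall(record):
            if addr in capture_hosts:
                continue  # ARP records keep the correct byte order
            swapped = reversed_octets(addr)
            if swapped in capture_hosts:
                findings.append((record, addr, swapped))
    return findings
```

On the excerpts above the ARP record passes while both ICMP (proto 1) records are flagged on both endpoints.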