argus icmp flow bug?

carter at qosient.com carter at qosient.com
Sat May 5 08:37:57 EDT 2007 

It is always best when a packet file is provided that replicates a bug!!!!
Please send it.

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "CS Lee" <geek00l at gmail.com>
Date: Sat, 5 May 2007 16:06:06 
To:Argus <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] argus icmp flow bug?

Carter,

It seems that I have this odd argus data when converted from pcap, here's my pcap data -

sudo tcpdump -ttttnnr ~/i-Pcaps/ICMP-Research/icmpshell.pcap
reading from file /home/geek00l/i-Pcaps/ICMP-Research/icmpshell.pcap, link-type EN10MB (Ethernet) 
2006-09-01 01:36:27.511558 arp who-has 192.168.0.119: <http://192.168.0.119>  tell 192.168.0.250: <http://192.168.0.250> 
2006-09-01 01:36:27.511600 arp reply 192.168.0.119
: <http://192.168.0.119>  is-at 00:0a:e4:35:ea:8e
2006-09-01 01:36:27.511776 IP 192.168.0.250: <http://192.168.0.250>  > 192.168.0.119: <http://192.168.0.119> : ICMP echo reply, id 60165, seq 0, length 39
2006-09-01 01:36: 27.514256 IP 192.168.0.119: <http://192.168.0.119>  > 192.168.0.250: <http://192.168.0.250> : ICMP echo reply, id 60165, seq 256, length 90
2006-09-01 01:36:32.497343 IP 
192.168.0.250: <http://192.168.0.250>  > 192.168.0.119: <http://192.168.0.119> : ICMP echo reply, id 60165, seq 0, length 39
2006-09-01 01:36:32.499682 IP 192.168.0.119: <http://192.168.0.119>  > 
192.168.0.250: <http://192.168.0.250> : ICMP echo reply, id 60165, seq 512, length 90
2006-09-01 01:36:34.829683 IP 192.168.0.250: <http://192.168.0.250>  > 192.168.0.119: <http://192.168.0.119> : ICMP echo reply, id 60165, seq 0, length 37 
2006-09-01 01:36:39.166263 IP 192.168.0.250: <http://192.168.0.250>  > 192.168.0.119: <http://192.168.0.119> : ICMP echo reply, id 60165, seq 0, length 37
2006-09-01 01:36:41.219730 IP 
192.168.0.250: <http://192.168.0.250>  > 192.168.0.119: <http://192.168.0.119> : ICMP echo reply, id 60165, seq 0, length 43
2006-09-01 01:36:41.222004 IP 192.168.0.119: <http://192.168.0.119>  > 
192.168.0.250: <http://192.168.0.250> : ICMP echo reply, id 60165, seq 768, length 41
2006-09-01 01:36:59.823108 IP 192.168.0.250: <http://192.168.0.250>  > 192.168.0.119: <http://192.168.0.119> : ICMP echo reply, id 60165, seq 0, length 52 
2006-09-01 01:36:59.824779 IP 192.168.0.119: <http://192.168.0.119>  > 192.168.0.250: <http://192.168.0.250> : ICMP echo reply, id 60165, seq 1024, length 547
2006-09-01 01:36:59.824803 IP 
192.168.0.119: <http://192.168.0.119>  > 192.168.0.250: <http://192.168.0.250> : ICMP echo reply, id 60165, seq 1280, length 547
2006-09-01 01:36:59.824825 IP 192.168.0.119: <http://192.168.0.119>  > 
192.168.0.250: <http://192.168.0.250> : ICMP echo reply, id 60165, seq 1536, length 547
2006-09-01 01:36:59.824844 IP 192.168.0.119: <http://192.168.0.119>  > 192.168.0.250: <http://192.168.0.250> : ICMP echo reply, id 60165, seq 1792, length 420 
2006-09-01 01:37:04.820877 arp who-has 192.168.0.119: <http://192.168.0.119>  tell 192.168.0.250: <http://192.168.0.250> 
2006-09-01 01:37:04.820910 arp reply 192.168.0.119
: <http://192.168.0.119>  is-at 00:0a:e4:35:ea:8e

After convert to argus file and read with ra -

/usr/local/stow/argusc-3rc43/bin/ra -nn -r ~/i-Pcaps/ICMP-Research/icmpshell.arg
   01:36:27.511558  e         2054      
192.168.0.250: <http://192.168.0.250>           who      192.168.0.119: <http://192.168.0.119>                2        2          120           84   CON
   01:36:27.511776  e            1      250.0.168.192
: <http://250.0.168.192>            ->      119.0.168.192: <http://119.0.168.192>                6        0          451            0   ECR
   01:36:27.514256  e            1      119.0.168.192: <http://119.0.168.192>            ->      250.0.168.192: <http://250.0.168.192>                1        0          124            0   ECR
   01:36:32.499682  e            1      119.0.168.192: <http://119.0.168.192>            ->      250.0.168.192: <http://250.0.168.192>                1        0          124            0   ECR
   01:36:41.222004  e            1      119.0.168.192: <http://119.0.168.192>            ->      
250.0.168.192: <http://250.0.168.192>                1        0           75            0   ECR
   01:36:59.824779  e            1      119.0.168.192: <http://119.0.168.192>            ->      250.0.168.192
: <http://250.0.168.192>                1        0          581            0   ECR
   01:36:59.824803  e            1      119.0.168.192: <http://119.0.168.192>            ->      250.0.168.192: <http://250.0.168.192>                1        0          581            0   ECR
   01:36:59.824825  e            1      119.0.168.192: <http://119.0.168.192>            ->      250.0.168.192: <http://250.0.168.192>                1        0          581            0   ECR 
   01:36:59.824844  e            1      119.0.168.192: <http://119.0.168.192>            ->      250.0.168.192: <http://250.0.168.192>                1        0          454            0   ECR
    21:15:13.099275             man                  0      0                       37      1       17       10           37      1493508   STP

The IP becomes backward(192.168.0.250: <http://192.168.0.250> becomes 250.0.168.192: <http://250.0.168.192> ). Let me know if you need the pcap, I have tested with few pcap with icmp data and it seems to have the same result.

-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>

More information about the argus mailing list