argus icmp flow bug?
Carter Bullard
carter at qosient.com
Sat May 5 12:25:42 EDT 2007
Hey CS Lee,
Looking at your packet dump, argus is doing exactly what it's supposed
to do. The ICMP id value in the packets is not 60165, they are mostly
different and the ICMP echo responses have sequence numbers that
don't match up. Here is what my tcpdump sez about your ICMP packets:
reading from file icmpshell.pcap, link-type EN10MB (Ethernet)
13:36:27.511558 arp who-has 192.168.0.119 tell 192.168.0.250
13:36:27.511600 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
13:36:27.511776 IP 192.168.0.250 > 192.168.0.119: icmp 39: echo reply seq 0
13:36:27.514256 IP 192.168.0.119 > 192.168.0.250: icmp 90: echo reply seq 256
13:36:32.497343 IP 192.168.0.250 > 192.168.0.119: icmp 39: echo reply seq 0
13:36:32.499682 IP 192.168.0.119 > 192.168.0.250: icmp 90: echo reply seq 512
13:36:34.829683 IP 192.168.0.250 > 192.168.0.119: icmp 37: echo reply seq 0
13:36:39.166263 IP 192.168.0.250 > 192.168.0.119: icmp 37: echo reply seq 0
13:36:41.219730 IP 192.168.0.250 > 192.168.0.119: icmp 43: echo reply seq 0
13:36:41.222004 IP 192.168.0.119 > 192.168.0.250: icmp 41: echo reply seq 768
13:36:59.823108 IP 192.168.0.250 > 192.168.0.119: icmp 52: echo reply seq 0
13:36:59.824779 IP 192.168.0.119 > 192.168.0.250: icmp 547: echo reply seq 1024
13:36:59.824803 IP 192.168.0.119 > 192.168.0.250: icmp 547: echo reply seq 1280
13:36:59.824825 IP 192.168.0.119 > 192.168.0.250: icmp 547: echo reply seq 1536
13:36:59.824844 IP 192.168.0.119 > 192.168.0.250: icmp 420: echo reply seq 1792
13:37:04.820877 arp who-has 192.168.0.119 tell 192.168.0.250
13:37:04.820910 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
Argus matches the bi-directional ping packets that have the same id and
sequence number. You don't have any that actually match, well you have
two sets that do match, and argus does hit them correctly, and these
are all reply packets.
Argus looks good in this case.
Carter
CS Lee wrote:
> Carter,
>
> It seems that I have this odd argus data when converted from pcap,
> here's my pcap data -
>
> sudo tcpdump -ttttnnr ~/i-Pcaps/ICMP-Research/icmpshell.pcap
> reading from file /home/geek00l/i-Pcaps/ICMP-Research/icmpshell.pcap, link-type EN10MB (Ethernet)
> 2006-09-01 01:36:27.511558 arp who-has 192.168.0.119 tell 192.168.0.250
> 2006-09-01 01:36:27.511600 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
> 2006-09-01 01:36:27.511776 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
> 2006-09-01 01:36:27.514256 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 256, length 90
> 2006-09-01 01:36:32.497343 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
> 2006-09-01 01:36:32.499682 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 512, length 90
> 2006-09-01 01:36:34.829683 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 37
> 2006-09-01 01:36:39.166263 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 37
> 2006-09-01 01:36:41.219730 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 43
> 2006-09-01 01:36:41.222004 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 768, length 41
> 2006-09-01 01:36:59.823108 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 52
> 2006-09-01 01:36:59.824779 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1024, length 547
> 2006-09-01 01:36:59.824803 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1280, length 547
> 2006-09-01 01:36:59.824825 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1536, length 547
> 2006-09-01 01:36:59.824844 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1792, length 420
> 2006-09-01 01:37:04.820877 arp who-has 192.168.0.119 tell 192.168.0.250
> 2006-09-01 01:37:04.820910 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
>
> After converting to an argus file and reading with ra -
>
> /usr/local/stow/argusc-3rc43/bin/ra -nn -r ~/i-Pcaps/ICMP-Research/icmpshell.arg
> 01:36:27.511558  e  2054  192.168.0.250  who  192.168.0.119  2  2  120  84  CON
> 01:36:27.511776  e     1  250.0.168.192   ->  119.0.168.192  6  0  451   0  ECR
> 01:36:27.514256  e     1  119.0.168.192   ->  250.0.168.192  1  0  124   0  ECR
> 01:36:32.499682  e     1  119.0.168.192   ->  250.0.168.192  1  0  124   0  ECR
> 01:36:41.222004  e     1  119.0.168.192   ->  250.0.168.192  1  0   75   0  ECR
> 01:36:59.824779  e     1  119.0.168.192   ->  250.0.168.192  1  0  581   0  ECR
> 01:36:59.824803  e     1  119.0.168.192   ->  250.0.168.192  1  0  581   0  ECR
> 01:36:59.824825  e     1  119.0.168.192   ->  250.0.168.192  1  0  581   0  ECR
> 01:36:59.824844  e     1  119.0.168.192   ->  250.0.168.192  1  0  454   0  ECR
> 21:15:13.099275  man  0  0  37  1  17  10  37  1493508  STP
>
> The IP becomes backward (192.168.0.250 becomes 250.0.168.192). Let me
> know if you need the pcap; I have tested with a few pcaps with icmp
> data and it seems to have the same result.
>
> --
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
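
The matching rule described in the reply above, pairing echo packets in opposite directions that share an id and sequence number, sketched as an added Python example (not Argus code and not part of the original thread). The packets are constructed, the ids 0x1234 and 0x4321 are made up, and the function names are hypothetical; echo replies that pair with no request, like the reply-only traffic in the dump, are returned separately so they can be reviewed.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type values (RFC 792)

def icmp_echo(icmp_type, ident, seq, payload=b""):
    """Build a constructed ICMP echo message; the checksum is left at 0."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def parse_echo(raw):
    """Return (type, id, seq) decoded from network byte order, or None."""
    if len(raw) < 8:
        return None
    icmp_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return (icmp_type, ident, seq) if icmp_type in (ECHO_REQUEST, ECHO_REPLY) else None

def pair_echoes(packets):
    """Pair each echo reply with an outstanding request that has the same
    endpoints (reversed), id and seq. Returns (matched, unsolicited)."""
    pending = {}                      # (requester, responder, id, seq) -> count
    matched, unsolicited = [], []
    for src, dst, raw in packets:
        parsed = parse_echo(raw)
        if parsed is None:
            continue
        icmp_type, ident, seq = parsed
        if icmp_type == ECHO_REQUEST:
            key = (src, dst, ident, seq)
            pending[key] = pending.get(key, 0) + 1
            continue
        key = (dst, src, ident, seq)  # a reply travels responder -> requester
        if pending.get(key, 0) > 0:
            pending[key] -= 1
            matched.append(key)
        else:
            unsolicited.append((src, dst, ident, seq))
    return matched, unsolicited

# Constructed sample: addresses from the thread, ids and payloads made up.
A, B = "192.168.0.250", "192.168.0.119"
SAMPLE = [
    (A, B, icmp_echo(ECHO_REQUEST, 0x1234, 1, b"ping")),
    (B, A, icmp_echo(ECHO_REPLY, 0x1234, 1, b"ping")),      # pairs with the request
    (A, B, icmp_echo(ECHO_REPLY, 0x4321, 0, b"x" * 31)),    # reply with no request
    (B, A, icmp_echo(ECHO_REPLY, 0x4321, 256, b"y" * 82)),  # reply with no request
    (B, A, icmp_echo(ECHO_REPLY, 0x1234, 2)),               # right id, wrong seq
]

if __name__ == "__main__":
    print(pair_echoes(SAMPLE))
```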