Pcap to Argus Data Oddness
Peter Van Epp
vanepp at sfu.ca
Fri May 11 13:03:59 EDT 2007
On Fri, May 11, 2007 at 09:01:34AM +0800, CS Lee wrote:
> Hey Peter,
>
> Greetings. I have sent this pcap file to Carter but it doesn't show a problem
> for him when he generates argus data from the attached pcap. However, when I
> tried with OpenBSD, FreeBSD and Gentoo boxes to convert the pcap to argus
> data, the saddr and daddr become odd. Here's the data shown in tcpdump and
> argus in comparison -
>
> sudo tcpdump -ttttnnr icmpshell.pcap
> reading from file icmpshell.pcap, link-type EN10MB (Ethernet)
> 2006-09-01 01:36:27.511558 arp who-has 192.168.0.119 tell 192.168.0.250
> 2006-09-01 01:36:27.511600 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
> 2006-09-01 01:36:27.511776 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
> 2006-09-01 01:36:27.514256 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 256, length 90
> 2006-09-01 01:36:32.497343 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
> 2006-09-01 01:36:32.499682 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 512, length 90
> 2006-09-01 01:36:34.829683 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 37
> 2006-09-01 01:36:39.166263 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 37
> 2006-09-01 01:36:41.219730 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 43
> 2006-09-01 01:36:41.222004 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 768, length 41
> 2006-09-01 01:36:59.823108 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 52
> 2006-09-01 01:36:59.824779 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1024, length 547
> 2006-09-01 01:36:59.824803 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1280, length 547
> 2006-09-01 01:36:59.824825 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1536, length 547
> 2006-09-01 01:36:59.824844 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1792, length 420
> 2006-09-01 01:37:04.820877 arp who-has 192.168.0.119 tell 192.168.0.250
> 2006-09-01 01:37:04.820910 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
>
> After converting it into argus data, it looks like this -
>
> ra -nnr icmpshell.arg
> 01:36:27.511558 e 2054 192.168.0.250 who 192.168.0.119 2 2 120 84 CON
> 01:36:27.511776 e 1 250.0.168.192 -> 119.0.168.192 6 0 451 0 ECR
> 01:36:27.514256 e 1 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR
> 01:36:32.499682 e 1 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR
> 01:36:41.222004 e 1 119.0.168.192 -> 250.0.168.192 1 0 75 0 ECR
> 01:36:59.824779 e 1 119.0.168.192 -> 250.0.168.192 1 0 581 0 ECR
> 01:36:59.824803 e 1 119.0.168.192 -> 250.0.168.192 1 0 581 0 ECR
> 01:36:59.824825 e 1 119.0.168.192 -> 250.0.168.192 1 0 581 0 ECR
> 01:36:59.824844 e 1 119.0.168.192 -> 250.0.168.192 1 0 454 0 ECR
> 21:15:13.099275 man 0 0 37 1 17 10 37 1493508 STP
>
> The address 192.168.0.250 becomes 250.0.168.192 and 192.168.0.119 becomes
> 119.0.168.192. Since I read that you are running argus on various platforms,
> I think it would be good to verify with you; I just want to confirm whether
> this odd behavior only happens to me. I hereby attach the pcap and argus
> data.
>
> Thanks.
>
> --
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
You are correct, clients.rc.44 has an endian problem:
FreeBSD 6.2 on Intel:
2.0.6:
%argus_bpf -r icmpshell.pcap -w icmpshell.argus2
%ra -r icmpshell.argus2
11 May 07 15:30:38 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
31 Aug 06 10:36:32 icmp 192.168.0.119 -> 192.168.0.250 1 0 124 0 ECR
31 Aug 06 10:36:27 icmp 192.168.0.119 -> 192.168.0.250 1 0 124 0 ECR
3.0 clients.rc.44 on FreeBSD (wrong; note the arp is correct, just icmp isn't
correctly converted from network byte order):
%ra3 -r icmpshell.argus3 -n
10:36:27.511776 e icmp 250.0.168.192 -> 119.0.168.192 2 0 146 0 ECR
10:36:27.511558 e arp 192.168.0.250 who 192.168.0.119 1 1 60 42 CON
10:36:27.514256 e icmp 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR
10:36:32.499682 e icmp 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR
clients.rc.44 on Mac OS 10 on PowerPC:
test4:~ vanepp$ ra3 -r icmpshell.argus3 -n
10:36:27.511776 icmp 192.168.0.250 -> 192.168.0.119 2 0 146 0 ECO
10:36:27.511558 arp 192.168.0.250 who 192.168.0.119 1 1 60 42 CON
10:36:27.514256 icmp 192.168.0.119 -> 192.168.0.250 1 0 124 0 ECO
10:36:32.499682 icmp 192.168.0.119 -> 192.168.0.250 1 0 124 0 ECO
It appears the endian macros aren't being invoked correctly on
the Intel boxes for at least icmp.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
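The symptom in this thread (ICMP addresses printed octet-reversed on Intel, correct on PowerPC, ARP unaffected) is what a missing ntohl() looks like. The following is an added C example, not argus code and not based on argus internals: it renders one constructed source-address field (SAMPLE_SADDR, the wire bytes for 192.168.0.250) three ways, once byte-wise, once after ntohl(), and once with the conversion left out, and includes a small is_octet_reversed() check that flags the reversal when comparing two dotted quads from tool output. All function names are my own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed sample: the source-address field of an IPv4 header exactly as it
 * sits on the wire (network byte order), for 192.168.0.250. */
static const unsigned char SAMPLE_SADDR[4] = { 192, 168, 0, 250 };

/* Render a 4-octet field by indexing its bytes. Wire order is byte order, so
 * this gives the same answer on big- and little-endian hosts. */
void format_ipv4_bytes(const unsigned char *p, char *out, size_t outlen)
{
    snprintf(out, outlen, "%u.%u.%u.%u",
             (unsigned)p[0], (unsigned)p[1], (unsigned)p[2], (unsigned)p[3]);
}

/* Render a host-order 32-bit address by shifting out octets, most significant
 * first. Only correct if the caller has already applied ntohl(). */
void format_ipv4_hostorder(uint32_t host_addr, char *out, size_t outlen)
{
    snprintf(out, outlen, "%u.%u.%u.%u",
             (unsigned)((host_addr >> 24) & 0xff), (unsigned)((host_addr >> 16) & 0xff),
             (unsigned)((host_addr >> 8) & 0xff), (unsigned)(host_addr & 0xff));
}

/* Hypothetical reproduction of the defect: load the field as a native integer
 * and shift it as if it were host order, with no ntohl(). On x86 (little-endian)
 * the octets come out reversed, 250.0.168.192; on PowerPC (big-endian) the
 * missing conversion is a no-op and the output looks right. */
void format_ipv4_missing_ntohl(const unsigned char *p, char *out, size_t outlen)
{
    uint32_t raw;
    memcpy(&raw, p, sizeof raw);          /* raw still holds network byte order */
    format_ipv4_hostorder(raw, out, outlen);
}

/* The corrected version: convert before shifting. */
void format_ipv4_with_ntohl(const unsigned char *p, char *out, size_t outlen)
{
    uint32_t raw;
    memcpy(&raw, p, sizeof raw);
    format_ipv4_hostorder(ntohl(raw), out, outlen);
}

/* 1 on a little-endian host (Intel), 0 on big-endian (PowerPC). */
int host_is_little_endian(void)
{
    uint32_t one = 1;
    unsigned char first;
    memcpy(&first, &one, 1);
    return first == 1;
}

/* Check for the symptom in tool output: 1 if b is a's dotted quad with the
 * octets in exactly reversed order, e.g. "192.168.0.250" vs "250.0.168.192". */
int is_octet_reversed(const char *a, const char *b)
{
    unsigned x[4], y[4];
    if (sscanf(a, "%u.%u.%u.%u", &x[0], &x[1], &x[2], &x[3]) != 4) return 0;
    if (sscanf(b, "%u.%u.%u.%u", &y[0], &y[1], &y[2], &y[3]) != 4) return 0;
    return x[0] == y[3] && x[1] == y[2] && x[2] == y[1] && x[3] == y[0];
}

/* 1 if the byte-wise and ntohl() renderings of the sample both give the
 * expected quad. */
int sample_renders_correctly(void)
{
    char a[16], b[16];
    format_ipv4_bytes(SAMPLE_SADDR, a, sizeof a);
    format_ipv4_with_ntohl(SAMPLE_SADDR, b, sizeof b);
    return strcmp(a, "192.168.0.250") == 0 && strcmp(b, "192.168.0.250") == 0;
}

/* 1 if the ntohl-less rendering shows the reversal on this host. */
int sample_missing_ntohl_is_reversed(void)
{
    char good[16], bad[16];
    format_ipv4_bytes(SAMPLE_SADDR, good, sizeof good);
    format_ipv4_missing_ntohl(SAMPLE_SADDR, bad, sizeof bad);
    return is_octet_reversed(good, bad);
}

int main(void)
{
    char good[16], bad[16];
    format_ipv4_bytes(SAMPLE_SADDR, good, sizeof good);
    format_ipv4_missing_ntohl(SAMPLE_SADDR, bad, sizeof bad);
    printf("host: %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("byte-wise:       %s\n", good);
    printf("missing ntohl:   %s\n", bad);
    printf("octets reversed: %s\n", sample_missing_ntohl_is_reversed() ? "yes" : "no");
    return 0;
}
```

Run on an Intel box the "missing ntohl" line prints 250.0.168.192 and on a PowerPC box it prints 192.168.0.250, which matches the FreeBSD versus Mac OS X results above and is why the bug only shows on one side. The byte-wise formatter is the robust choice for wire fields; the is_octet_reversed() check is the quick way to confirm that a suspicious saddr/daddr pair in ra output is a byte-order artifact rather than real traffic.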