Pcap to Argus Data Oddness
Carter Bullard
carter at qosient.com
Fri May 11 14:02:39 EDT 2007
Can you send me the argus output files, so I can debug?
Carter
On May 11, 2007, at 1:03 PM, Peter Van Epp wrote:
> On Fri, May 11, 2007 at 09:01:34AM +0800, CS Lee wrote:
>> Hey Peter,
>>
>> Greetings. I have sent this pcap file to Carter but it doesn't show the problem
>> to him when he generates argus data from the pcap attached. However, when I
>> tried with openbsd, freebsd and a gentoo box to convert the pcap to argus
>> data, the saddr and daddr become odd. Here's the data shown in tcpdump and
>> argus in comparison -
>>
>> sudo tcpdump -ttttnnr icmpshell.pcap
>> reading from file icmpshell.pcap, link-type EN10MB (Ethernet)
>> 2006-09-01 01:36:27.511558 arp who-has 192.168.0.119 tell 192.168.0.250
>> 2006-09-01 01:36:27.511600 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
>> 2006-09-01 01:36:27.511776 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
>> 2006-09-01 01:36:27.514256 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 256, length 90
>> 2006-09-01 01:36:32.497343 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
>> 2006-09-01 01:36:32.499682 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 512, length 90
>> 2006-09-01 01:36:34.829683 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 37
>> 2006-09-01 01:36:39.166263 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 37
>> 2006-09-01 01:36:41.219730 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 43
>> 2006-09-01 01:36:41.222004 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 768, length 41
>> 2006-09-01 01:36:59.823108 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 52
>> 2006-09-01 01:36:59.824779 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1024, length 547
>> 2006-09-01 01:36:59.824803 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1280, length 547
>> 2006-09-01 01:36:59.824825 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1536, length 547
>> 2006-09-01 01:36:59.824844 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1792, length 420
>> 2006-09-01 01:37:04.820877 arp who-has 192.168.0.119 tell 192.168.0.250
>> 2006-09-01 01:37:04.820910 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
>>
>> After converting it into argus data, it looks like this -
>>
>> ra -nnr icmpshell.arg
>> 01:36:27.511558 e 2054 192.168.0.250 who 192.168.0.119 2 2 120 84 CON
>> 01:36:27.511776 e 1 250.0.168.192 -> 119.0.168.192 6 0 451 0 ECR
>> 01:36:27.514256 e 1 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR
>> 01:36:32.499682 e 1 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR
>> 01:36:41.222004 e 1 119.0.168.192 -> 250.0.168.192 1 0 75 0 ECR
>> 01:36:59.824779 e 1 119.0.168.192 -> 250.0.168.192 1 0 581 0 ECR
>> 01:36:59.824803 e 1 119.0.168.192 -> 250.0.168.192 1 0 581 0 ECR
>> 01:36:59.824825 e 1 119.0.168.192 -> 250.0.168.192 1 0 581 0 ECR
>> 01:36:59.824844 e 1 119.0.168.192 -> 250.0.168.192 1 0 454 0 ECR
>> 21:15:13.099275 man 0 0 37 1 17 10 37 1493508 STP
>>
>> The address 192.168.0.250 becomes 250.0.168.192 and 192.168.0.119 becomes
>> 119.0.168.192. Since I read that you are running argus on various platforms,
>> I think it would be good to verify with you; I just want to confirm whether
>> this odd behavior only happens to me. Hereby I attach the pcap and argus data.
>>
>> Thanks.
>>
>> --
>> Best Regards,
>>
>> CS Lee<geekooL[at]gmail.com>
>
> You are correct, clients.rc.44 has an endian problem:
>
> FreeBSD 6.2 on Intel:
>
> 2.0.6:
>
> %argus_bpf -r icmpshell.pcap -w icmpshell.argus2
> %ra -r icmpshell.argus2
> 11 May 07 15:30:38 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
> 31 Aug 06 10:36:32 icmp 192.168.0.119 -> 192.168.0.250 1 0 124 0 ECR
> 31 Aug 06 10:36:27 icmp 192.168.0.119 -> 192.168.0.250 1 0 124 0 ECR
>
> 3.0 clients.rc.44 on FreeBSD (wrong; note the arp is correct, just icmp isn't
> correctly converted from network byte order):
>
> %ra3 -r icmpshell.argus3 -n
> 10:36:27.511776 e icmp 250.0.168.192 -> 119.0.168.192 2 0 146 0 ECR
> 10:36:27.511558 e arp 192.168.0.250 who 192.168.0.119 1 1 60 42 CON
> 10:36:27.514256 e icmp 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR
> 10:36:32.499682 e icmp 119.0.168.192 -> 250.0.168.192 1 0 124 0 ECR
>
> clients.rc.44 on Mac OS 10 on PowerPC:
>
> test4:~ vanepp$ ra3 -r icmpshell.argus3 -n
> 10:36:27.511776 icmp 192.168.0.250 -> 192.168.0.119 2 0 146 0 ECO
> 10:36:27.511558 arp 192.168.0.250 who 192.168.0.119 1 1 60 42 CON
> 10:36:27.514256 icmp 192.168.0.119 -> 192.168.0.250 1 0 124 0 ECO
> 10:36:32.499682 icmp 192.168.0.119 -> 192.168.0.250 1 0 124 0 ECO
>
> It appears that the endian macros aren't being invoked correctly on
> the Intel boxes for at least icmp.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
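The octet reversal Peter diagnoses above (correct on PowerPC, reversed on Intel) is the classic signature of a network-byte-order word being read as if it were already in host order. The following is an added illustration, not argus code and not from either poster; it assumes the bug has that shape (a missing ntohl() before the octets are extracted by shifting) and uses constructed addresses from the thread. It also includes a small check that confirms the symptom by comparing a tcpdump address against the one a record printed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* 1 on little-endian hosts (Intel), 0 on big-endian ones (PowerPC). */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    return *(const unsigned char *)&probe == 1;
}

/* Correct: walk the network-order word byte by byte in memory order.
 * Gives the same answer on every host. */
void fmt_netorder(uint32_t net_addr, char *out, size_t n) {
    const unsigned char *b = (const unsigned char *)&net_addr;
    snprintf(out, n, "%hhu.%hhu.%hhu.%hhu", b[0], b[1], b[2], b[3]);
}

/* Assumed bug shape: print the network-order word as if it were host order.
 * On Intel the octets come out reversed (250.0.168.192); on PowerPC host and
 * network order coincide, so the same code prints 192.168.0.250. */
void fmt_missing_ntohl(uint32_t net_addr, char *out, size_t n) {
    snprintf(out, n, "%u.%u.%u.%u", (net_addr >> 24) & 0xffu,
             (net_addr >> 16) & 0xffu, (net_addr >> 8) & 0xffu, net_addr & 0xffu);
}

/* Fixed: apply the ntohl() the buggy path forgot, then shift. */
void fmt_with_ntohl(uint32_t net_addr, char *out, size_t n) {
    fmt_missing_ntohl(ntohl(net_addr), out, n);
}

/* Symptom check: is the address a record printed exactly the octet-reversal
 * of what tcpdump printed for the same packet? Returns 0 on unparsable input. */
int is_octet_reversed(const char *expected, const char *observed) {
    struct in_addr e, o;
    if (inet_pton(AF_INET, expected, &e) != 1 ||
        inet_pton(AF_INET, observed, &o) != 1)
        return 0;
    const unsigned char *eb = (const unsigned char *)&e.s_addr;
    unsigned char rev[4] = { eb[3], eb[2], eb[1], eb[0] };
    return memcmp(rev, &o.s_addr, 4) == 0;
}

int main(void) {
    char buf[INET_ADDRSTRLEN];
    uint32_t addr = htonl(0xC0A800FAu);  /* 192.168.0.250, constructed sample */
    fmt_netorder(addr, buf, sizeof buf);      printf("memory order : %s\n", buf);
    fmt_missing_ntohl(addr, buf, sizeof buf); printf("missing ntohl: %s\n", buf);
    fmt_with_ntohl(addr, buf, sizeof buf);    printf("with ntohl   : %s\n", buf);
    return 0;
}
```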