Pcap to Argus Data Oddness

Carter Bullard carter at qosient.com
Fri May 11 16:16:45 EDT 2007


Gentle people,
I found the problem, and it's in argus, so it's very good we found this before
release.  I have new code already on the server that corrects this issue.
I'm not changing the version numbers, as we're trying to get all the supporting
files, like the rpm spec, etc, so please pick up the new code by getting whatever
argus and argus-clients is in the dev directory.

    ftp://qosient.com/dev/argus-3.0

Thanks for being diligent!!!!!!!!!!

Carter


On May 11, 2007, at 2:08 PM, CS Lee wrote:

> Carter,
>
> Here's the pcap and the argus file that was generated from it. Thanks.
>
> ---------- Forwarded message ----------
> From: CS Lee <geek00l at gmail.com>
> Date: May 11, 2007 9:01 AM
> Subject: Pcap to Argus Data Oddness
> To: vanepp at sfu.ca
>
> Hey Peter,
>
> Greetings. I have sent this pcap file to Carter but it doesn't show the
> problem for him when he generates argus data from the attached pcap.
> However, when I tried with OpenBSD, FreeBSD and Gentoo boxes to
> convert the pcap to argus data, the saddr and daddr become odd.
> Here's the data shown in tcpdump and argus in comparison -
>
> sudo tcpdump -ttttnnr icmpshell.pcap
> reading from file icmpshell.pcap, link-type EN10MB (Ethernet)
> 2006-09-01 01:36:27.511558 arp who-has 192.168.0.119 tell 192.168.0.250
> 2006-09-01 01:36:27.511600 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
> 2006-09-01 01:36:27.511776 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
> 2006-09-01 01:36:27.514256 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 256, length 90
> 2006-09-01 01:36:32.497343 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
> 2006-09-01 01:36:32.499682 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 512, length 90
> 2006-09-01 01:36:34.829683 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 37
> 2006-09-01 01:36:39.166263 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 37
> 2006-09-01 01:36:41.219730 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 43
> 2006-09-01 01:36:41.222004 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 768, length 41
> 2006-09-01 01:36:59.823108 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 52
> 2006-09-01 01:36:59.824779 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1024, length 547
> 2006-09-01 01:36:59.824803 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1280, length 547
> 2006-09-01 01:36:59.824825 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1536, length 547
> 2006-09-01 01:36:59.824844 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 1792, length 420
> 2006-09-01 01:37:04.820877 arp who-has 192.168.0.119 tell 192.168.0.250
> 2006-09-01 01:37:04.820910 arp reply 192.168.0.119 is-at 00:0a:e4:35:ea:8e
>
> After converting it into argus data, it looks like this -
>
> ra -nnr icmpshell.arg
>    01:36:27.511558  e         2054      192.168.0.250    who     192.168.0.119        2        2        120       84   CON
>    01:36:27.511776  e            1      250.0.168.192     ->     119.0.168.192        6        0        451        0   ECR
>    01:36:27.514256  e            1      119.0.168.192     ->     250.0.168.192        1        0        124        0   ECR
>    01:36:32.499682  e            1      119.0.168.192     ->     250.0.168.192        1        0        124        0   ECR
>    01:36:41.222004  e            1      119.0.168.192     ->     250.0.168.192        1        0         75        0   ECR
>    01:36:59.824779  e            1      119.0.168.192     ->     250.0.168.192        1        0        581        0   ECR
>    01:36:59.824803  e            1      119.0.168.192     ->     250.0.168.192        1        0        581        0   ECR
>    01:36:59.824825  e            1      119.0.168.192     ->     250.0.168.192        1        0        581        0   ECR
>    01:36:59.824844  e            1      119.0.168.192     ->     250.0.168.192        1        0        454        0   ECR
>    21:15:13.099275             man                  0                         0       37        1         17       10        37  1493508   STP
>
> The address 192.168.0.250 becomes 250.0.168.192 and 192.168.0.119
> becomes 119.0.168.192. Since I read that you are running argus on
> various platforms, I think it would be good to verify with you; I just
> want to confirm whether this odd behavior only happens to me. Hereby I
> attach the pcap and argus data.
>
> Thanks.
>
>
>
> -- 
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> <icmpshell.arg>
> <icmpshell.pcap>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
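As an added example, not taken from this thread or from the argus code base: a small Python check that compares the IPv4 addresses tcpdump reports with the ones `ra` prints for the same capture and flags any argus address that is the octet-reversed form of a tcpdump address, which is exactly the symptom in the report above (192.168.0.250 showing up as 250.0.168.192). The sample lines are constructed from the listings in the thread, and all function and variable names are my own.

```python
# Added example (not part of the argus mailing-list thread or the argus
# code base): cross-check the IPv4 addresses that `ra` prints against the
# ones tcpdump shows for the same capture, and flag any argus address that
# is the octet-reversed form of a tcpdump address.
import ipaddress
import re

# Constructed sample input: a few lines lifted from the tcpdump and ra
# listings in the thread, just enough to exercise the check.
TCPDUMP_LINES = """\
2006-09-01 01:36:27.511776 IP 192.168.0.250 > 192.168.0.119: ICMP echo reply, id 60165, seq 0, length 39
2006-09-01 01:36:27.514256 IP 192.168.0.119 > 192.168.0.250: ICMP echo reply, id 60165, seq 256, length 90
"""

RA_LINES = """\
   01:36:27.511558  e         2054      192.168.0.250   who      192.168.0.119      2   2   120   84   CON
   01:36:27.511776  e            1      250.0.168.192   ->       119.0.168.192      6   0   451    0   ECR
   01:36:27.514256  e            1      119.0.168.192   ->       250.0.168.192      1   0   124    0   ECR
"""

# Dotted-quad candidates; validity (octets <= 255) is checked separately.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def addresses_in(text):
    """Return the set of syntactically valid IPv4 addresses in a text blob."""
    found = set()
    for m in IPV4_RE.finditer(text):
        try:
            found.add(str(ipaddress.IPv4Address(m.group(1))))
        except ipaddress.AddressValueError:
            pass  # e.g. "999.1.1.1" matches the regex but is not an address
    return found


def octet_reversed(addr):
    """192.168.0.250 -> 250.0.168.192: the byte-swapped form of an address."""
    return ".".join(reversed(addr.split(".")))


def find_swapped(tcpdump_text, ra_text):
    """Map each argus address that is absent from the tcpdump listing but whose
    octet reversal is present in it, to the tcpdump address it came from.
    An empty result means the two tools agree on every address."""
    truth = addresses_in(tcpdump_text)
    suspects = {}
    for addr in addresses_in(ra_text) - truth:
        rev = octet_reversed(addr)
        if rev in truth:
            suspects[addr] = rev
    return suspects


if __name__ == "__main__":
    for bad, good in sorted(find_swapped(TCPDUMP_LINES, RA_LINES).items()):
        print(f"argus shows {bad:>15}, tcpdump shows {good:>15}: octets reversed")
```

On a real capture you would feed it the full `tcpdump -nnr` and `ra -nnr` output for the same file (for example via `subprocess` or by reading two saved text files); because it only compares address sets, record order and wrapping do not matter. Note that addresses whose dotted form is a palindrome (such as 10.0.0.10) cannot be distinguished by this check and would pass silently.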

