stcpb and dtcpb
CS Lee
geek00l at gmail.com
Fri Nov 16 09:57:54 EST 2007
Hi Carter,
Thanks for the explanation.
I came across this packet dump that is available at the taosecurity site, and
there's one stcpb value which I found weird and need your verification. I
attach the argus file that I generated from the pcap; I'm using the latest
argus.
Here's the ra output -
ra -Z b -L0 -nnr ph.1.arg3 -s saddr sport daddr dport stcpb dtcpb sappbytes - src host 192.168.2.115 and dst port 2510

      SrcAddr  Sport         DstAddr  Dport    SrcTCPBase    DstTCPBase  SAppBytes
192.168.2.115.43598   192.168.2.101.2510    2102413641    3954869768          0
192.168.2.115.43598   192.168.2.101.2510    2102413641    3954869768         48
192.168.2.115.43598   192.168.2.101.2510    2102413641    3954869768         48
192.168.2.115.43598   192.168.2.101.2510  *2102413737*    3954869769          0
Notice the last record, with the stcpb value of 2102413737, which converts
to 0x7D5049A9. When I do this with tcpdump -
tcpdump -ttttnnr ph.1.lpc 'tcp[4:4]=0x7D5049A9'
reading from file ph.1.lpc, link-type EN10MB (Ethernet)
No output at all, while I can get the other stcpb and dtcpb values right
with a tcpdump BPF filter.
The pcap can be downloaded here -
http://www.taosecurity.com/ph.1.lpc
I also attach the argus file I generated, ph.1.arg3. I have also tried
argus 2 like Richard did, but I think argus 3 has more accurate flow
construction, except for this stcpb value, which I'm scratching my head to
figure out.
Thanks.
--
Best Regards,
CS Lee <geekooL[at]gmail.com>
http://geek00l.blogspot.com
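As an added example, not part of the message above and not argus or tcpdump code, the following Python script reproduces the check the poster describes against a constructed pcap: a handshake plus two 48-byte client segments built in memory with the addresses, ports and base sequence numbers quoted in the ra output (payload bytes, flags and timestamps are assumptions, and the real ph.1.lpc file may differ). It converts a decimal stcpb to the `tcp[4:4]=0x...` filter tcpdump expects, emulates that filter by comparing the raw 32-bit sequence field of every packet, and lists what each of the client's packets does to its sequence number. One arithmetic fact worth checking by hand: 2102413737 - 2102413641 = 96 = 48 + 48, the base plus the application bytes of the two data records, whereas a sender's first data byte sits at ISN + 1 because the SYN itself consumes one sequence number.

```python
import struct

# Constructed sample traffic (not the ph.1.lpc capture from the post): a TCP
# handshake plus two 48-byte client segments, written as an in-memory pcap.
# Addresses, ports and the two base sequence numbers are the values quoted in
# the ra output above; payload bytes, flags and timestamps are assumptions.
CLIENT, SERVER = "192.168.2.115", "192.168.2.101"
CPORT, SPORT = 43598, 2510
CLIENT_ISN, SERVER_ISN = 2102413641, 3954869768

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums left at zero (enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1195225074, i, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield (src, sport, dst, dport, seq, flags, app_len) for each TCP packet."""
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                      # not an IPv4/TCP frame
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl                      # start of the TCP header
        sport, dport, seq, _ack, doff_flags = struct.unpack("!HHIIH", frame[t:t + 14])
        tcp_hlen = (doff_flags >> 12) * 4
        yield (src, sport, dst, dport, seq, doff_flags & 0x1FF, ip_len - ihl - tcp_hlen)


def bpf_expr(value):
    """tcpdump filter for a raw sequence number: tcp[4:4] is the 32-bit seq field."""
    return "tcp[4:4]=0x%08X" % value


def bpf_seq_match(pcap, value):
    """Emulate 'tcp[4:4]=value': packets whose raw sequence field equals value."""
    return [p for p in parse_pcap(pcap) if p[4] == value]


def seq_ledger(pcap, src, sport):
    """(seq, app_len, next_seq) per packet of one sender; SYN and FIN each consume one number."""
    rows = []
    for s, sp, _d, _dp, seq, flags, app_len in parse_pcap(pcap):
        if (s, sp) == (src, sport):
            consumed = app_len + bool(flags & SYN) + bool(flags & FIN)
            rows.append((seq, app_len, (seq + consumed) & 0xFFFFFFFF))
    return rows


SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, CPORT, SERVER, SPORT, CLIENT_ISN, 0, SYN),
    build_frame(SERVER, SPORT, CLIENT, CPORT, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_frame(CLIENT, CPORT, SERVER, SPORT, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
    build_frame(CLIENT, CPORT, SERVER, SPORT, CLIENT_ISN + 1, SERVER_ISN + 1, PSH | ACK, b"A" * 48),
    build_frame(SERVER, SPORT, CLIENT, CPORT, SERVER_ISN + 1, CLIENT_ISN + 49, ACK),
    build_frame(CLIENT, CPORT, SERVER, SPORT, CLIENT_ISN + 49, SERVER_ISN + 1, PSH | ACK, b"B" * 48),
    build_frame(SERVER, SPORT, CLIENT, CPORT, SERVER_ISN + 1, CLIENT_ISN + 97, ACK),
])

if __name__ == "__main__":
    puzzling = 2102413737                 # the stcpb value from the last record
    print(bpf_expr(puzzling), "->", len(bpf_seq_match(SAMPLE_PCAP, puzzling)), "packets")
    print("offset from base:", puzzling - CLIENT_ISN)
    for row in seq_ledger(SAMPLE_PCAP, CLIENT, CPORT):
        print("seq=%d app=%d next=%d" % row)
```

To run the same check on a real capture, replace `SAMPLE_PCAP` with the bytes of the file (`open("ph.1.lpc", "rb").read()`); the parser only handles the little-endian, Ethernet-linktype pcap layout that `build_pcap` writes, so adjust it if tcpdump reports a different link type or magic.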