stcpb and dtcpb

CS Lee geek00l at gmail.com
Sat Nov 17 11:07:57 EST 2007


Hi Carter,

The value should be 2102413641, which is 0x7D504949. Just to let you know, I get
this result on FreeBSD 6.2 Stable, and when I try the same thing on Ubuntu
7.10, I get this -

ra -nnr ph.1.arg3 -s stcpb dtcpb sappbytes dappbytes - src 192.168.2.115 and
dst port 2510
  2102413641   3954869768            0            0
  2102413641   3954869768           96            0
  2102413641   3954869768            0            0

The flow reporting interval can affect the flow output, where we have seen
two 48 sappbytes records generated on the FreeBSD platform, but that doesn't matter as
the stcpb value should be the same.

The dtcpb value is correct on examination of this -

tcpdump -XXttttnnr ph.1.lpc 'tcp[4:4]=3954869768'
reading from file ph.1.lpc, link-type EN10MB (Ethernet)
2007-11-15 02:24:05.304364 IP 192.168.2.101.2510 > 192.168.2.115.43598: S
3954869768:3954869768(0) ack 2102413642 win 5792 <mss 1460,sackOK,timestamp
4752430 3037764,nop,wscale 2>
        0x0000:  0013 024c 302d 0013 024c 302d 0800 4500  ...L0-...L0-..E.
        0x0010:  003c 0000 4000 4006 b493 c0a8 0265 c0a8  .<..@.@......e..
        0x0020:  0273 09ce aa4e ebba 8608 7d50 494a a012  .s...N....}PIJ..
        0x0030:  16a0 dfc8 0000 0204 05b4 0402 080a 0048  ...............H
        0x0040:  842e 002e 5a44 0103 0302                 ....ZD....


And for the last entry in the output that I sent you previously -

192.168.2.115.43598 192.168.2.101.2510 2102413737 3954869769 0

I suspect it gets this value by adding the 96 bytes

2102413641+96=2102413737

When I try to check the dtcpb value, which is 3954869769, with tcpdump -

tcpdump -XXttttnnr ph.1.lpc 'tcp[4:4]=3954869769'
reading from file ph.1.lpc, link-type EN10MB (Ethernet)
2007-11-15 02:25:15.845325 IP 192.168.2.101.2510 > 192.168.2.115.43598: .
ack 2102413690 win 1448 <nop,nop,timestamp 4770065 3055661>
        0x0000:  0013 024c 302d 0013 024c 302d 0800 4500  ...L0-...L0-..E.
        0x0010:  0034 0227 4000 4006 b274 c0a8 0265 c0a8  .4.'@.@..t...e..
        0x0020:  0273 09ce aa4e ebba 8609 7d50 497a 8010  .s...N....}PIz..
        0x0030:  05a8 948b 0000 0101 080a 0048 c911 002e  ...........H....
        0x0040:  a02d                                     .-
2007-11-15 02:25:33.690325 IP 192.168.2.101.2510 > 192.168.2.115.43598: .
ack 49 win 1448 <nop,nop,timestamp 4774526 3060172>
        0x0000:  0013 024c 302d 0013 024c 302d 0800 4500  ...L0-...L0-..E.
        0x0010:  0034 0228 4000 4006 b273 c0a8 0265 c0a8  .4.(@.@..s...e..
        0x0020:  0273 09ce aa4e ebba 8609 7d50 49aa 8010  .s...N....}PI...
        0x0030:  05a8 714f 0000 0101 080a 0048 da7e 002e  ..qO.......H.~..
        0x0040:  b1cc                                     ..
2007-11-15 02:26:29.344608 IP 192.168.2.101.2510 > 192.168.2.115.43598: F
0:0(0) ack 50 win 1448 <nop,nop,timestamp 4788439 3076840>
        0x0000:  0013 024c 302d 0013 024c 302d 0800 4500  ...L0-...L0-..E.
        0x0010:  0034 0229 4000 4006 b272 c0a8 0265 c0a8  .4.)@.@..r...e..
        0x0020:  0273 09ce aa4e ebba 8609 7d50 49ab 8011  .s...N....}PI...
        0x0030:  05a8 f9d7 0000 0101 080a 0049 10d7 002e  ...........I....
        0x0040:  f2e8                                     ..

So the value is correct. I need to be conformed with the stcpb and dtcpb
flow metrics for the best use of it.

Thanks, Carter.



On 11/17/07, Carter Bullard <carter at qosient.com> wrote:
>
> So is the value 0x7D5049A8?
> Carter
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: "CS Lee" <geek00l at gmail.com>
>
> Date: Fri, 16 Nov 2007 14:57:54
> To:Argus <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] stcpb and dtcpb
>
>
> Hi Carter,
>
> Thanks for the explanation.
>
> I came across this packet dump that is available at the taosecurity site, and
> there's one stcpb value which I found weird and need your verification. Here
> I attach the argus file too that I have generated from the
> pcap, and I'm using the latest argus.
>
> Here's the ra output -
>
> ra -Z b -L0 -nnr ph.1.arg3 -s saddr sport daddr dport stcpb dtcpb
> sappbytes - src host 192.168.2.115 and dst port
> 2510
> SrcAddr Sport DstAddr Dport SrcTCPBase DstTCPBase SAppBytes
> 192.168.2.115.43598 192.168.2.101.2510 2102413641 3954869768 0
> 192.168.2.115.43598 192.168.2.101.2510 2102413641 3954869768 48
> 192.168.2.115.43598 192.168.2.101.2510 2102413641 3954869768 48
> 192.168.2.115.43598 192.168.2.101.2510 2102413737 3954869769 0
>
> If you notice the last record, its stcpb value of 2102413737
> converts to 0x7D5049A9. When I do this with tcpdump -
>
> tcpdump -ttttnnr ph.1.lpc 'tcp[4:4]=0x7D5049A9'
> reading from file ph.1.lpc, link-type EN10MB (Ethernet)
>
> No output at all, while I can get the value of other stcpb and dtcpb right
> with tcpdump bpf filter.
>
> The pcap can be downloaded here -
>
> http://www.taosecurity.com/ph.1.lpc
>
> And I attach the argus file I have generated, which is ph.1.arg3. I
> have also tried with argus 2 like Richard did, but I think argus 3 has more
> accurate flow construction except this stcpb value which I'm scratching my
> head to figure out.
>
> Thanks.
>
> --
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> http://geek00l.blogspot.com




-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>

http://geek00l.blogspot.com
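An added example (not part of the thread, and not Argus or tcpdump code) that reproduces the tcpdump check in Python: it rebuilds two frames from the hex dumps quoted above, decodes the TCP sequence and acknowledgement numbers, and applies the same comparison the BPF filter tcp[4:4]=value does. The next_base helper only encodes the base+96 hypothesis from the thread; it is an assumption, not documented Argus behaviour.

```python
import struct

# Frames transcribed from the tcpdump -XX hex dumps quoted above (hex columns only).
SYN_ACK_HEX = """
0013 024c 302d 0013 024c 302d 0800 4500
003c 0000 4000 4006 b493 c0a8 0265 c0a8
0273 09ce aa4e ebba 8608 7d50 494a a012
16a0 dfc8 0000 0204 05b4 0402 080a 0048
842e 002e 5a44 0103 0302
"""
ACK_HEX = """
0013 024c 302d 0013 024c 302d 0800 4500
0034 0227 4000 4006 b274 c0a8 0265 c0a8
0273 09ce aa4e ebba 8609 7d50 497a 8010
05a8 948b 0000 0101 080a 0048 c911 002e
a02d
"""

def frame_from_hexdump(text):
    """Rebuild the raw Ethernet frame from the hex columns of a tcpdump -XX dump."""
    return bytes.fromhex("".join(text.split()))

def tcp_fields(frame):
    """Return (src, sport, dst, dport, seq, ack, flags) for an Ethernet/IPv4/TCP frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, sport, dst, dport, seq, ack, tcp[13]

def matches_tcp_4_4(frame, value):
    """Python equivalent of the BPF filter 'tcp[4:4]=value': the 4 bytes at TCP
    offset 4 are the sequence number, so this matches segments whose seq == value."""
    return tcp_fields(frame)[4] == value

def next_base(base, app_bytes):
    """Assumption taken from the thread's hypothesis: the next record's base is the
    previous base plus the application bytes already reported, modulo 2^32."""
    return (base + app_bytes) & 0xFFFFFFFF

if __name__ == "__main__":
    for name, hexdump in (("SYN/ACK", SYN_ACK_HEX), ("ACK", ACK_HEX)):
        src, sport, dst, dport, seq, ack, flags = tcp_fields(frame_from_hexdump(hexdump))
        print(f"{name}: {src}:{sport} > {dst}:{dport} seq={seq} (0x{seq:08X}) ack={ack} (0x{ack:08X}) flags=0x{flags:02X}")
```

The SYN/ACK's seq is the dtcpb value 3954869768 and its ack is stcpb+1, which is what the ra output above reports for the first records.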

