Fwd: pppoe

CS Lee geek00l at gmail.com
Sat Aug 8 22:23:01 EDT 2009


hi Carter,

I think this is PPPoE-encapsulated traffic; what Jenkinson wants would be
something like what you have done for GRE, where the argus client is able to decode them
and look inside the IP endpoints plus the layer-above information. Apparently the argus
client just takes this traffic as a layer 2 matrix.

Cheers
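As an added illustration, not part of this thread or of argus itself, here is a small decoder for the PPPoE frames in the tcpdump output forwarded below. It shows what "looking inside" a PPPoE session frame involves: a 6-byte PPPoE header, a 2-byte PPP protocol field, and then the IP packet with its endpoints and UDP ports. The two sample frames are the first session frame and the first PADI frame from that capture (tcpdump -x output starts at the PPPoE header, so no Ethernet header is present).

```python
import socket
import struct

# First 48 bytes of the PPPoE session frame from the forwarded capture
# (209.165.189.18 -> 66.230.109.38, UDP). Enough to reach the UDP ports.
SESSION_FRAME = bytes.fromhex(
    "1100 45a8 006a 0021 4500 0068 4296 0000"
    "f311 462a d1a5 bd12 42e6 6d26 0aba c0bb"
    "0054 6092 b2e5 9363 0000 0386 117c dbdd"
)
# First 32 bytes of a PADI frame from the same capture (discovery stage).
PADI_FRAME = bytes.fromhex(
    "1109 0000 000c 0103 0004 1004 6100 0101"
    "0000 0000 0000 0000 0000 0000 0000 0000"
)

PPP_IPV4 = 0x0021          # PPP protocol number for IPv4
PPPOE_CODE_SESSION = 0x00  # PPPoE code for session-stage data
PPPOE_CODE_PADI = 0x09     # PPPoE code for PADI (discovery)

def decode_pppoe(frame):
    """Describe a PPPoE frame; for session frames carrying PPP/IPv4,
    also report the inner IP endpoints and (for UDP) the ports."""
    if len(frame) < 8:
        raise ValueError("frame too short for PPPoE + PPP headers")
    vt, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    info = {"version": vt >> 4, "type": vt & 0x0F, "code": code,
            "session_id": session_id, "payload_len": length}
    if code == PPPOE_CODE_PADI:
        info["stage"] = "discovery/PADI"
        return info
    if code != PPPOE_CODE_SESSION:
        info["stage"] = "discovery"      # PADO/PADR/PADS/PADT
        return info
    info["stage"] = "session"
    # Session payload is PPP: 2-byte protocol id, then the network packet.
    info["ppp_protocol"] = struct.unpack("!H", frame[6:8])[0]
    if info["ppp_protocol"] != PPP_IPV4 or len(frame) < 28:
        return info
    ip = frame[8:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    info["ip_proto"] = ip[9]
    info["src"] = socket.inet_ntoa(ip[12:16])
    info["dst"] = socket.inet_ntoa(ip[16:20])
    if info["ip_proto"] == 17 and len(ip) >= ihl + 4:   # UDP ports follow the IP header
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info
```

On the capture box the same question ("is there IP inside the PPPoE session frames?") can be asked directly with the pcap filter `pppoes and ip`, which tcpdump understands.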

---------- Forwarded message ----------
From: Jenkinson, John P (SAIC) <John.Jenkinson at bp.com>
Date: Sun, Aug 9, 2009 at 3:38 AM
Subject: RE: pppoe
To: CS Lee <geek00l at gmail.com>


 indeed
snort sees IP traffic as well
  11:25:37.627842 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.671919 PPPoE  [ses 0x45a8] IP 209.165.189.18.cpudpencap >
66.230.109.38.49339: UDP, length 76
    0x0000:  1100 45a8 006a 0021 4500 0068 4296 0000  ..E..j.!E..hB...
    0x0010:  f311 462a d1a5 bd12 42e6 6d26 0aba c0bb  ..F*....B.m&....
    0x0020:  0054 6092 b2e5 9363 0000 0386 117c dbdd  .T`....c.....|..
    0x0030:  3ff2 0eb5 3010 484d 6fdf 742b f855 54fb  ?...0.HMo.t+.UT.
    0x0040:  fa61 c28a 9e95 1491 47b7 07aa 436a 3a7b  .a......G...Cj:{
    0x0050:  15ff e1d0 3a53 8cd3 a3c4 7aab a390 334c  ....:S....z...3L
    0x0060:  2916 703d 43f6 025a b40b f4af 6fce 7b23  ).p=C..Z....o.{#
11:25:37.867119 PPPoE  [ses 0x45a8] IP 66.230.109.38.49339 >
209.165.189.18.cpudpencap: UDP, length 76
    0x0000:  1100 45a8 006a 0021 4500 0068 faff 0000  ..E..j.!E..h....
    0x0010:  fe11 82c0 42e6 6d26 d1a5 bd12 c0bb 0aba  ....B.m&........
    0x0020:  0054 d49e f785 2c4e 0000 03e1 1705 3dff  .T....,N......=.
    0x0030:  e97d 0407 99df 4ea7 a8e6 e600 5459 665b  .}....N.....TYf[
    0x0040:  dd44 017e 59fd 7f04 2ace 9575 3858 6102  .D.~Y...*..u8Xa.
    0x0050:  436b 5b12 a9e2 47b1 203c 97eb bbb8 667b  Ck[...G..<....f{
    0x0060:  270d 5a0d 7e85 9d84 1569 7117 b53f 2f56  '.Z.~....iq..?/V
11:25:37.879878 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.885767 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.889949 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.942936 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.942993 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.966815 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.231954 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.234886 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.248917 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.254834 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.255817 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.314921 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.317910 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.477834 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.671967 PPPoE  [ses 0x45a8] IP 209.165.189.18.cpudpencap >
66.230.109.38.49339: UDP, length 76
    0x0000:  1100 45a8 006a 0021 4500 0068 4297 0000  ..E..j.!E..hB...
    0x0010:  f311 4629 d1a5 bd12 42e6 6d26 0aba c0bb  ..F)....B.m&....
    0x0020:  0054 826a b2e5 9363 0000 0387 a390 334c  .T.j...c......3L
    0x0030:  2916 703d 5ae0 2267 b873 cce9 5e01 ccc2  ).p=Z."g.s..^...
    0x0040:  e740 cc8d 4b81 15c9 700f c279 784b b3c5  . at ..K...p..yxK..
    0x0050:  415a d19c 0195 1c68 d587 5152 14c4 c007  AZ.....h..QR....
    0x0060:  c1f3 863e 2235 41ef d184 1c7b 9693 b9ff  ...>"5A....{....
11:25:38.681840 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.867112 PPPoE  [ses 0x45a8] IP 66.230.109.38.49339 >
209.165.189.18.cpudpencap: UDP, length 76
    0x0000:  1100 45a8 006a 0021 4500 0068 fb00 0000  ..E..j.!E..h....
    0x0010:  fe11 82bf 42e6 6d26 d1a5 bd12 c0bb 0aba  ....B.m&........
    0x0020:  0054 4130 f785 2c4e 0000 03e2 bbb8 667b  .TA0..,N......f{
    0x0030:  270d 5a0d 2d8b b4ab 86bb cd63 ccde 4c11  '.Z.-......c..L.
    0x0040:  004b b0b5 9391 7951 59cd a3b7 c16f 42ab  .K....yQY....oB.
    0x0050:  426a 5b8c a80c a321 8e96 67b2 766b 3e68  Bj[....!..g.vk>h
    0x0060:  20a7 1dab c84b a9f2 d784 36f3 ce72 b84f  .....K....6..r.O
11:25:38.899871 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............



 ------------------------------
*From:* CS Lee [mailto:geek00l at gmail.com]
*Sent:* Saturday, August 08, 2009 11:02 AM

*To:* Jenkinson, John P (SAIC)
*Subject:* Re: pppoe

hi Jenkinson,

To verify that you are seeing IP traffic (which you should), kindly run tcpdump
and see if you see IP traffic.

On Sun, Aug 9, 2009 at 2:41 AM, Jenkinson, John P (SAIC) <
John.Jenkinson at bp.com> wrote:

> indeed
>
>
> -----Original Message-----
> From: CS Lee [mailto:geek00l at gmail.com]
>  Sent: Sat 8/8/2009 10:05 AM
> To: Jenkinson, John P (SAIC)
> Subject: Re: pppoe
>
> hi Jenkinson,
>
> Can you visualize your setup? When you say tap you mean inline tap?
>
> PPPOE modem ------------ Tap --------------- Network Switch
>
> Is your setup something like this? And you have argus box connected to the
> Tap and listen to the traffic?
>
>
> On Sun, Aug 9, 2009 at 1:37 AM, Jenkinson, John P (SAIC) <
> John.Jenkinson at bp.com> wrote:
>
>
> the network switch dials and does the pppoe authentication.
> argus and argus clients are the latest V3 betas as of yesterday
> from Carter's site.
> the tap feeds the output to a hub/switch and one output of that
> switch goes to the argus box.
> next step is to add another interface to the argus box, bond the two
> tap interfaces together and get the hub/switch
> out of the configuration.
>
> ________________________________
>
>                From: CS Lee [mailto:geek00l at gmail.com]
>
>        Sent: Saturday, August 08, 2009 9:29 AM
>
>        To: Jenkinson, John P (SAIC)
>
>        Subject: Re: pppoe
>
>
>        hi Jenkinson,
>
>        Do you use your linux box to dial the modem, or just have the tap in
> between modem and the dialer, and having the argus box connected to the tap?
>
>
>        On Sun, Aug 9, 2009 at 12:56 AM, Jenkinson, John P (SAIC) <
> John.Jenkinson at bp.com> wrote:
>
>
>                of course
>
>                command line
>                /usr/local/sbin/argus -d -i eth1  -m -w
> /home/netlogs/argus/argus.log &
>
>
>                the machine is fedora 11
>                eth1 is a readonly (ip 0.0.0.0) configured up connected to a
> finstar ethernet tap.
>                the tap is inline from the output of the DSL modem to the
> network switch feeding the rest of the machines at the location
>
>
> ________________________________
>
>                From: CS Lee [mailto:geek00l at gmail.com]
>                Sent: Saturday, August 08, 2009 8:20 AM
>                To: Jenkinson, John P (SAIC)
>                Cc: Argus
>                Subject: pppoe
>
>
>                hey John,
>
>                What's your argus command line? And which interface are you
> running it on?
>
>                --
>                Best Regards,
>
>                CS Lee<geek00L[at]gmail.com>
>
>                http://geek00l.blogspot.com
>                http://defcraft.net
>
>
>
>
>
>
>
>
>
>
>
>
>

