Fwd: pppoe
Carter Bullard
carter at qosient.com
Sun Aug 9 10:18:29 EDT 2009
Hmmm, PPPoE decoding has worked well in the past. We just
see it as an encapsulation. But the PPPoE decoder is returning
zero. I'll need a packet trace to see what is up.
Carter
On Aug 8, 2009, at 10:23 PM, CS Lee wrote:
> hi Carter,
>
> I think this is PPPoE encapsulated traffic; what Jenkinson wants
> would be something like what you have done for GRE, where the argus client
> is able to decode them and look inside at the IP endpoints and the layer-above
> information. Apparently the argus client just takes this traffic as a
> layer 2 matrix.
>
> Cheers
>
> ---------- Forwarded message ----------
> From: Jenkinson, John P (SAIC) <John.Jenkinson at bp.com>
> Date: Sun, Aug 9, 2009 at 3:38 AM
> Subject: RE: pppoe
> To: CS Lee <geek00l at gmail.com>
>
>
> indeed
> snort sees IP traffic as well
> 11:25:37.627842 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:37.671919 PPPoE [ses 0x45a8] IP 209.165.189.18.cpudpencap >
> 66.230.109.38.49339: UDP, length 76
> 0x0000: 1100 45a8 006a 0021 4500 0068 4296 0000 ..E..j.!E..hB...
> 0x0010: f311 462a d1a5 bd12 42e6 6d26 0aba c0bb ..F*....B.m&....
> 0x0020: 0054 6092 b2e5 9363 0000 0386 117c dbdd .T`....c.....|..
> 0x0030: 3ff2 0eb5 3010 484d 6fdf 742b f855 54fb ?...0.HMo.t+.UT.
> 0x0040: fa61 c28a 9e95 1491 47b7 07aa 436a 3a7b .a......G...Cj:{
> 0x0050: 15ff e1d0 3a53 8cd3 a3c4 7aab a390 334c ....:S....z...3L
> 0x0060: 2916 703d 43f6 025a b40b f4af 6fce 7b23 ).p=C..Z....o.{#
> 11:25:37.867119 PPPoE [ses 0x45a8] IP 66.230.109.38.49339 >
> 209.165.189.18.cpudpencap: UDP, length 76
> 0x0000: 1100 45a8 006a 0021 4500 0068 faff 0000 ..E..j.!E..h....
> 0x0010: fe11 82c0 42e6 6d26 d1a5 bd12 c0bb 0aba ....B.m&........
> 0x0020: 0054 d49e f785 2c4e 0000 03e1 1705 3dff .T....,N......=.
> 0x0030: e97d 0407 99df 4ea7 a8e6 e600 5459 665b .}....N.....TYf[
> 0x0040: dd44 017e 59fd 7f04 2ace 9575 3858 6102 .D.~Y...*..u8Xa.
> 0x0050: 436b 5b12 a9e2 47b1 203c 97eb bbb8 667b Ck[...G..<....f{
> 0x0060: 270d 5a0d 7e85 9d84 1569 7117 b53f 2f56 '.Z.~....iq..?/V
> 11:25:37.879878 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:37.885767 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:37.889949 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:37.942936 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:37.942993 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:37.966815 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:38.231954 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:38.234886 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:38.248917 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:38.254834 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:38.255817 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:38.314921 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:38.317910 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:38.477834 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:38.671967 PPPoE [ses 0x45a8] IP 209.165.189.18.cpudpencap >
> 66.230.109.38.49339: UDP, length 76
> 0x0000: 1100 45a8 006a 0021 4500 0068 4297 0000 ..E..j.!E..hB...
> 0x0010: f311 4629 d1a5 bd12 42e6 6d26 0aba c0bb ..F)....B.m&....
> 0x0020: 0054 826a b2e5 9363 0000 0387 a390 334c .T.j...c......3L
> 0x0030: 2916 703d 5ae0 2267 b873 cce9 5e01 ccc2 ).p=Z."g.s..^...
> 0x0040: e740 cc8d 4b81 15c9 700f c279 784b b3c5 .@..K...p..yxK..
> 0x0050: 415a d19c 0195 1c68 d587 5152 14c4 c007 AZ.....h..QR....
> 0x0060: c1f3 863e 2235 41ef d184 1c7b 9693 b9ff ...>"5A....{....
> 11:25:38.681840 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
> 11:25:38.867112 PPPoE [ses 0x45a8] IP 66.230.109.38.49339 >
> 209.165.189.18.cpudpencap: UDP, length 76
> 0x0000: 1100 45a8 006a 0021 4500 0068 fb00 0000 ..E..j.!E..h....
> 0x0010: fe11 82bf 42e6 6d26 d1a5 bd12 c0bb 0aba ....B.m&........
> 0x0020: 0054 4130 f785 2c4e 0000 03e2 bbb8 667b .TA0..,N......f{
> 0x0030: 270d 5a0d 2d8b b4ab 86bb cd63 ccde 4c11 '.Z.-......c..L.
> 0x0040: 004b b0b5 9391 7951 59cd a3b7 c16f 42ab .K....yQY....oB.
> 0x0050: 426a 5b8c a80c a321 8e96 67b2 766b 3e68 Bj[....!..g.vk>h
> 0x0060: 20a7 1dab c84b a9f2 d784 36f3 ce72 b84f .....K....6..r.O
> 11:25:38.899871 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
> 0x0000: 1109 0000 000c 0103 0004 1004 6100 0101 ............a...
> 0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
>
>
>
> From: CS Lee [mailto:geek00l at gmail.com]
> Sent: Saturday, August 08, 2009 11:02 AM
>
> To: Jenkinson, John P (SAIC)
> Subject: Re: pppoe
>
> hi Jenkinson,
>
> To verify that you are seeing IP traffic (which you should), kindly run
> tcpdump and see if you see IP traffic.
>
> On Sun, Aug 9, 2009 at 2:41 AM, Jenkinson, John P (SAIC) <John.Jenkinson at bp.com> wrote:
> indeed
>
>
> -----Original Message-----
> From: CS Lee [mailto:geek00l at gmail.com]
> Sent: Sat 8/8/2009 10:05 AM
> To: Jenkinson, John P (SAIC)
> Subject: Re: pppoe
>
> hi Jenkinson,
>
> Can you visualize your setup? When you say tap, do you mean an inline tap?
>
> PPPOE modem ------------ Tap --------------- Network Switch
>
> Is your setup something like this? And you have argus box connected
> to the Tap and listen to the traffic?
>
>
> On Sun, Aug 9, 2009 at 1:37 AM, Jenkinson, John P (SAIC) <John.Jenkinson at bp.com> wrote:
>
>
> the network switch dials and does the PPPoE authentication.
> argus and the argus clients are the latest V3 betas as of
> yesterday from Carter's site.
> the tap feeds the output to a hub/switch and one output of
> that switch goes to the argus box.
> next step is to add another interface to the argus box, bond
> the two tap interfaces together and get the hub/switch
> out of the configuration.
>
> ________________________________
>
> From: CS Lee [mailto:geek00l at gmail.com]
>
> Sent: Saturday, August 08, 2009 9:29 AM
>
> To: Jenkinson, John P (SAIC)
>
> Subject: Re: pppoe
>
>
> hi Jenkinson,
>
> Do you use your linux box to dial the modem, or just have the
> tap in between modem and the dialer, and having the argus box
> connected to the tap?
>
>
> On Sun, Aug 9, 2009 at 12:56 AM, Jenkinson, John P (SAIC) <John.Jenkinson at bp.com> wrote:
>
>
> of course
>
> command line
> /usr/local/sbin/argus -d -i eth1 -m -w /home/netlogs/argus/argus.log &
>
>
> the machine is fedora 11
> eth1 is a readonly (ip 0.0.0.0) configured up
> connected to a finstar ethernet tap.
> the tap is inline from the output of the DSL modem to
> the network switch feeding the rest of the machines at the location
>
>
> ________________________________
>
> From: CS Lee [mailto:geek00l at gmail.com]
> Sent: Saturday, August 08, 2009 8:20 AM
> To: Jenkinson, John P (SAIC)
> Cc: Argus
> Subject: pppoe
>
>
> hey John,
>
> What's your argus command line? And which interface
> are you running it on?
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
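Added example, not argus code and not something anyone in this thread posted: a small parser that walks the two kinds of frame in John's trace far enough to reach the IP/UDP endpoints, which is exactly the step a flow sensor must take to get past a "layer 2 matrix". The hex for the PADI and for the first session packet is copied from the tcpdump output above; tcpdump -x prints from the PPPoE header, so the Ethernet header (source/destination MAC and the 0x8863/0x8864 ethertype) is not in the trace and the all-zero MACs in the constructed full-frame input below are an assumption. Code and tag numbers are the RFC 2516 values; names like parse_pppoe, parse_frame and PPPoEInfo are this example's own.

```python
"""Decode PPPoE discovery and session frames down to the inner IP 5-tuple.

Added example (not argus code). Sample bytes are the PADI and the first
PPPoE session packet from the posted tcpdump -x output; the Ethernet
header used in parse_frame() is constructed here, not taken from the trace.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

ETH_P_PPPOE_DISC = 0x8863   # PPPoE Discovery stage ethertype (RFC 2516)
ETH_P_PPPOE_SESS = 0x8864   # PPPoE Session stage ethertype
PPP_IPV4 = 0x0021           # PPP protocol number carried after the PPPoE header

PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS",
               0xa7: "PADT", 0x00: "SESSION"}
PPPOE_TAGS = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
              0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}

# From the trace above (PPPoE header onwards). The PADI is padded to the
# 46-byte Ethernet minimum; only the first 12 bytes are PPPoE payload.
PADI_HEX = ("1109 0000 000c 0103 0004 1004 6100 0101 0000 0000 0000 0000 0000 0000 "
            "0000 0000 0000 0000 0000 0000 0000 0000 0000")
SESSION_HEX = ("1100 45a8 006a 0021 4500 0068 4296 0000 f311 462a d1a5 bd12 42e6 6d26 "
               "0aba c0bb 0054 6092 b2e5 9363 0000 0386 117c dbdd 3ff2 0eb5 3010 484d "
               "6fdf 742b f855 54fb fa61 c28a 9e95 1491 47b7 07aa 436a 3a7b 15ff e1d0 "
               "3a53 8cd3 a3c4 7aab a390 334c 2916 703d 43f6 025a b40b f4af 6fce 7b23")


@dataclass
class PPPoEInfo:
    code: str
    session_id: int
    tags: dict = field(default_factory=dict)
    ppp_proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    ip_proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    payload_len: Optional[int] = None


def parse_tags(body: bytes) -> dict:
    """Discovery-stage TLVs: 2-byte type, 2-byte length, value."""
    tags, off = {}, 0
    while off + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        if ttype == 0x0000:          # End-Of-List terminates the tag list
            break
        tags[PPPOE_TAGS.get(ttype, f"0x{ttype:04x}")] = body[off + 4:off + 4 + tlen]
        off += 4 + tlen
    return tags


def parse_ipv4(pkt: bytes, info: PPPoEInfo) -> None:
    """Fill in addresses, protocol, ports and L4 payload length from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    info.ip_proto = pkt[9]
    info.src = ".".join(str(b) for b in pkt[12:16])
    info.dst = ".".join(str(b) for b in pkt[16:20])
    l4 = pkt[ihl:total_len]
    if info.ip_proto in (6, 17) and len(l4) >= 8:
        info.sport, info.dport = struct.unpack("!HH", l4[:4])
        l4_hdr = 8 if info.ip_proto == 17 else (l4[12] >> 4) * 4
        info.payload_len = len(l4) - l4_hdr


def parse_pppoe(data: bytes) -> PPPoEInfo:
    """data starts at the PPPoE header, which is what tcpdump -x shows on a PPPoE link."""
    if len(data) < 6:
        raise ValueError("short PPPoE header")
    vt, code, sid, length = struct.unpack("!BBHH", data[:6])
    if vt != 0x11:                   # version 1, type 1 is the only defined value
        raise ValueError(f"unexpected PPPoE ver/type 0x{vt:02x}")
    body = data[6:6 + length]        # trust the PPPoE length, not the frame size (padding)
    if len(body) < length:
        raise ValueError("truncated PPPoE payload")
    info = PPPoEInfo(code=PPPOE_CODES.get(code, f"0x{code:02x}"), session_id=sid)
    if code != 0x00:                 # discovery stage: tags only, no PPP inside
        info.tags = parse_tags(body)
        return info
    info.ppp_proto = struct.unpack("!H", body[:2])[0]
    if info.ppp_proto == PPP_IPV4:
        parse_ipv4(body[2:], info)   # other PPP protocols (LCP, IPCP, IPv6) are left undecoded
    return info


def parse_frame(frame: bytes) -> PPPoEInfo:
    """Full Ethernet frame (e.g. from pcap): dispatch on ethertype, then cross-check the code."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETH_P_PPPOE_DISC, ETH_P_PPPOE_SESS):
        raise ValueError(f"not PPPoE: ethertype 0x{ethertype:04x}")
    info = parse_pppoe(frame[14:])
    if (ethertype == ETH_P_PPPOE_SESS) != (info.code == "SESSION"):
        raise ValueError("PPPoE ethertype and code disagree")
    return info


if __name__ == "__main__":
    for hexdata in (PADI_HEX, SESSION_HEX):
        print(parse_pppoe(bytes.fromhex(hexdata)))
```

Two details matter for a sensor that wants flow records rather than MAC pairs: the discovery frames carry no IP at all and are only useful as session bookkeeping (the PADI above repeats because no PADO ever answers it), and the session frames must be decoded by PPPoE length and then PPP protocol number, since the 0x8864 ethertype alone does not say whether IPv4, IPv6 or LCP follows.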