Some problems (bugs?) with argus

Martijn van Oosterhout kleptog at gmail.com
Tue Aug 11 09:43:36 EDT 2009 

Ok, so I tried the most recent ones on the website: argus-3.0.1.beta.6
and argus-clients-3.0.2.beta.11.

Firstly, I needed a patch to get argus to build (attached). I don't
have a pcap-int.h file and so I just used the function pcap_file()
instead. No idea when that function was introduced but my libpcap from
20060417 has it.

I think the problem is actually that the TCP state engine is getting
confused. I have here a test pcap where if I let argus go on it
directly, it breaks. Note how in particular none of the records ever
record seeing a "syn".

$ ./argus -w - -r /tmp/a | ./ra -r - -z -
29 Jul 09 20:53:56  e         tcp      192.168.0.2.49832     ->
192.168.0.1.http          2        120    SR
29 Jul 09 20:54:01  e *       tcp      192.168.0.1.http      ->
192.168.0.2.49832         2        134     S
29 Jul 09 20:54:10  e *       tcp      192.168.0.1.http      ->
192.168.0.2.49832         3        194    SR
29 Jul 09 20:54:17  e s       tcp      192.168.0.2.49832     ->
192.168.0.1.http          2        120    SR
29 Jul 09 20:54:37  e *       tcp      192.168.0.1.http      ->
192.168.0.2.49832         3        194     S
29 Jul 09 20:54:47  e         tcp      192.168.0.1.http      ->
192.168.0.2.49832         1         60    SR
29 Jul 09 20:55:25  e *       tcp      192.168.0.1.http      ->
192.168.0.2.49832         3        194     S
29 Jul 09 20:55:35  e         tcp      192.168.0.1.http      ->
192.168.0.2.49832         1         60    SR

But if I chop off the first two records everything works:

$ editcap /tmp/a /tmp/b 0-2
$ ./argus -w - -r /tmp/b | ./ra -r - -z -
29 Jul 09 20:54:01  e         tcp      192.168.0.2.49832     ->
192.168.0.1.http          2        134    sS
29 Jul 09 20:54:10  e *       tcp      192.168.0.2.49832     ->
192.168.0.1.http          3        194   sSR
29 Jul 09 20:54:17  e d       tcp      192.168.0.2.49832     ->
192.168.0.1.http          2        120   sSR
29 Jul 09 20:54:37  e *       tcp      192.168.0.2.49832     ->
192.168.0.1.http          3        194    sS
29 Jul 09 20:54:47  e         tcp      192.168.0.2.49832     ->
192.168.0.1.http          1         60   sSR
29 Jul 09 20:55:25  e *       tcp      192.168.0.2.49832     ->
192.168.0.1.http          3        194    sS
29 Jul 09 20:55:35  e         tcp      192.168.0.2.49832     ->
192.168.0.1.http          1         60   sSR

The PCAP looks like this:
$ /usr/sbin/tcpdump -r /tmp/a -n
reading from file /tmp/a, link-type EN10MB (Ethernet)
20:53:56.209625 IP 192.168.0.1.80 > 192.168.0.2.49832: S
326182856:326182856(0) ack 1116521024 win 5840 <mss 1380>
20:54:00.637091 IP 192.168.0.1.80 > 192.168.0.2.49832: R 1:1(0) ack 1 win 5840
20:54:01.287414 IP 192.168.0.2.49832 > 192.168.0.1.80: S
1116521023:1116521023(0) win 5840 <mss 1460,sackOK,timestamp 852520086
0,nop,wscale 5>
20:54:05.773788 IP 192.168.0.1.80 > 192.168.0.2.49832: S
2840674889:2840674889(0) ack 1116521024 win 5840 <mss 1380>
20:54:10.372840 IP 192.168.0.1.80 > 192.168.0.2.49832: R 1:1(0) ack 1 win 5840
20:54:13.286932 IP 192.168.0.2.49832 > 192.168.0.1.80: S
1116521023:1116521023(0) win 5840 <mss 1460,sackOK,timestamp 852523086
0,nop,wscale 5>
20:54:13.463754 IP 192.168.0.1.80 > 192.168.0.2.49832: S
125982693:125982693(0) ack 1116521024 win 5840 <mss 1380>
20:54:17.610450 IP 192.168.0.1.80 > 192.168.0.2.49832: S
125982693:125982693(0) ack 1116521024 win 5840 <mss 1380>
20:54:21.904907 IP 192.168.0.1.80 > 192.168.0.2.49832: R 1:1(0) ack 1 win 5840
20:54:37.285928 IP 192.168.0.2.49832 > 192.168.0.1.80: S
1116521023:1116521023(0) win 5840 <mss 1460,sackOK,timestamp 852529086
0,nop,wscale 5>
20:54:37.461891 IP 192.168.0.1.80 > 192.168.0.2.49832: S
2090967780:2090967780(0) ack 1116521024 win 5840 <mss 1380>
20:54:41.612744 IP 192.168.0.1.80 > 192.168.0.2.49832: S
2090967780:2090967780(0) ack 1116521024 win 5840 <mss 1380>
20:54:47.148272 IP 192.168.0.1.80 > 192.168.0.2.49832: R 1:1(0) ack 1 win 5840
20:55:25.283943 IP 192.168.0.2.49832 > 192.168.0.1.80: S
1116521023:1116521023(0) win 5840 <mss 1460,sackOK,timestamp 852541086
0,nop,wscale 5>
20:55:25.460327 IP 192.168.0.1.80 > 192.168.0.2.49832: S
2004528550:2004528550(0) ack 1116521024 win 5840 <mss 1380>
20:55:29.814466 IP 192.168.0.1.80 > 192.168.0.2.49832: S
2004528550:2004528550(0) ack 1116521024 win 5840 <mss 1380>
20:55:35.697115 IP 192.168.0.1.80 > 192.168.0.2.49832: R 1:1(0) ack 1 win 5840

Hope this helps,
-- 
Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus.patch
Type: application/octet-stream
Size: 2521 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090811/3f19a0a9/attachment.obj>

More information about the argus mailing list