Bug, TCP direction on unidirectional flows

Carter Bullard carter at qosient.com
Tue Jul 7 10:02:50 EDT 2009


Hey Nick,
Sorry to bug you again, but if you have that set of argus data, I'd  
love to check out the bug!?!?!

Carter

On Jun 19, 2009, at 1:50 PM, Nick Diel wrote:

> I noticed an interesting bug today with Argus.  With unidirectional  
> flows where only the server side is visible (syn-ack side), Argus  
> incorrectly swaps the src and dst addresses.
>
> Here is an example
>  tcpdump -r interesting.pcap -nn
> reading from file interesting.pcap, link-type EN10MB (Ethernet)
> 21:01:55.758204 IP X.X.X.X.25 > Y.Y.Y.Y.4442: S 3557037574:3557037574(0) ack 1284350011 win 0
> 21:01:55.786742 IP X.X.X.X.25 > Y.Y.Y.Y.4442: . ack 1 win 2920
> 21:01:55.793184 IP X.X.X.X.25 > Y.Y.Y.Y.4442: P 1:37(36) ack 1 win 2920
> ....
> 21:02:04.441692 IP X.X.X.X.25 > Y.Y.Y.Y.4442: F 537:537(0) ack 1257 win 49100
> 21:02:04.904895 IP X.X.X.X.25 > Y.Y.Y.Y.4442: . ack 1258 win 49100
> 21:05:05.260483 IP X.X.X.X.25 > Y.Y.Y.Y.1282: S 4103843404:4103843404(0) ack 1358349119 win 1460 <mss 1460,nop,nop,sackOK>
> 21:05:05.294729 IP X.X.X.X.25 > Y.Y.Y.Y.1282: P 1:37(36) ack 1 win 2920
> ...
> 21:05:08.777255 IP X.X.X.X.25 > Y.Y.Y.Y.1282: . ack 1075 win 49640
>
> argus -r interesting.pcap -w - | ra -r - -z
>    21:01:55.758204  e         tcp      X.X.X.X smtp      ->       Y.Y.Y.Y 4442         11       1166   SEf
>    21:05:05.260483  e         tcp      X.X.X.X smtp      ->       Y.Y.Y.Y 1282         10       1024   SEf
>
>
> ra -?
> Ra Version 3.0.2.beta.8
>
> argus -?
> Argus Version 3.0.1.beta.3
>
>
> Nick
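
Added example, not part of the original thread and not Argus code: a minimal sketch of how a flow monitor can assign direction when only one half of a TCP connection is captured. A segment with both SYN and ACK set is sent by the responder, so the initiator is that packet's destination. The packet tuples, the documentation-range addresses and the function names are constructed for illustration.

```python
from collections import OrderedDict

SYN, PSH, ACK = 0x02, 0x08, 0x10

# Constructed sample: (src, sport, dst, dport, tcp_flags). The first five packets
# are server-side only, shaped like the capture in the report above.
PACKETS = [
    ("192.0.2.10", 25, "198.51.100.7", 4442, SYN | ACK),
    ("192.0.2.10", 25, "198.51.100.7", 4442, ACK),
    ("192.0.2.10", 25, "198.51.100.7", 4442, PSH | ACK),
    ("192.0.2.10", 25, "198.51.100.7", 1282, SYN | ACK),
    ("192.0.2.10", 25, "198.51.100.7", 1282, PSH | ACK),
    ("198.51.100.7", 5000, "192.0.2.10", 25, SYN),  # client-side-only flow, for contrast
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection share one record."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def infer_flows(packets):
    """Return an ordered {key: record} map with initiator/responder per flow."""
    flows = OrderedDict()
    for src, sport, dst, dport, flags in packets:
        key = flow_key(src, sport, dst, dport)
        rec = flows.get(key)
        if rec is None:
            # Fallback guess: the first packet seen came from the initiator.
            rec = flows[key] = {"initiator": (src, sport), "responder": (dst, dport),
                                "pkts": 0, "basis": "first-packet"}
        if flags & SYN and rec["basis"] != "syn":
            if flags & ACK:
                # SYN+ACK is only ever sent by the responder, so flip the guess.
                rec.update(initiator=(dst, dport), responder=(src, sport),
                           basis="syn-ack")
            else:
                # A bare SYN is authoritative: its sender opened the connection.
                rec.update(initiator=(src, sport), responder=(dst, dport),
                           basis="syn")
        rec["pkts"] += 1
    return flows
```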



