Bug, TCP direction on unidirectional flows

Carter Bullard carter at qosient.com
Thu Jul 9 11:16:27 EDT 2009


Hey Nick,
I uploaded some new client code last night that has a fix for your reported bug.

The logic that chooses direction for asymmetric TCP flows was using application
byte counts to determine if this was a functioning TCP connection or a reverse
SYN scan, or something else.  Your data wasn't reporting appbytes, and so my
algorithm was not a good one.  I added a few more checks and now all is well.
The argus data is fine, just how the clients interpreted this case was broken.

Thanks!!!

Carter

On Jul 8, 2009, at 10:21 AM, Nick Diel wrote:

> Carter,
>
> My apologies, I completely forgot about this (haven't had much
> time with Argus lately).
>
> Here is the argus file.
>
> Nick
>
> On Tue, Jul 7, 2009 at 8:02 AM, Carter Bullard <carter at qosient.com>  
> wrote:
> Hey Nick,
> Sorry to bug you again, but if you have that set of argus data, I'd  
> love to check out the bug!?!?!
>
> Carter
>
> On Jun 19, 2009, at 1:50 PM, Nick Diel wrote:
>
>> I noticed an interesting bug today with Argus.  With unidirectional  
>> flows where only the server side is visible (syn-ack side), Argus  
>> incorrectly swaps the src and dst addresses.
>>
>> Here is an example
>>  tcpdump -r interesting.pcap -nn
>> reading from file interesting.pcap, link-type EN10MB (Ethernet)
>> 21:01:55.758204 IP X.X.X.X.25 > Y.Y.Y.Y.4442: S 3557037574:3557037574(0) ack 1284350011 win 0
>> 21:01:55.786742 IP X.X.X.X.25 > Y.Y.Y.Y.4442: . ack 1 win 2920
>> 21:01:55.793184 IP X.X.X.X.25 > Y.Y.Y.Y.4442: P 1:37(36) ack 1 win 2920
>> ....
>> 21:02:04.441692 IP X.X.X.X.25 > Y.Y.Y.Y.4442: F 537:537(0) ack 1257 win 49100
>> 21:02:04.904895 IP X.X.X.X.25 > Y.Y.Y.Y.4442: . ack 1258 win 49100
>> 21:05:05.260483 IP X.X.X.X.25 > Y.Y.Y.Y.1282: S 4103843404:4103843404(0) ack 1358349119 win 1460 <mss 1460,nop,nop,sackOK>
>> 21:05:05.294729 IP X.X.X.X.25 > Y.Y.Y.Y.1282: P 1:37(36) ack 1 win 2920
>> ...
>> 21:05:08.777255 IP X.X.X.X.25 > Y.Y.Y.Y.1282: . ack 1075 win 49640
>>
>> argus -r interesting.pcap -w - | ra -r - -z
>>    21:01:55.758204  e         tcp      X.X.X.X smtp      ->      Y.Y.Y.Y 4442         11       1166   SEf
>>    21:05:05.260483  e         tcp      X.X.X.X smtp      ->      Y.Y.Y.Y 1282         10       1024   SEf
>>
>>
>> ra -?
>> Ra Version 3.0.2.beta.8
>>
>> argus -?
>> Argus Version 3.0.1.beta.3
>>
>>
>> Nick
>
> <reverse.argus>

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
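The direction problem discussed in this thread, worked through as an added Python example. This is not argus or ra code and does not reproduce the fix Carter committed: the tcpdump-line parser, the one-sided flow summary, the appbytes-only rule and the extra flag/ack checks are this example's own constructions, and the sample lines are constructed in the style of the output Nick quoted, using documentation-range addresses rather than his data. Passing report_appbytes=False models a record in which appbytes were not reported, the condition the message identifies as the trigger.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed sample in the style of the tcpdump output quoted in the thread
# (documentation-range addresses, not the poster's data): only the server side of
# an SMTP connection is visible, so every packet comes from the SYN-ACK sender.
SAMPLE_SERVER_SIDE = """\
21:01:55.758204 IP 192.0.2.10.25 > 198.51.100.7.4442: S 3557037574:3557037574(0) ack 1284350011 win 0
21:01:55.786742 IP 192.0.2.10.25 > 198.51.100.7.4442: . ack 1 win 2920
21:01:55.793184 IP 192.0.2.10.25 > 198.51.100.7.4442: P 1:37(36) ack 1 win 2920
21:02:04.441692 IP 192.0.2.10.25 > 198.51.100.7.4442: F 537:537(0) ack 1257 win 49100
21:02:04.904895 IP 192.0.2.10.25 > 198.51.100.7.4442: . ack 1258 win 49100
"""

# Constructed: one host repeating an unsolicited SYN-ACK with nothing after it,
# the "reverse SYN scan" shape the message contrasts with a working connection.
SAMPLE_SYNACK_ONLY = """\
21:10:00.000001 IP 192.0.2.10.25 > 198.51.100.7.4000: S 10:10(0) ack 1 win 0
21:10:01.000001 IP 192.0.2.10.25 > 198.51.100.7.4000: S 10:10(0) ack 1 win 0
21:10:03.000001 IP 192.0.2.10.25 > 198.51.100.7.4000: S 10:10(0) ack 1 win 0
"""

# Old-style tcpdump TCP line: flags, optional seq range with payload length, optional ack.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\S+)\.(?P<sport>\d+) > (?P<dip>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):(?P<seq_end>\d+)\((?P<plen>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)


@dataclass
class OneSidedSummary:
    """What a flow reader knows about a flow where only one endpoint was seen sending."""
    sender: Endpoint
    receiver: Endpoint
    pkts: int = 0
    appbytes: Optional[int] = None      # None models "appbytes not reported"
    saw_synack: bool = False            # a SYN carrying an ack: sender is answering a SYN
    saw_post_handshake: bool = False    # pure ACK, PSH or FIN after the SYN-ACK
    acks: List[int] = field(default_factory=list)


def summarize(dump: str, report_appbytes: bool = True) -> OneSidedSummary:
    """Fold tcpdump lines for a single one-sided flow into a summary record."""
    summary: Optional[OneSidedSummary] = None
    payload = 0
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed line: " + line)
        sender = (m["sip"], int(m["sport"]))
        receiver = (m["dip"], int(m["dport"]))
        if summary is None:
            summary = OneSidedSummary(sender, receiver)
        elif (sender, receiver) != (summary.sender, summary.receiver):
            raise ValueError("sample must contain exactly one unidirectional flow")
        summary.pkts += 1
        if "S" in m["flags"] and m["ack"] is not None:
            summary.saw_synack = True
        if "S" not in m["flags"]:
            summary.saw_post_handshake = True
        if m["ack"] is not None:
            summary.acks.append(int(m["ack"]))
        if m["plen"] is not None:
            payload += int(m["plen"])
    if summary is None:
        raise ValueError("empty sample")
    summary.appbytes = payload if report_appbytes else None
    return summary


def orient_by_appbytes(s: OneSidedSummary) -> Tuple[Endpoint, Endpoint]:
    """Appbytes-only rule (this example's stand-in for the kind of logic the message
    says was in use): payload from a SYN-ACK sender means a real connection, so the
    other endpoint initiated it; anything else keeps the sender as src. With appbytes
    unreported (None) a real connection falls into the second branch."""
    if s.saw_synack and s.appbytes:
        return s.receiver, s.sender
    return s.sender, s.receiver


def orient_with_checks(s: OneSidedSummary) -> Tuple[Endpoint, Endpoint]:
    """Same decision with checks that need no byte count (this example's own checks,
    not the ones added to ra): a SYN-ACK sender that goes on to send pure ACKs, PSH or
    FIN, or whose ack numbers advance, is acknowledging data from the unseen side, so
    that side is the initiator. A lone, repeated SYN-ACK keeps its sender as src."""
    if not s.saw_synack:
        return s.sender, s.receiver
    if s.appbytes or s.saw_post_handshake or len(set(s.acks)) > 1:
        return s.receiver, s.sender
    return s.sender, s.receiver


if __name__ == "__main__":
    conn = summarize(SAMPLE_SERVER_SIDE, report_appbytes=False)
    print("appbytes-only:", orient_by_appbytes(conn))   # server shown as src
    print("with checks:  ", orient_with_checks(conn))   # client shown as src
```

With appbytes unreported, the appbytes-only rule keeps the SYN-ACK sender (the SMTP server) as src, the orientation shown in the ra output quoted above, while the flag and ack checks still recover the client as initiator; for the SYN-ACK-only sample both rules agree and leave the sender in place.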


