Bug, TCP direction on unidirectional flows
Nick Diel
nick at engineerity.com
Fri Jun 19 13:50:09 EDT 2009
I noticed an interesting bug today with Argus. With unidirectional flows
where only the server side is visible (syn-ack side), Argus incorrectly
swaps the src and dst addresses.
Here is an example:
tcpdump -r interesting.pcap -nn
reading from file interesting.pcap, link-type EN10MB (Ethernet)
21:01:55.758204 IP X.X.X.X.25 > Y.Y.Y.Y.4442: S 3557037574:3557037574(0) ack
1284350011 win 0
21:01:55.786742 IP X.X.X.X.25 > Y.Y.Y.Y.4442: . ack 1 win 2920
21:01:55.793184 IP X.X.X.X.25 > Y.Y.Y.Y.4442: P 1:37(36) ack 1 win 2920
....
21:02:04.441692 IP X.X.X.X.25 > Y.Y.Y.Y.4442: F 537:537(0) ack 1257 win
49100
21:02:04.904895 IP X.X.X.X.25 > Y.Y.Y.Y.4442: . ack 1258 win 49100
21:05:05.260483 IP X.X.X.X.25 > Y.Y.Y.Y.1282: S 4103843404:4103843404(0) ack
1358349119 win 1460 <mss 1460,nop,nop,sackOK>
21:05:05.294729 IP X.X.X.X.25 > Y.Y.Y.Y.1282: P 1:37(36) ack 1 win 2920
...
21:05:08.777255 IP X.X.X.X.25 > Y.Y.Y.Y.1282: . ack 1075 win 49640
argus -r interesting.pcap -w - | ra -r - -z
21:01:55.758204 e tcp X.X.X.X smtp -> Y.Y.Y.Y
4442 11 1166 SEf
21:05:05.260483 e tcp X.X.X.X smtp -> Y.Y.Y.Y
1282 10 1024 SEf
ra -?
Ra Version 3.0.2.beta.8
argus -?
Argus Version 3.0.1.beta.3
Nick
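As an added illustration (not Argus code and not from the post), a small Python classifier that reads tcpdump-style lines like the ones above and infers which end opened each connection: a SYN-ACK seen on its own identifies its receiver as the originator, which is the inference the post reports Argus getting backwards. The sample packets are constructed to match the post's capture; the function and variable names are the example's own.

```python
import re

# Constructed sample in tcpdump's terse TCP syntax, modelled on the
# unidirectional capture quoted above: only the SMTP server's side of
# each connection (the SYN-ACK sender) was captured.
SAMPLE = """\
21:01:55.758204 IP X.X.X.X.25 > Y.Y.Y.Y.4442: S 3557037574:3557037574(0) ack 1284350011 win 0
21:01:55.786742 IP X.X.X.X.25 > Y.Y.Y.Y.4442: . ack 1 win 2920
21:01:55.793184 IP X.X.X.X.25 > Y.Y.Y.Y.4442: P 1:37(36) ack 1 win 2920
21:02:04.441692 IP X.X.X.X.25 > Y.Y.Y.Y.4442: F 537:537(0) ack 1257 win 49100
21:05:05.260483 IP X.X.X.X.25 > Y.Y.Y.Y.1282: S 4103843404:4103843404(0) ack 1358349119 win 1460
21:05:05.294729 IP X.X.X.X.25 > Y.Y.Y.Y.1282: P 1:37(36) ack 1 win 2920
"""

PKT = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (.*)$")
ACK = re.compile(r"\back \d+")

def parse(line):
    """Return (src, sport, dst, dport, flags, has_ack), or None if not a TCP line."""
    m = PKT.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags, rest = m.groups()
    return src, int(sport), dst, int(dport), flags, bool(ACK.search(rest))

def infer_direction(packets):
    """Return ((orig_ip, orig_port), (resp_ip, resp_port), evidence) for one flow."""
    for src, sport, dst, dport, flags, ack in packets:
        if "S" in flags and not ack:      # bare SYN: its sender opened the connection
            return (src, sport), (dst, dport), "syn"
        if "S" in flags and ack:          # SYN-ACK: its *receiver* opened the connection
            return (dst, dport), (src, sport), "syn-ack"
    src, sport, dst, dport = packets[0][:4]
    if sport < 1024 <= dport:             # service port talking to an ephemeral port
        return (dst, dport), (src, sport), "ports"
    # No evidence: fall back to the first packet's source, the rule that
    # produces the swapped direction reported in the post.
    return (src, sport), (dst, dport), "first-seen"

def flows(text):
    """Group packets by unordered endpoint pair and infer each flow's direction."""
    groups = {}
    for line in text.splitlines():
        p = parse(line)
        if p:
            groups.setdefault(frozenset([p[:2], p[2:4]]), []).append(p)
    return [infer_direction(pk) for pk in groups.values()]
```

Running `flows(SAMPLE)` yields both flows as Y.Y.Y.Y (ports 4442 and 1282) -> X.X.X.X:25 on "syn-ack" evidence, the opposite of the ra output quoted above.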