Bug, TCP direction on unidirectional flows

carter at qosient.com
Mon Jun 22 06:00:26 EDT 2009


Hey Nick,
It's the client's job to assign direction, so argus is doing the right thing, it seems.  If you could send the argus file, anonymized if needed, I'll take a look!

Carter

-----Original Message-----
From: Nick Diel <nick at engineerity.com>
Date: Fri, 19 Jun 2009 11:50:09
To: Argus<argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] Bug, TCP direction on unidirectional flows


I noticed an interesting bug today with Argus.  With unidirectional flows
where only the server side is visible (syn-ack side), Argus incorrectly
swaps the src and dst addresses.

Here is an example
tcpdump -r interesting.pcap -nn
reading from file interesting.pcap, link-type EN10MB (Ethernet)
21:01:55.758204 IP X.X.X.X.25 > Y.Y.Y.Y.4442: S 3557037574:3557037574(0) ack 1284350011 win 0
21:01:55.786742 IP X.X.X.X.25 > Y.Y.Y.Y.4442: . ack 1 win 2920
21:01:55.793184 IP X.X.X.X.25 > Y.Y.Y.Y.4442: P 1:37(36) ack 1 win 2920
....
21:02:04.441692 IP X.X.X.X.25 > Y.Y.Y.Y.4442: F 537:537(0) ack 1257 win 49100
21:02:04.904895 IP X.X.X.X.25 > Y.Y.Y.Y.4442: . ack 1258 win 49100
21:05:05.260483 IP X.X.X.X.25 > Y.Y.Y.Y.1282: S 4103843404:4103843404(0) ack 1358349119 win 1460 <mss 1460,nop,nop,sackOK>
21:05:05.294729 IP X.X.X.X.25 > Y.Y.Y.Y.1282: P 1:37(36) ack 1 win 2920
...
21:05:08.777255 IP X.X.X.X.25 > Y.Y.Y.Y.1282: . ack 1075 win 49640

argus -r interesting.pcap -w - | ra -r - -z
   21:01:55.758204  e         tcp      X.X.X.X smtp      ->      Y.Y.Y.Y 4442         11       1166   SEf
   21:05:05.260483  e         tcp      X.X.X.X smtp      ->      Y.Y.Y.Y 1282         10       1024   SEf


ra -?
Ra Version 3.0.2.beta.8

argus -?
Argus Version 3.0.1.beta.3

Nick
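
Added example, not part of the original thread and not argus or ra code: a sketch of how a flow reader could assign TCP direction when only one side of a connection is captured, using the handshake flags in tcpdump lines of the format quoted above. The rule, the function name infer_direction and the sample addresses (documentation ranges standing in for X.X.X.X and Y.Y.Y.Y) are assumptions.

```python
import re

# Old-style `tcpdump -nn` TCP line, the format quoted in the report above.
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): ([SFPRWE.]+) ?(.*)$")

def infer_direction(lines):
    """Return [(initiator, responder, basis)] per TCP flow, in first-seen order.

    Assumed rule (illustrative, not taken from the argus sources):
      SYN without ACK -> sender opened the connection
      SYN with ACK    -> sender is answering, so the unseen peer opened it
      neither seen    -> fall back to the first packet's sender (a guess)
    """
    flows = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # banner, non-TCP or wrapped continuation line
        src, dst = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}"
        flags, has_ack = m[5], re.search(r"\back \d+", m[6]) is not None
        key = frozenset((src, dst))  # same flow regardless of packet direction
        if "S" in flags:
            verdict = (dst, src, "syn-ack") if has_ack else (src, dst, "syn")
        else:
            verdict = (src, dst, "first-packet")
        # Handshake evidence overrides a first-packet guess; never the reverse.
        if key not in flows or (flows[key][2] == "first-packet" and "S" in flags):
            flows[key] = verdict
    return list(flows.values())

# Constructed sample: one-sided capture showing only the server side.
SAMPLE = """\
21:01:55.758204 IP 192.0.2.10.25 > 198.51.100.20.4442: S 3557037574:3557037574(0) ack 1284350011 win 0
21:01:55.786742 IP 192.0.2.10.25 > 198.51.100.20.4442: . ack 1 win 2920
21:01:55.793184 IP 192.0.2.10.25 > 198.51.100.20.4442: P 1:37(36) ack 1 win 2920
21:05:08.777255 IP 192.0.2.10.25 > 198.51.100.20.1282: . ack 1075 win 49640
""".splitlines()

if __name__ == "__main__":
    for initiator, responder, basis in infer_direction(SAMPLE):
        print(f"{initiator} -> {responder}  ({basis})")
```

The basis field keeps a handshake-derived direction distinguishable from a first-packet guess, so a downstream query can treat the two with different confidence.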
