Question about payload

Carter Bullard carter at qosient.com
Tue Apr 27 17:34:19 EDT 2010


Hey Paul,
s[51] means that this is the source user buffer and that it's 51 bytes long.  This
is the payload of the packet sent from the entity that initiated the flow.

d[135] means that this is the destination user buffer and it's 135 bytes long.
This is the payload of the packet sent from the entity that responded to the
initiator.

Using ra(), you are asking to print the raw buffer.  The default is to print out
as if it's an ASCII buffer; the '.'s are unprintable chars.  For some protocols,
like HTTP, the buffers are just ASCII strings.  For others, like DNS, they are a
mix of binary and ASCII.

Definitely looks like DNS traffic to me.

radump() will attempt to parse out the user buffers and print out what it understands
the buffer contents to be.  Using radump(), you would get an output that looked
like tcpdump's output for DNS.

   radump -r file -s +suser:128 +duser:135 - port domain

The field lengths (:xxx) are whatever it takes to decode the buffer and print it out in ASCII
successfully.

Carter

On Apr 27, 2010, at 4:43 PM, Paul Schmehl wrote:

> We're using argus to capture partial payloads.  The output is quite a bit different from tcpdump, and there's some parts I don't understand.  I'm hoping the experts here can enlighten me.
> 
> What does s[51]= mean?
> 
> What does d[135]= mean?
> 
> I took the first one to mean the payload, but then the second seems unclear to me.
> 
> Here's the packet I'm referring to:
> 
> 27 Apr 10 18:21:39.137180  M         udp      129.110.31.40.18677    <-> 92.241.190.252.domain   CON s[51]=d............sandra.prichaonica.com.......)........ d[135]=d............sandra.prichaonica.com.................\................ns2...............ns1...V..........\....D..........\.....)........
> 
> Clearly it's a DNS lookup, but I don't get what the s[51]= and d[135]= refer to.
> 
> -- 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
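The two views Carter describes, the raw ra-style dump versus a decoded radump-style view, shown on a reconstructed query payload. This is an added example and is not code from Carter, from Paul, or from the argus project. The 51-byte buffer is constructed to match the shape of the s[51] output quoted above (a 12-byte header whose first byte is 'd', the question for sandra.prichaonica.com, and a trailing EDNS0 OPT pseudo-RR whose type 41 is 0x29, which is ')' in ASCII); the transaction ID, flags and the 4096 UDP payload size are assumed values, as is the rendering rule that printable ASCII 0x20..0x7e is shown as-is and everything else as '.'.

```python
import struct

QNAME = "sandra.prichaonica.com"


def build_query(qname: str = QNAME, txid: int = 0x6401) -> bytes:
    """Constructed 51-byte DNS query: header + one question + EDNS0 OPT record.

    Values are assumptions chosen so the first byte renders as 'd' and every other
    header byte is unprintable, as in the quoted s[51] buffer.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, QD=1, AR=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    # OPT pseudo-RR (RFC 6891): root name, type 41, UDP size in the class field,
    # zero TTL (extended RCODE/version/flags), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question + opt


def ra_style(buf: bytes) -> str:
    """Raw view: printable ASCII as-is, anything else as '.' (assumed rule)."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in buf)


def read_name(buf: bytes, off: int):
    """Decode a DNS name at offset `off`, following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:  # 2-byte pointer into an earlier name
            ptr = ((n & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = read_name(buf, ptr)
            labels.append(tail)
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def decode_query(buf: bytes) -> dict:
    """Decoded view: header fields, question section and any EDNS0 OPT record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    edns_udp_size = None
    for _ in range(an + ns + ar):  # walk the remaining RRs without decoding RDATA
        _, off = read_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:  # OPT: the 0x29 byte that the raw dump prints as ')'
            edns_udp_size = rclass
    return {
        "txid": txid,
        "response": bool(flags & 0x8000),
        "questions": questions,
        "edns_udp_size": edns_udp_size,
    }


if __name__ == "__main__":
    payload = build_query()
    print(f"s[{len(payload)}]={ra_style(payload)}")   # what ra prints
    print(decode_query(payload))                      # what a DNS decoder recovers
```

The raw dump makes the query name legible only because DNS labels are ASCII; the label-length bytes, header, QTYPE/QCLASS and the OPT record all collapse into dots, and the lone ')' is just the OPT type byte. Decoding the structure is what turns those dots back into transaction ID, flags, counts and the EDNS UDP size. The same `read_name` also handles the compression pointers that appear in responses such as the d[135] buffer, which is why a decoded view is needed before reading "ns1"/"ns2" out of that output.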


