enc device parser

mike tancsa mike at sentex.ca
Wed Dec 29 14:32:43 EST 2010


Has anyone hacked together a parser for the *BSD enc device in Argus?

http://www.freebsd.org/cgi/man.cgi?query=enc&apropos=0&sektion=4&manpath=FreeBSD+8.1-RELEASE&format=html


It basically allows IPSEC ESP traffic to be examined as if it were
coming through an interface


Doing a tcpdump looks like:

# tcpdump -s0  -ni enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 65535 bytes
13:57:17.620542 (authentic,confidential): SPI 0x0b380f2d: IP 64.7.134.1 > 205.211.165.1: IP 192.168.0.12.54283 > 10.11.12.1.1010: S 258377009:258377009(0) win 65535 <mss 1452,nop,wscale 3,sackOK,timestamp 1264553963 0> (ipip-proto-4)
13:57:17.720371 (authentic,confidential): SPI 0x04b2cfa0: IP 10.11.12.1.1010 > 192.168.0.12.54283: S 724245143:724245143(0) ack 258377010 win 8192 <mss 1380,nop,wscale 0,nop,nop,timestamp 14697561 1264553963>
13:57:17.720383 (authentic,confidential): SPI 0x04b2cfa0: IP 205.211.165.1 > 64.7.134.1: IP 10.11.12.1.1010 > 192.168.0.12.54283: S 724245143:724245143(0) ack 258377010 win 8192 <mss 1380,nop,wscale 0,nop,nop,timestamp 14697561 1264553963> (ipip-proto-4)
13:57:17.763928 (authentic,confidential): SPI 0x0b380f2d: IP 64.7.134.1 > 205.211.165.1: IP 192.168.0.12.54283 > 10.11.12.1.1010: . ack 1 win 8208 <nop,nop,timestamp 1264554108 14697561> (ipip-proto-4)


	---Mike
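The link type tcpdump reports above as "ENC (OpenBSD encapsulated IP)" is straightforward to decode, which is what a parser for Argus would have to do. The following is an added example, not Argus code and not from Mike's post: a stand-alone Python decoder for the 12-byte header FreeBSD's if_enc.c prepends to every tapped packet (address family and flags in the capturing host's byte order, SPI in network byte order, M_CONF 0x0400 and M_AUTH 0x0800 as the protection bits) followed by the IPv4 header(s) inside it, including the IP-in-IP outer header that tunnel-mode ESP leaves in place (the "(ipip-proto-4)" in the output above). The sample frames are constructed to mirror the first SYN in the post and are not captured data; the address-family numbers are the FreeBSD and OpenBSD/NetBSD values.

```python
"""Decoder for frames captured on the *BSD enc(4) device (link type DLT_ENC).

Added example, not Argus code.  Assumes FreeBSD's enc(4) link-layer header:
    uint32_t af;     address family, host byte order
    uint32_t spi;    IPsec SPI, network byte order
    uint32_t flags;  M_CONF 0x0400 = encrypted, M_AUTH 0x0800 = authenticated
"""
import socket
import struct
import sys

ENC_HDRLEN = 12
M_CONF = 0x0400
M_AUTH = 0x0800
# AF numbers as defined on the capturing host (AF_INET6 is 28 on FreeBSD, 24 on OpenBSD/NetBSD).
AF_NAMES = {2: "inet", 24: "inet6", 28: "inet6"}
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17


def decode_enc_header(frame):
    """Split a DLT_ENC frame into (af_name, spi, flags, payload).

    af and flags are in the capturing host's byte order, so a pcap moved to a
    machine of the other endianness has them swapped.  Like tcpdump's
    print-enc.c, try native order first and fall back to the swapped order if
    the af value is not one we recognise.
    """
    if len(frame) < ENC_HDRLEN:
        raise ValueError("frame shorter than enc header")
    spi, = struct.unpack("!I", frame[4:8])  # always network order
    native = "<" if sys.byteorder == "little" else ">"
    for order in (native, ">" if native == "<" else "<"):
        af, flags = struct.unpack(order + "II", frame[0:4] + frame[8:12])
        if af in AF_NAMES:
            return AF_NAMES[af], spi, flags, frame[ENC_HDRLEN:]
    raise ValueError("unrecognised address family in enc header")


def describe_flags(flags):
    """Render the protection bits the way tcpdump does."""
    if flags == 0:
        return "unprotected"
    parts = []
    if flags & M_AUTH:
        parts.append("authentic")
    if flags & M_CONF:
        parts.append("confidential")
    return ",".join(parts)


def decode_ipv4(data):
    """Parse one IPv4 header; return (src, dst, proto, payload)."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    vhl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    if vhl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (vhl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(data) < total_len:
        raise ValueError("bad IPv4 lengths")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, data[ihl:total_len]


def decode_enc_frame(frame):
    """Return a flat record: SPI, protection, outer gateways (tunnel mode only)
    and the inner 5-tuple.  Tunnel-mode ESP shows an outer IP header with
    protocol 4 carrying the real packet; the pre-encapsulation copy the kernel
    can also tap, and transport mode, show the inner header directly."""
    af, spi, flags, payload = decode_enc_header(frame)
    if af != "inet":
        raise NotImplementedError("only IPv4 payloads handled here")
    rec = {"spi": spi, "protection": describe_flags(flags), "outer": None}
    src, dst, proto, payload = decode_ipv4(payload)
    if proto == IPPROTO_IPIP:
        rec["outer"] = (src, dst)
        src, dst, proto, payload = decode_ipv4(payload)
    rec.update(src=src, dst=dst, proto=proto)
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", payload[:4])
    return rec


def _ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header (checksum left zero) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload


def _enc(spi, flags, payload, af=2):
    """Prepend a native-order enchdr, as the capturing kernel would."""
    return struct.pack("=I", af) + struct.pack("!I", spi) + struct.pack("=I", flags) + payload


# Constructed samples modelled on the post's first SYN; only the TCP ports are real.
TCP_SYN_STUB = struct.pack("!HH", 54283, 1010) + bytes(16)
INNER = _ipv4("192.168.0.12", "10.11.12.1", IPPROTO_TCP, TCP_SYN_STUB)
TUNNEL_FRAME = _enc(0x0b380f2d, M_AUTH | M_CONF,
                    _ipv4("64.7.134.1", "205.211.165.1", IPPROTO_IPIP, INNER))
PLAIN_FRAME = _enc(0x0b380f2d, M_AUTH | M_CONF, INNER)  # same packet, no outer header

if __name__ == "__main__":
    for f in (TUNNEL_FRAME, PLAIN_FRAME):
        r = decode_enc_frame(f)
        outer = "IP %s > %s: " % r["outer"] if r["outer"] else ""
        print("(%s): SPI 0x%08x: %sIP %s.%d > %s.%d" % (r["protection"], r["spi"], outer,
                                                         r["src"], r["sport"], r["dst"], r["dport"]))
```

FreeBSD can tap an outbound packet both before and after IPsec encapsulation (the ipsec_bpf_mask sysctls documented in enc(4)), which is why the post shows the 10.11.12.1.1010 > 192.168.0.12.54283 SYN twice within 12 microseconds, once without and once with the outer header. The decoder returns outer=None for the first shape, so a flow tool can de-duplicate on SPI plus inner 5-tuple rather than counting the packet twice.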




More information about the argus mailing list