Teredo discovery support now in argus-3.0.3

Carter Bullard carter at qosient.com
Wed Feb 10 18:12:24 EST 2010


Gentle people,
argus-3.0.3 now has support for Teredo tunnel discovery.  The discovery is done
on any UDP packet that is not DNS.   Currently we are using a rather simple
algorithm for discovering IPv6 traffic in the stream, but it seems to be working pretty
well.  The flows will have IPv6 identifiers in the flow keys.

argus-client-3.0.3 support currently involves filter support using "encaps teredo".
   ra -r argus.file - encaps teredo

Currently, teredo tunnel discovery is turned on by default, and I'll change that
quickly if we have any major false teredo reporting (has been working for me
for quite a while).

If you start to see a lot of IPv6 that is surprising, either there is teredo,
and argus is reporting udp and tcp traffic over IPv6, or we've got bad teredo
matching logic, and we'll need to fix it.  Best way to tell is to look at the
user data, and if the protocols match up with the ports, then it's teredo.

Hope all is most excellent,

Carter
