Problem with byte-swapped IP addresses

Martijn van Oosterhout kleptog at gmail.com
Thu Mar 4 11:34:13 EST 2010


Hi,

(argus 3.0.0, but it also happens with 3.0.3.2)

I'm having a problem with IP addresses being byte-swapped in the argus
output, like so:

03 Mar 10 00:30:16  e    f    tcp      70.20.168.192 *         ->
93.20.168.192 *             1       1514   INT
03 Mar 10 00:30:16  e    f    tcp      93.20.168.192 *         ->
192.168.20.70 *             1       1514   INT
03 Mar 10 00:30:17  e         tcp      70.20.168.192.1823      ?>
192.168.20.93.1307          1       1514   CON
03 Mar 10 00:30:21  e    f    tcp      12.20.168.192 *         ->
62.20.168.192 *             1       1514   INT

All the addresses on this network are 192.168.x.x, so the given
addresses are not possible. Other weird things:

- Argus often shows the fragment flag on, yet raw packet captures for
the same period show no fragments at all.
- When it happens, it is most commonly both source and dest, but
sometimes just one. In that case the source is much more commonly
byte-swapped.
- I have confirmed that they are byte-swapped in the argus data files,
so it's not a problem with ra. It's done wrong by the server.
- These byte-swapped addresses happen sporadically in the stream where
they occur:

03 Mar 10 00:30:07  M d       tcp      192.168.20.93.1307      ->
192.168.20.70.1823      17731   14333302   CON
03 Mar 10 00:30:12  M d       tcp      192.168.20.93.1307      ->
192.168.20.70.1823      19995   15742950   CON
03 Mar 10 00:30:17  e         tcp      70.20.168.192.1823      ?>
192.168.20.93.1307          1       1514   CON
03 Mar 10 00:30:17  M d       tcp      192.168.20.93.1307      ->
192.168.20.70.1823      19459   16539822   CON
03 Mar 10 00:30:22  M d       tcp      192.168.20.93.1307      ->
192.168.20.70.1823      20384   16033892   CON

As you can see it's a very high bandwidth connection here. This seems
to be key, it happens much more frequently under high load.

Going through the source I can't think of a place where IP addresses
are conditionally byte-swapped.

It seems to be happening on two different machines which rules out hardware.
No other programs on the same machine see byte-swapped addresses,
which would rule out the networking stack.
Running the existing pcaps through argus again does not exhibit the problem.
Argus is running with a BPF filter 'net 192.168.20.0/22', which should
preclude packets with these addresses if they came from the kernel.
Examining the PCAPs for the period by hand shows nothing unusual.

If you want to try things, or need more debug info, it's fairly easily
reproducible capturing live data.

Thanks in advance,
-- 
Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
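A quick way to triage output like the above is to check each address against the expected network and, for anything outside it, test whether the octet-reversed form falls inside. Plain "out of range" filtering is not enough here, because 12.20.168.192 or 62.20.168.192 look like ordinary public addresses; the reverse-octet test is what separates corrupted records from real foreign traffic. The following is an added example, not code from argus or from the poster; it assumes the default ra column layout shown in the post (dotted quad, optionally followed by .port), the network 192.168.20.0/22 named in the report, and a sample constructed from the records quoted above.

```python
"""Flag byte-swapped IPv4 addresses in argus 'ra' text output.

Added example, not argus code and not the poster's code. Assumes the ra
column layout seen in the report: addresses are dotted quads, optionally
followed by '.port' as a single token.
"""
import ipaddress
import re

# Constructed sample: records quoted in the post, one record per line.
SAMPLE_RA_OUTPUT = """\
03 Mar 10 00:30:16  e    f    tcp      70.20.168.192 *         ->   93.20.168.192 *             1       1514   INT
03 Mar 10 00:30:16  e    f    tcp      93.20.168.192 *         ->   192.168.20.70 *             1       1514   INT
03 Mar 10 00:30:17  e         tcp      70.20.168.192.1823      ?>   192.168.20.93.1307          1       1514   CON
03 Mar 10 00:30:21  e    f    tcp      12.20.168.192 *         ->   62.20.168.192 *             1       1514   INT
03 Mar 10 00:30:07  M d       tcp      192.168.20.93.1307      ->   192.168.20.70.1823      17731   14333302   CON
"""

# Dotted quad, optionally followed by '.port' (ra prints addr.port as one token).
ADDR_RE = re.compile(r"\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\.(\d+))?\b")


def swap_octets(addr: str) -> str:
    """Return the address with its four octets in reverse order."""
    packed = ipaddress.IPv4Address(addr).packed
    return str(ipaddress.IPv4Address(packed[::-1]))


def classify(addr: str, expected_net: str) -> str:
    """'ok' if addr is inside the expected network, 'swapped' if only its
    octet-reversed form is, 'foreign' if neither is."""
    net = ipaddress.IPv4Network(expected_net)
    if ipaddress.IPv4Address(addr) in net:
        return "ok"
    if ipaddress.IPv4Address(swap_octets(addr)) in net:
        return "swapped"
    return "foreign"


def find_swapped_records(text: str, expected_net: str) -> list:
    """Scan ra output and return one entry per address that looks byte-swapped."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ADDR_RE.finditer(line):
            addr = m.group(1)
            try:
                verdict = classify(addr, expected_net)
            except ValueError:  # an octet above 255: not an address at all
                continue
            if verdict == "swapped":
                hits.append({"line": lineno, "addr": addr,
                             "corrected": swap_octets(addr), "port": m.group(2)})
    return hits


def summarize(text: str, expected_net: str) -> dict:
    """Counts useful for judging how often the corruption occurs."""
    hits = find_swapped_records(text, expected_net)
    return {"records": len(text.splitlines()),
            "affected_records": len({h["line"] for h in hits}),
            "swapped_addresses": len(hits)}


if __name__ == "__main__":
    for h in find_swapped_records(SAMPLE_RA_OUTPUT, "192.168.20.0/22"):
        print(f"line {h['line']}: {h['addr']} -> {h['corrected']}")
    print(summarize(SAMPLE_RA_OUTPUT, "192.168.20.0/22"))
```

Run it against `ra` text output to get a per-record list of suspect addresses and their octet-reversed candidates, which can then be compared with the raw pcap for the same timestamps. The check only works when the expected network is not itself symmetric under octet reversal; for 192.168.20.0/22 every reversed address lands in x.20.168.192 or nearby, well outside the prefix, so the two cases never overlap.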
