Problem with byte-swapped IP addresses
Carter Bullard
carter at qosient.com
Fri Mar 5 11:25:37 EST 2010
Hey Martijn,
Sorry for the delayed response and sorry for the problems.
There have been only a few reports of this behavior, and it has
been very transient, and very difficult to track down, so I'm very
happy to have this information.
If there is anything I can do to help, don't hesitate to holler!!!!
Carter
On Mar 5, 2010, at 3:31 AM, Martijn van Oosterhout wrote:
> On Thu, Mar 4, 2010 at 7:59 PM, Peter Van Epp <vanepp at sfu.ca> wrote:
>> On Thu, Mar 04, 2010 at 05:34:13PM +0100, Martijn van Oosterhout wrote:
>>> Hi,
>>>
>>> (argus 3.0.0, but it also happens with 3.0.3.2)
>>>
>>> I'm having a problem with IP addresses being byte-swapped in the argus
>>> output, like so:
>>
>> I assume this is an Intel (or other big-endian) machine?
>
> Yes, it's Intel.
>
>> It may be profitable to try and capture the pcap input
>> files that argus sees by setting ARGUS_PACKET_CAPTURE_FILE in your argus.conf
>> file although if the pcaps look OK its more likely an argus bug somewhere I
>> think.
>
> Thanks! I didn't know argus had this feature, but it certainly
> narrowed down the problem. Because the pcap file generated by argus
> also has these byte-swapped packets.
>
> # tcpdump -r ~/argus.dump host 98.20.168.192 -s 200 -n -e -v -XX
> 09:04:08.443801 00:06:5b:f4:fb:c7 > 00:06:5b:ed:4d:80, ethertype IPv4
> (0x0800), length 1514: truncated-ip - 54825 bytes missing! (tos 0x0,
> ttl 128, id 10994, offset 512, flags [none], proto TCP (6), length
> 56325, bad cksum 592c (->6e17)!) 18.20.168.192 > 98.20.168.192: tcp
> 0x0000: 0006 5bed 4d80 0006 5bf4 fbc7 0800 4500 ..[.M...[.....E.
> 0x0010: dc05 2af2 0040 8006 592c 1214 a8c0 6214 ..*..@..Y,....b.
> 0x0020: a8c0 1347 0ca2 06b9 50d2 f1b5 3459 5010 ...G....P...4YP.
> 0x0030: ffff 3cf8 0000 5445 4d06 0053 5953 5445 ..<...TEM..SYSTE
> 0x0040: 4d07 0078 6c03 0101 0101 0700 786c 0301 M..xl.......xl..
> 0x0050: 0101 0105 00c4 0313 2c0a 0000 0100 ........,.....
>
> Looking at this it seems there is much more at hand.
>
> - The length is byte-swapped (dc05 instead of 05dc = 1500)
> - The frag/offset field is byte-swapped (0040 instead of 4000)
> - The addresses are byte-swapped (but we knew that)
>
> As far as I can tell from the code, argus does no byte-swapping prior
> to dumping the packet, so this is really what argus sees. So it's
> screwing up somewhere after the BPF filter is processed and before
> data gets to argus. Which probably means libpcap/kernel interface.
> Yay! :(
>
> For reference:
>
> Kernel: Gentoo 2.6.27-hardened
> pcap-ringbuffer (something from 2006)
>
> I think the pcap library is a good target.
>
> Thanks for the help.
> --
> Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
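One check worth running on the hex dump Martijn posted, added here as an example and not code from the thread, from argus or from libpcap: decode the IPv4 header as captured, then undo a hypothesised field-wise swap and see whether the header checksum verifies. The repair rule is an assumption of this example (every multi-byte IPv4 header field except the checksum was converted to host byte order in place, after the checksum had been computed); the frame bytes and the 1514-byte frame length are copied from the tcpdump output above.

```python
"""Test a byte-swap hypothesis against the IPv4 header from the post.

Assumption of this example (not stated in the thread): the 16-bit tot_len,
id and frag_off fields were byte-swapped and the 32-bit addresses reversed
in place, while the single-byte fields and the checksum were left alone.
If so, undoing the swap must make the checksum fold to zero and the total
length agree with the captured frame length.
"""
import struct
from ipaddress import IPv4Address

# Hex dump from the post: Ethernet (14) + IPv4 (20) + TCP (20) + payload.
FRAME_HEX = (
    "0006 5bed 4d80 0006 5bf4 fbc7 0800 4500"
    " dc05 2af2 0040 8006 592c 1214 a8c0 6214"
    " a8c0 1347 0ca2 06b9 50d2 f1b5 3459 5010"
    " ffff 3cf8 0000 5445 4d06 0053 5953 5445"
    " 4d07 0078 6c03 0101 0101 0700 786c 0301"
    " 0101 0105 00c4 0313 2c0a 0000 0100"
)
FRAME = bytes.fromhex(FRAME_HEX.replace(" ", ""))
WIRE_LEN = 1514          # frame length tcpdump reported ("length 1514")
ETH_HLEN = 14


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over the header, checksum field
    included. A header whose checksum field is correct folds to 0."""
    words = struct.unpack("!%dH" % (len(hdr) // 2), hdr[: len(hdr) & ~1])
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(hdr: bytes, wire_len: int) -> dict:
    """Decode the fixed 20-byte IPv4 header and run the sanity checks that
    flag this capture: checksum, total length vs. frame, fragment word."""
    ver_ihl, tos, tot_len, ident, frag, ttl, proto, check, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0xF,
        "tot_len": tot_len,
        "id": ident,
        "flags": frag >> 13,              # 3 bits: reserved, DF, MF
        "frag_offset": (frag & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": proto,
        "check": check,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "checksum_ok": ip_checksum(hdr[:20]) == 0,
        "length_ok": tot_len == wire_len - ETH_HLEN,
    }


def unswap_fields(hdr: bytes) -> bytes:
    """Undo the hypothesised in-place host-order conversion: reverse the
    16-bit tot_len/id/frag_off and the 32-bit saddr/daddr; leave the
    single-byte fields and the checksum untouched."""
    out = bytearray(hdr[:20])
    for off in (2, 4, 6):
        out[off:off + 2] = out[off:off + 2][::-1]
    for off in (12, 16):
        out[off:off + 4] = out[off:off + 4][::-1]
    return bytes(out)


def analyse(frame: bytes = FRAME, wire_len: int = WIRE_LEN) -> dict:
    """Parse the header as captured and after undoing the swap. The
    unswapped view must pass both checks for the hypothesis to hold."""
    ip = frame[ETH_HLEN:ETH_HLEN + 20]
    return {
        "as_captured": parse_ipv4(ip, wire_len),
        "unswapped": parse_ipv4(unswap_fields(ip), wire_len),
    }


if __name__ == "__main__":
    for label, view in analyse().items():
        print(label)
        for key, value in view.items():
            print(f"  {key:12} {value}")
```

As captured, the header reproduces what tcpdump printed: total length 56325, fragment offset 512, source 18.20.168.192, and a checksum that does not verify. With the length, id, fragment word and both addresses undone and the checksum left exactly as captured, the header sums to zero, the length becomes 1500 (matching the 1514-byte frame), the fragment word becomes DF with offset 0, and the endpoints read 192.168.20.18 > 192.168.20.98. That the original checksum verifies over the repaired bytes shows the sender emitted a correct header and the swap was applied to individual fields somewhere on the capture path, which is consistent with Martijn's suspicion of the libpcap/kernel interface. The repair stops at the IP header because the TCP word 0x5010 at offset 46 already reads sensibly unswapped (data offset 5, ACK set).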