argus 3.0.3 decodes certain UDP packets incorrectly as IPv6

Terry Burton tez at terryburton.co.uk
Mon Sep 20 08:30:44 EDT 2010


Hi Carter,

The argus 3.0.3 series decodes certain UDP packets incorrectly as IPv6.

Attached is a pcap file containing a single 802.1Q-tagged packet:

$ tcpdump -evvvr argus-bad-decode-as-ipv6.pcap
reading from file argus-bad-decode-as-ipv6.pcap, link-type EN10MB (Ethernet)
17:39:59.822523 00:50:56:4d:d2:7c (oui Unknown) > 00:50:56:48:41:cb (oui Unknown), ethertype 802.1Q (0x8100), length 266: ethertype IPv4, (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 248) 192.168.0.107.32786 > 192.168.0.110.8044: [udp sum ok] UDP, length 220

argus 3.0.3 decodes it as:

$ ~/argus-3.0.3.16/bin/argus -r argus-bad-decode-as-ipv6.pcap -w - | ra -r -
   17:39:59.822523  *        unas                 ::           -> 0:0:766d:7761:726*               1        266   INT

argus 3.0.2 decodes this correctly:

$ ~/argus-3.0.2/bin/argus -r argus-bad-decode-as-ipv6.pcap -w - | ra -r -
   17:39:59.822523  *         udp      192.168.0.107.32786     -> 192.168.0.110.8044          1        266   INT


All the best,

Terry

--

System:  Linux sniff 2.6.32-bpo.5-amd64 #1 SMP Mon Aug 23 09:19:35 UTC
2010 x86_64 GNU/Linux
Paths:    /opt/argus/bin/ra /usr/bin/make /usr/bin/gcc /usr/bin/cc
RA:      Ra Version 3.0.2
GCC:     Using built-in specs.
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian
4.3.2-1.1' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs
--enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr
--enable-shared --with-system-zlib --libexecdir=/usr/lib
--without-included-gettext --enable-threads=posix --enable-nls
--with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3
--enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc
--enable-mpfr --enable-cld --enable-checking=release
--build=x86_64-linux-gnu --host=x86_64-linux-gnu
--target=x86_64-linux-gnu
Thread model: posix
gcc version 4.3.2 (Debian 4.3.2-1.1)

LIBC:
lrwxrwxrwx 1 root root 11 2010-09-01 23:51 /lib/libc.so.6 -> libc-2.7.so
-rwxr-xr-x 1 root root 1375536 2010-06-06 11:43 /lib/libc-2.7.so
-rw-r--r-- 1 root root 4248282 2010-06-06 11:43 /usr/lib/libc.a
-rw-r--r-- 1 root root 247 2010-06-06 11:38 /usr/lib/libc.so
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus-bad-decode-as-ipv6.pcap
Type: application/octet-stream
Size: 306 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100920/e894fbc7/attachment.obj>
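
For cross-checking a flow decoder against the packet in this report, the following added example (not code from argus or from the original post) walks a constructed copy of the frame's headers, skipping the 802.1Q tag before choosing the IP decoder by EtherType. The names flow_key, decode_frame and SAMPLE_FRAME, the VLAN ID 10 and the zeroed checksums are assumptions, and it makes no claim about the cause of the argus 3.0.3 misdecode.

```c
#include <stdint.h>
#include <stdio.h>
/* Decoded fields; ok == 0 means the frame was truncated or inconsistent. */
struct flow_key { int ok; uint16_t ethertype, vlan, sport, dport; uint8_t ipver, proto; };
/* Constructed sample: headers rebuilt from the tcpdump line in the report.
 * VLAN ID 10 and zeroed checksums are assumptions; the payload is omitted. */
static const uint8_t SAMPLE_FRAME[] = {
    0x00,0x50,0x56,0x48,0x41,0xcb, 0x00,0x50,0x56,0x4d,0xd2,0x7c, /* dst, src MAC */
    0x81,0x00, 0x00,0x0a, 0x08,0x00,     /* 802.1Q TPID, TCI, inner type IPv4 */
    0x45,0x00,0x00,0xf8, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00, /* IPv4, UDP */
    0xc0,0xa8,0x00,0x6b, 0xc0,0xa8,0x00,0x6e, /* 192.168.0.107 > 192.168.0.110 */
    0x80,0x12, 0x1f,0x6c, 0x00,0xe4, 0x00,0x00 /* UDP 32786 > 8044, len 228 */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

struct flow_key decode_frame(const uint8_t *f, size_t len)
{
    struct flow_key k = {0};
    size_t off = 12;                          /* skip dst + src MAC */
    if (len < off + 2) return k;
    k.ethertype = be16(f + off); off += 2;
    while (k.ethertype == 0x8100) {           /* each tag: 2-byte TCI + inner type */
        if (len < off + 4) return k;
        k.vlan = be16(f + off) & 0x0fff;
        k.ethertype = be16(f + off + 2); off += 4;
    }
    if (k.ethertype != 0x0800 && k.ethertype != 0x86dd) { k.ok = 1; return k; }
    if (len < off + 1) return k;
    k.ipver = f[off] >> 4;
    /* The EtherType selects the decoder; a disagreeing version nibble is an error. */
    if (k.ipver != (k.ethertype == 0x0800 ? 4 : 6)) return k;
    if (k.ipver == 6) { k.ok = 1; return k; } /* IPv6 header not decoded further here */
    size_t ihl = (size_t)(f[off] & 0x0f) * 4;
    if (ihl < 20 || len < off + ihl) return k;
    k.proto = f[off + 9];
    if (k.proto == 17 || k.proto == 6) {      /* UDP/TCP ports follow the IP header */
        if (len < off + ihl + 4) return k;
        k.sport = be16(f + off + ihl);
        k.dport = be16(f + off + ihl + 2);
    }
    k.ok = 1;
    return k;
}

int main(void) {
    struct flow_key k = decode_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME);
    printf("ok=%d vlan=%u ipver=%u proto=%u %u -> %u\n", k.ok, k.vlan, k.ipver, k.proto, k.sport, k.dport);
    return k.ok ? 0 : 1;
}
```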

