argus 3.0.3 decodes certain UDP packets incorrectly as IPv6

carter at qosient.com carter at qosient.com
Mon Sep 20 20:36:29 EDT 2010 

Hey Terry,
I will definitely look at this today/tomorrow.  On the road, but should be able to do something with the packet file.
Carter 

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Terry Burton <tez at terryburton.co.uk>
Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
Date: Mon, 20 Sep 2010 13:30:44 
To: Argus<argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] argus 3.0.3 decodes certain UDP packets incorrectly as IPv6

Hi Carter,

The argus 3.0.3 series decodes certain UDP packets incorrectly as IPv6.

Attached is a pcap file containing a single 802.1Q-tagged packet:

$ tcpdump -evvvr argus-bad-decode-as-ipv6.pcap
reading from file argus-bad-decode-as-ipv6.pcap, link-type EN10MB (Ethernet)
17:39:59.822523 00:50:56:4d:d2:7c (oui Unknown) > 00:50:56:48:41:cb
(oui Unknown), ethertype 802.1Q (0x8100), length 266: ethertype IPv4,
(tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length
248) 192.168.0.107.32786 > 192.168.0.110.8044: [udp sum ok] UDP,
length 220

The argus 3.0.3 decodes as:

$ ~/argus-3.0.3.16/bin/argus -r argus-bad-decode-as-ipv6.pcap -w - | ra -r -
   17:39:59.822523  *        unas                 ::           ->
0:0:766d:7761:726*               1        266   INT

argus 3.0.2 decodes this correctly:

$ ~/argus-3.0.2/bin/argus -r argus-bad-decode-as-ipv6.pcap -w - | ra -r -
   17:39:59.822523  *         udp      192.168.0.107.32786     ->
192.168.0.110.8044          1        266   INT


All the best,

Terry

--

System:  Linux sniff 2.6.32-bpo.5-amd64 #1 SMP Mon Aug 23 09:19:35 UTC
2010 x86_64 GNU/Linux
Paths:    /opt/argus/bin/ra /usr/bin/make /usr/bin/gcc /usr/bin/cc
RA:      Ra Version 3.0.2
GCC:     Using built-in specs.
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian
4.3.2-1.1' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs
--enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr
--enable-shared --with-system-zlib --libexecdir=/usr/lib
--without-included-gettext --enable-threads=posix --enable-nls
--with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3
--enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc
--enable-mpfr --enable-cld --enable-checking=release
--build=x86_64-linux-gnu --host=x86_64-linux-gnu
--target=x86_64-linux-gnu
Thread model: posix
gcc version 4.3.2 (Debian 4.3.2-1.1)

LIBC:
lrwxrwxrwx 1 root root 11 2010-09-01 23:51 /lib/libc.so.6 -> libc-2.7.so
-rwxr-xr-x 1 root root 1375536 2010-06-06 11:43 /lib/libc-2.7.so
-rw-r--r-- 1 root root 4248282 2010-06-06 11:43 /usr/lib/libc.a
-rw-r--r-- 1 root root 247 2010-06-06 11:38 /usr/lib/libc.so

More information about the argus mailing list