argus 3.0.3 decodes certain UDP packets incorrectly as IPv6

Terry Burton tez at terryburton.co.uk
Tue Sep 28 08:17:11 EDT 2010


On Mon, Sep 20, 2010 at 1:30 PM, Terry Burton <tez at terryburton.co.uk> wrote:
> The argus 3.0.3 series decodes certain UDP packets incorrectly as IPv6.
<...snip...>
> The argus 3.0.3 decodes as:
>
> $ ~/argus-3.0.3.16/bin/argus -r argus-bad-decode-as-ipv6.pcap -w - | ra -r -
>   17:39:59.822523  *        unas                 ::           ->
> 0:0:766d:7761:726*               1        266   INT

Hi Carter,

I've done a little bit of investigation into this problem and narrowed
down the issue to the Teredo detection in ArgusProcessUdpHdr. (Since
ArgusProcessUdpHdr was not invoked from ArgusProcessPacketHdrs in
Argus 3.0.2 we did not see the problem with those versions.)

It would appear that the test (ipv6->ip6_vfc & IPV6_VERSION_MASK) ==
IPV6_VERSION results in quite a number of mis-detections from certain
kinds of UDP traffic - VMware heartbeating is one such example.

Perhaps this test can be strengthened by including checks for the
UDP/3544 port within the IPv4 data and for the standard 2001:0000::/32
address prefix within the encapsulated IPv6 data?


All the best,

Terry
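The two-stage check proposed above, as an added Python example (not Argus code and not part of the original post): the weak version-nibble test beside a strengthened test that also requires UDP/3544 and a 2001:0000::/32 address. The constant names mirror those quoted in the mail, the UDP payloads are constructed, and the IPv6 header offsets are the standard ones (assumed to be what Argus reads).

```python
import ipaddress
import struct

# Constants named in the thread; values assumed (the Argus source is not on the page).
IPV6_VERSION_MASK = 0xF0
IPV6_VERSION = 0x60
TEREDO_UDP_PORT = 3544                                   # RFC 4380 Teredo service port
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0000::/32")  # RFC 4380 Teredo prefix


def version_nibble_says_ipv6(payload: bytes) -> bool:
    """The weak test: only the version nibble of the first payload byte is examined."""
    return len(payload) >= 40 and (payload[0] & IPV6_VERSION_MASK) == IPV6_VERSION


def looks_like_teredo(payload: bytes, sport: int, dport: int) -> bool:
    """Strengthened test: version nibble, Teredo UDP port, and 2001::/32 on an address."""
    if not version_nibble_says_ipv6(payload):
        return False
    if TEREDO_UDP_PORT not in (sport, dport):
        return False
    src = ipaddress.IPv6Address(payload[8:24])   # IPv6 source address, bytes 8..23
    dst = ipaddress.IPv6Address(payload[24:40])  # IPv6 destination address, bytes 24..39
    return src in TEREDO_PREFIX or dst in TEREDO_PREFIX


def ipv6_header(src: str, dst: str, next_hdr: int, body: bytes) -> bytes:
    """Build a minimal IPv6 packet: fixed 40-byte header followed by body."""
    head = struct.pack("!IHBB", 0x60000000, len(body), next_hdr, 64)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


# Constructed sample 1: a UDP payload whose first byte happens to have a high nibble of 6
# and carries ASCII at offset 28, which decodes like the thread's "0:0:766d:7761:72.."
# destination (0x76 0x6d 0x77 0x61 0x72 is "vmwar"); the source field is all zero ("::").
FAKE_IPV6_PAYLOAD = b"\x60" + bytes(27) + b"vmware heartbeat" + bytes(16)

# Constructed sample 2: a Teredo-encapsulated packet, client address inside 2001:0000::/32.
TEREDO_PAYLOAD = ipv6_header("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::1", 58, bytes(8))

# Constructed sample 3: right port and version nibble, but neither address is Teredo.
NATIVE_ON_3544 = ipv6_header("2001:db8::a", "2001:db8::b", 58, bytes(8))


if __name__ == "__main__":
    print(version_nibble_says_ipv6(FAKE_IPV6_PAYLOAD))    # True: the mis-detection
    print(looks_like_teredo(FAKE_IPV6_PAYLOAD, 902, 902))  # False (902 is a constructed port)
    print(looks_like_teredo(TEREDO_PAYLOAD, 3544, 40000))  # True
    print(looks_like_teredo(NATIVE_ON_3544, 3544, 40000))  # False
```

Teredo bubbles and packets carrying the RFC 4380 origin-indication or authentication headers begin with 0x00 rather than a version nibble of 6, so neither test above classifies them; a full decoder has to handle those prefixes separately.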
