argus 3.0.3 decodes certain UDP packets incorrectly as IPv6
Phillip G Deneault
deneault at WPI.EDU
Tue Sep 28 09:04:35 EDT 2010
On Tue, 28 Sep 2010, Terry Burton wrote:
> It would appear that the test (ipv6->ip6_vfc & IPV6_VERSION_MASK) ==
> IPV6_VERSION results in quite a number of mis-detections from certain
> kinds of UDP traffic - VMware heartbeating is one such example.
>
> Perhaps this test can be strengthened by including checks for the
> UDP/3544 port within the IPv4 data and for the standard 2001:0000::/32
> address prefix within the encapsulated IPv6 data?
Can I take this opportunity to ask how this type of traffic (i.e. Teredo)
is handled these days? Does argus display the outer-most encapsulation
or the inner-most? Is there a way to get both levels displayed?
Also, there has been some analysis of Teredo which suggests a method for
accurately identifying traffic. Starting on page 32 here:
http://www.symantec.com/avcenter/reference/Teredo_Security.pdf
Also in that document is a line which states the 2001:0000/32 prefix is
only for more modern implementations, but I wouldn't worry about that as I
don't think there are too many older implementations in use. I personally
think using 2001:0000/32 is a better criterion than udp/3544 because the
latter is just a default port between client and server.
Phil
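The two heuristics discussed in this thread, the version-nibble test that produces the false positives and the strengthened test that also requires UDP/3544 and the 2001:0000::/32 prefix, as an added example (not argus code and not from either poster). The function and sample names are assumptions, the packet bytes are constructed for the example, and the strengthened check assumes the IPv6 header sits at the start of the UDP payload with no Teredo origin or authentication indication in front of it:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TEREDO_UDP_PORT 3544   /* default Teredo client/server port named in the thread */
#define IPV6_HDR_LEN    40

/* Weak test from the thread: only the version nibble of the first payload
 * byte is examined, so any UDP payload starting with 0x60..0x6f passes. */
int looks_like_ipv6_weak(const uint8_t *payload, size_t len)
{
    if (len < 1)
        return 0;
    return (payload[0] & 0xF0) == 0x60;
}

/* 2001:0000::/32 is the Teredo prefix: compare the first four address bytes. */
static int has_teredo_prefix(const uint8_t addr[16])
{
    return addr[0] == 0x20 && addr[1] == 0x01 && addr[2] == 0x00 && addr[3] == 0x00;
}

/* Strengthened test (hypothetical helper). require_port selects the proposal:
 *   1 -> UDP/3544 on either side AND Teredo prefix on src or dst
 *   0 -> Teredo prefix alone, port ignored (the port is only a default) */
int looks_like_teredo(uint16_t sport, uint16_t dport,
                      const uint8_t *payload, size_t len, int require_port)
{
    if (require_port && sport != TEREDO_UDP_PORT && dport != TEREDO_UDP_PORT)
        return 0;
    if (len < IPV6_HDR_LEN)                     /* must hold a full IPv6 header */
        return 0;
    if ((payload[0] & 0xF0) != 0x60)            /* version nibble */
        return 0;
    size_t plen = ((size_t)payload[4] << 8) | payload[5];
    if (plen + IPV6_HDR_LEN > len)              /* declared payload must fit in the datagram */
        return 0;
    const uint8_t *src = payload + 8;           /* source address at offset 8 */
    const uint8_t *dst = payload + 24;          /* destination address at offset 24 */
    return has_teredo_prefix(src) || has_teredo_prefix(dst);
}

/* Constructed sample 1: an 8-byte non-IPv6 payload whose first byte happens to be 0x6c. */
const uint8_t sample_not_ipv6[] = { 0x6c, 0x00, 0x01, 0x00, 0xde, 0xad, 0xbe, 0xef };
const size_t sample_not_ipv6_len = sizeof sample_not_ipv6;

/* Constructed sample 2: a Teredo bubble, i.e. a bare 40-byte IPv6 header with
 * next header 59 (no next header), src in 2001:0000::/32, dst in 2001:db8::/32. */
const uint8_t sample_teredo[] = {
    0x60, 0x00, 0x00, 0x00,     /* version 6, traffic class 0, flow label 0 */
    0x00, 0x00, 0x3b, 0x40,     /* payload length 0, next header 59, hop limit 64 */
    0x20, 0x01, 0x00, 0x00, 0x41, 0x36, 0xe3, 0x78,
    0x80, 0x00, 0x63, 0xbf, 0x3f, 0xff, 0xfd, 0xd2,   /* src: constructed Teredo address */
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,   /* dst: 2001:db8::1 */
};
const size_t sample_teredo_len = sizeof sample_teredo;

/* Constructed sample 3: genuine IPv6 header, but neither address is Teredo. */
const uint8_t sample_plain_ipv6[] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3b, 0x40,
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,   /* src: 2001:db8::1 */
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,   /* dst: 2001:db8::2 */
};
const size_t sample_plain_ipv6_len = sizeof sample_plain_ipv6;

int main(void)
{
    printf("weak   non-ipv6  : %d\n", looks_like_ipv6_weak(sample_not_ipv6, sample_not_ipv6_len));
    printf("strong non-ipv6  : %d\n", looks_like_teredo(3544, 40001, sample_not_ipv6, sample_not_ipv6_len, 1));
    printf("strong teredo    : %d\n", looks_like_teredo(3544, 40001, sample_teredo, sample_teredo_len, 1));
    printf("prefix-only plain: %d\n", looks_like_teredo(3544, 40001, sample_plain_ipv6, sample_plain_ipv6_len, 0));
    return 0;
}
```

The first sample shows the mis-detection: it passes the version-nibble test but is rejected by the strengthened test before any address is examined, because it cannot hold an IPv6 header. The third sample shows why the prefix matters more than the port: a real IPv6 header on port 3544 is still not classified as Teredo unless one address carries 2001:0000::/32.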