argus 3.0.3 decodes certain UDP packets incorrectly as IPv6

Carter Bullard carter at qosient.com
Tue Sep 28 09:39:21 EDT 2010


Hey Terry,
Yes, Teredo parsing is turned on, and I should have thought about it.
Sorry I've been really busy.   There should be a big T in the flags field
though, that was what I put in to indicate that we had seen Teredo, but
it must be overwritten by the * in the encapsulation column.

If you printed out the 'senc' field there should be a big fat 'T' in the string.

I will turn it off by default, and add a configuration switch to turn it on.

With regard to the strength of the matching, it's an interesting problem,
as there aren't many patterns in IPv6 headers, unfortunately, and generally
with the snaplen set pretty low by many probes, we don't get that much
header to test.

So, I suspected that VMware was a culprit.  Anything in those packets that we
can use to reject?

Carter

On Sep 28, 2010, at 8:17 AM, Terry Burton wrote:

> On Mon, Sep 20, 2010 at 1:30 PM, Terry Burton <tez at terryburton.co.uk> wrote:
>> The argus 3.0.3 series decodes certain UDP packets incorrectly as IPv6.
> <...snip...>
>> The argus 3.0.3 decodes as:
>> 
>> $ ~/argus-3.0.3.16/bin/argus -r argus-bad-decode-as-ipv6.pcap -w - | ra -r -
>>   17:39:59.822523  *        unas                 ::           ->
>> 0:0:766d:7761:726*               1        266   INT
> 
> Hi Carter,
> 
> I've done a little bit of investigation into this problem and narrowed
> down the issue to the Teredo detection in ArgusProcessUdpHdr. (Since
> ArgusProcessUdpHdr was not invoked from ArgusProcessPacketHdrs in
> Argus 3.0.2 we did not see the problem with those versions.)
> 
> It would appear that the test (ipv6->ip6_vfc & IPV6_VERSION_MASK) ==
> IPV6_VERSION results in quite a number of mis-detections from certain
> kinds of UDP traffic - VMware heartbeating is one such example.
> 
> Perhaps this test can be strengthened by including checks for the
> UDP/3544 port within the IPv4 data and for the standard 2001:0000::/32
> address prefix within the encapsulated IPv6 data?
> 
> 
> All the best,
> 
> Terry
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
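The two checks discussed in the thread, side by side, as an added example. This is not argus code and not Carter's or Terry's: it is a stand-alone C sketch of the version-nibble-only test that the thread identifies as the source of the mis-detections, next to a stricter heuristic built from Terry's two suggestions (UDP/3544 on either side, 2001:0000::/32 on the inner source or destination) plus an inner payload-length consistency check against the UDP length on the wire. The function names and the sample packets are constructed for this example; the "VMware-like" buffer only imitates the shape of the mis-decoded packet in the ra output above (a 0x6 first nibble and ASCII text where the inner destination address would sit), it is not a real capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TEREDO_UDP_PORT 3544
#define IPV6_HDR_LEN    40

/*
 * The test the thread describes: only the IPv6 version nibble of the first
 * payload byte is consulted, so any UDP payload starting with 0x6x "is" IPv6.
 */
int teredo_match_weak(const uint8_t *payload, size_t caplen)
{
    if (caplen < 1)
        return 0;
    return (payload[0] & 0xF0) == 0x60;
}

/*
 * Strengthened heuristic (hypothetical, not the argus implementation):
 *   - UDP/3544 on one side of the outer datagram
 *   - a whole IPv6 header present in the captured bytes
 *   - version nibble 6
 *   - 2001:0000::/32 on the inner source or destination address
 *   - inner payload length + 40 equal to the UDP payload length on the wire
 * Returns 1 for "Teredo", 0 otherwise.  With caplen < 40 the question is
 * undecidable (snaplen too small), and 0 is the conservative answer.
 * Like the original test, this only handles a bare IPv6 packet in the UDP
 * payload; Teredo Origin (0x0000) and Authentication (0x0001) indicators
 * precede the IPv6 header and would have to be skipped first.
 */
int teredo_match_strict(uint16_t sport, uint16_t dport,
                        const uint8_t *payload, size_t wirelen, size_t caplen)
{
    static const uint8_t teredo_prefix[4] = { 0x20, 0x01, 0x00, 0x00 };
    uint16_t plen;

    if (sport != TEREDO_UDP_PORT && dport != TEREDO_UDP_PORT)
        return 0;
    if (caplen < IPV6_HDR_LEN)
        return 0;
    if ((payload[0] & 0xF0) != 0x60)
        return 0;
    if (memcmp(payload + 8, teredo_prefix, 4) != 0 &&
        memcmp(payload + 24, teredo_prefix, 4) != 0)
        return 0;
    plen = (uint16_t)((payload[4] << 8) | payload[5]);
    if ((size_t)IPV6_HDR_LEN + plen != wirelen)
        return 0;
    return 1;
}

/* Constructed sample 1: bare Teredo packet, inner 2001:0:0:1::1 -> 2001:0:0:2::1,
 * next header ICMPv6, 8 bytes of filler payload (plen = 8). */
const uint8_t sample_teredo[48] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x08, 0x3a, 0x40,
    0x20, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 1,
    0x20, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0, 0, 0, 0, 0, 0, 0, 1,
    0x80, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01
};

/* Constructed sample 2: a "VMware-like" UDP payload that starts with 0x60
 * and carries ASCII text where the inner destination address would be. */
const uint8_t sample_vmware_like[64] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x00, 0x00, 0x00, 'v', 'm', 'w', 'a', 'r', 'e', '-', 'h', 'e', 'a', 'r', 't',
    'b', 'e', 'a', 't', 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed sample 3: IPv6 header sent to UDP/3544 whose inner addresses
 * are 6to4 (2002::/16), not the Teredo prefix. */
const uint8_t sample_port_only[48] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x08, 0x3a, 0x40,
    0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 1,
    0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0, 0, 0, 0, 0, 0, 0, 1,
    0x80, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    printf("weak:   teredo=%d vmware-like=%d\n",
           teredo_match_weak(sample_teredo, sizeof sample_teredo),
           teredo_match_weak(sample_vmware_like, sizeof sample_vmware_like));
    printf("strict: teredo=%d vmware-like(902)=%d vmware-like(3544)=%d port-only=%d\n",
           teredo_match_strict(40000, 3544, sample_teredo, 48, 48),
           teredo_match_strict(902, 902, sample_vmware_like, 64, 64),
           teredo_match_strict(3544, 902, sample_vmware_like, 64, 64),
           teredo_match_strict(40000, 3544, sample_port_only, 48, 48));
    return 0;
}
```

The weak check flags both the Teredo sample and the VMware-like sample; the strict check keeps only the former, and also refuses to classify a capture truncated below 40 bytes. One caveat a practitioner should keep in mind before relying on the port test: 3544 is the Teredo server port, so the port check catches client-to-server and server-to-client traffic, while direct client-to-client Teredo traffic travels between the clients' own mapped ports and would only be caught by the prefix and length checks.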


