argus 3.0.3 decodes certain UDP packets incorrectly as IPv6

Terry Burton tez at terryburton.co.uk
Tue Sep 28 10:56:13 EDT 2010


On Tue, Sep 28, 2010 at 2:39 PM, Carter Bullard <carter at qosient.com> wrote:
<...snip...>
> So, I suspected that VMware was a culprit.  Anything in those packets that we
> can use to reject?

Carter,

When I get a chance I will upload a set of example packets that are
falsely identified as teredo. My previous sample pcap contained only a
single packet.


Thanks!

Terry


> On Sep 28, 2010, at 8:17 AM, Terry Burton wrote:
>> On Mon, Sep 20, 2010 at 1:30 PM, Terry Burton <tez at terryburton.co.uk> wrote:
>>> The argus 3.0.3 series decodes certain UDP packets incorrectly as IPv6.
>> <...snip...>
>>> The argus 3.0.3 decodes as:
>>>
>>> $ ~/argus-3.0.3.16/bin/argus -r argus-bad-decode-as-ipv6.pcap -w - | ra -r -
>>>   17:39:59.822523  *        unas                 ::           ->
>>> 0:0:766d:7761:726*               1        266   INT
>>
>> Hi Carter,
>>
>> I've done a little bit of investigation into this problem and narrowed
>> down the issue to the Teredo detection in ArgusProcessUdpHdr. (Since
>> ArgusProcessUdpHdr was not invoked from ArgusProcessPacketHdrs in
>> Argus 3.0.2 we did not see the problem with those versions.)
>>
>> It would appear that the test (ipv6->ip6_vfc & IPV6_VERSION_MASK) ==
>> IPV6_VERSION results in quite a number of mis-detections from certain
>> kinds of UDP traffic - VMware heartbeating is one such example.
>>
>> Perhaps this test can be strengthened by including checks for the
>> UDP/3544 port within the IPv4 data and for the standard 2001:0000::/32
>> address prefix within the encapsulated IPv6 data?
>>
>>
>> All the best,
>>
>> Terry
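The heuristic Terry describes, contrasted with the strengthened version he proposes, as an added illustration that is not argus code (all function and sample names are hypothetical; the two 40-byte payloads and the port numbers passed to them are constructed by hand to mimic the symptom, not captured packets):

```c
/* Added example, not argus code: a lone IPv6 version-nibble test versus a
 * stricter Teredo check that also requires UDP port 3544 on one side and the
 * 2001:0000::/32 Teredo prefix in the encapsulated source or destination. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV6_VERSION      0x60
#define IPV6_VERSION_MASK 0xf0
#define TEREDO_PORT       3544
#define IPV6_HDR_LEN      40

/* Version-nibble-only heuristic, mirroring the check quoted in the thread:
 * any UDP payload whose first byte starts with nibble 6 passes. */
int looks_like_ipv6_by_version(const uint8_t *payload, size_t len)
{
    if (len < IPV6_HDR_LEN)
        return 0;
    return (payload[0] & IPV6_VERSION_MASK) == IPV6_VERSION;
}

/* Strengthened heuristic (hypothetical): version nibble AND UDP/3544 on
 * either side AND a 2001:0000::/32 prefix on the inner src or dst address
 * (src sits at offset 8, dst at offset 24 of the IPv6 header). */
int looks_like_teredo(uint16_t sport, uint16_t dport,
                      const uint8_t *payload, size_t len)
{
    static const uint8_t teredo_prefix[4] = { 0x20, 0x01, 0x00, 0x00 };

    if (!looks_like_ipv6_by_version(payload, len))
        return 0;
    if (sport != TEREDO_PORT && dport != TEREDO_PORT)
        return 0;
    return memcmp(payload + 8, teredo_prefix, 4) == 0 ||
           memcmp(payload + 24, teredo_prefix, 4) == 0;
}

/* Constructed sample 1: a payload whose first nibble happens to be 6 and
 * which carries ASCII "vmware" where an IPv6 destination address would sit,
 * reproducing the "0:0:766d:7761:726*" destination shown in the thread. */
static const uint8_t sample_heartbeat[IPV6_HDR_LEN] = {
    0x60, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,          /* 0..7   */
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,          /* 8..23  src :: */
    0x00, 0x00, 0x00, 0x00,  'v', 'm', 'w', 'a', 'r', 'e',    /* 24..33 */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00                       /* 34..39 */
};

/* Constructed sample 2: an IPv6 header shaped like Teredo traffic, with a
 * 2001:0000::/32 source address (next header 0x3a = ICMPv6, hop limit 64). */
static const uint8_t sample_teredo[IPV6_HDR_LEN] = {
    0x60, 0x00, 0x00, 0x00,  0x00, 0x00, 0x3a, 0x40,          /* 0..7   */
    0x20, 0x01, 0x00, 0x00,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, /* 8..23 src */
    0x20, 0x01, 0x0d, 0xb8,  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1  /* 24..39 dst */
};

int main(void)
{
    printf("heartbeat: version-only=%d  strengthened=%d\n",
           looks_like_ipv6_by_version(sample_heartbeat, IPV6_HDR_LEN),
           looks_like_teredo(49152, 902, sample_heartbeat, IPV6_HDR_LEN));
    printf("teredo:    version-only=%d  strengthened=%d\n",
           looks_like_ipv6_by_version(sample_teredo, IPV6_HDR_LEN),
           looks_like_teredo(3544, 49152, sample_teredo, IPV6_HDR_LEN));
    return 0;
}
```

The version-nibble test accepts the constructed heartbeat-style payload, while the strengthened test rejects it on both the port and the prefix conditions. Requiring the prefix as well as the port matters because only one side of a Teredo exchange is pinned to UDP/3544; the other side uses an arbitrary client port.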


