Strange Argus Client IPv6 Filter Behavior

Dave Edelman dedelman at iname.com
Wed Jul 6 21:55:58 EDT 2011


This one is strange even by my standards. I've had the same results on both
Fedora 14 - 64 bit and Fedora 12 32 bit systems.
The environment is mixed IPv4 and IPv6. I have used both argus 3.0.3.3 and
argus 3.0.5.3 to capture the flows and that doesn't seem to make any
difference.

ra -r argus.out - host 2001:470:8d5c:1:1552:bef3:8139:3cce
ra[21832]: 07-06-11 21:38:21.996 host 2001:470:8d5c:1:1552:bef3:8139:3cce filter syntax error


ra -r argus.out - net 2001:470:8d5c:1:1552:bef3:8139:3cce/128
            StartTime      Flgs  Proto                   SrcAddr Sport   Dir                   DstAddr                Dport  TotPkts TotBytes State
07-06-11 21:07:31.469  e           tcp 2001:470:8d5c:1:1552:bef*.vmsvc-2 -> 2001:1890:1c00:1701::2011.http                       98      74771   CON
07-06-11 21:07:31.468  e        ipv6-* 2001:470:8d5c:1:1552:bef*.135 ->         ff02::1:ffb2:b3b2.0                           1         86   NNS
07-06-11 21:07:31.469  e        ipv6-*        2001:470:8d5c:1::1.135 <-> 2001:470:8d5c:1:1552:bef*.0                           4        344   NNS


I do not have this problem with argus clients 3.0.4.1 on the same data set.

I can send a capture sample if you need one, but I'm not sure if I need a
permit to transport toxic waste (aka IPv6).

Argus bugreport says the following:

System:  Linux xxx.net 2.6.32.26-175.fc12.i686.PAE #1 SMP Wed Dec 1 21:45:50 UTC 2010 i686 i686 i386 GNU/Linux
Arch:    i686

Paths:    /usr/local/bin/ra /usr/bin/make /usr/bin/gmake /usr/lib/ccache/gcc /usr/lib/ccache/cc

RA:      Ra Version 3.0.5.16

GCC:     Using built-in specs.
Target: i686-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib --with-ppl --with-cloog --with-tune=generic --with-arch=i686 --build=i686-redhat-linux
Thread model: posix
gcc version 4.4.4 20100630 (Red Hat 4.4.4-10) (GCC)

LIBC:
lrwxrwxrwx 1 root root 14 2010-12-31 21:30 /lib/libc.so.6 -> libc-2.11.2.so
-rwxr-xr-x 1 root root 1831904 2010-10-22 14:07 /lib/libc-2.11.2.so
-rw-r--r-- 1 root root 238 2010-10-22 13:36 /usr/lib/libc.so
-rwxr-xr-x 1 root root 1112432 2009-09-16 15:24 /usr/lib/libc-client.so.2007

--Dave





