Bug in direction?
Rafael Barbosa
rrbarbosa at gmail.com
Fri Jul 27 09:19:41 EDT 2012
Hi,
I may have found a bug in argus with respect to the direction of TCP
connections. When only the SYN-ACK message is received in TCP's 3-way
handshake (i.e., the SYN is missing), argus is setting the direction from
server to client, instead of client to server.
Small example:
$> tcpdump -r anon.pcap
reading from file anon.pcap, link-type EN10MB (Ethernet)
14:53:53.713258 IP 117.12.236.14.https > 117.69.107.235.1047: Flags [S.], seq 3044833418, ack 1678823480, win 5840, options [mss 1436,nop,nop,sackOK], length 0
14:56:03.341851 IP 117.12.236.14.https > 117.69.107.235.1042: Flags [S.], seq 3194374727, ack 2254352525, win 5840, options [mss 1436,nop,nop,sackOK], length 0
$> argus -r anon.pcap -w flows.argus
$> ra -r flows.argus
13:53:53.713258 * tcp 117.12.236.14.https -> 117.69.107.235.1047 1 66 ACC
13:56:03.341851 * tcp 117.12.236.14.https -> 117.69.107.235.1042 1 66 ACC
Using the latest stable version, argus-3.0.6.1.
Best regards,
Rafael Barbosa
http://www.ewi.utwente.nl/~barbosarr/
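The following is an added example, not argus code and not something the poster supplied; it shows the direction inference the report is about. A SYN-ACK is only ever sent by the passive opener, so when the first packet seen for a flow carries SYN+ACK, the client is that packet's destination, not its source. The packet builder, the parser and the lower-port-is-server fallback for flows with no handshake at all are assumptions made here for illustration; the two SYN-ACK packets in the demo use the anonymised addresses and sequence numbers from the tcpdump output above.

```python
"""Infer TCP flow direction from the first packet observed for a flow.

Added example (not argus code). The interesting case is the one from the
post: only the SYN-ACK is seen, so the sender of that packet is the server
and its destination is the client.
"""
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Build a minimal IPv4+TCP packet (checksums left zero; constructed test input)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4,      # data offset: 5 words, no options
                      flags, 5840, 0, 0)
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return (src, sport, dst, dport, flags) for an IPv4/TCP packet."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]              # low byte of the offset/flags word
    return src, sport, dst, dport, flags


def infer_direction(first_pkt):
    """Decide who is client and who is server from the first packet of a flow.

    SYN only      -> source is the client (active opener).
    SYN+ACK       -> source is the server, destination is the client.
    anything else -> no handshake seen; hypothetical fallback: the lower
                     port number is treated as the server side.
    """
    src, sport, dst, dport, flags = parse_ipv4_tcp(first_pkt)
    syn, ack = bool(flags & TCP_SYN), bool(flags & TCP_ACK)
    if syn and not ack:
        return {"client": (src, sport), "server": (dst, dport), "basis": "SYN"}
    if syn and ack:
        return {"client": (dst, dport), "server": (src, sport), "basis": "SYN-ACK"}
    if sport < dport:
        return {"client": (dst, dport), "server": (src, sport), "basis": "port-heuristic"}
    return {"client": (src, sport), "server": (dst, dport), "basis": "port-heuristic"}


def format_ra_style(direction):
    """Render as 'client.port -> server.port', the way ra prints a flow."""
    (cip, cport), (sip, sport) = direction["client"], direction["server"]
    return f"{cip}.{cport} -> {sip}.{sport}"


if __name__ == "__main__":
    # The two lone SYN-ACKs from the post (constructed here, addresses as anonymised there).
    for dport, seq, ack in ((1047, 3044833418, 1678823480),
                            (1042, 3194374727, 2254352525)):
        pkt = build_ipv4_tcp("117.12.236.14", "117.69.107.235", 443, dport,
                             TCP_SYN | TCP_ACK, seq, ack)
        d = infer_direction(pkt)
        print(f"{format_ra_style(d)}  (basis: {d['basis']})")
```

Run stand-alone, the script prints the two flows with 117.69.107.235 on the left, which is the client -> server orientation the poster expected ra to show.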