Proto 0 not displaying in ra

David Edelman dedelman at iname.com
Mon Jun 24 18:24:14 EDT 2013


Carter,
 
For at least some versions of Linux, the /etc/protocols file does have an
entry for protocol 0. In fact, some might include two entries (this example
is from Fedora Core 18):
 
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
# Last IANA update included dated 2011-05-03
#
# See also http://www.iana.org/assignments/protocol-numbers
 
ip      0       IP              # internet protocol, pseudo protocol number
hopopt  0       HOPOPT          # hop-by-hop options for ipv6
icmp    1       ICMP            # internet control message protocol
igmp    2       IGMP            # internet group management protocol
ggp     3       GGP             # gateway-gateway protocol
8< ------------------------ snip ----------------------------------------------
 
 
I'm not sure that the hopopt entry isn't causing some confusion, especially
if there is nothing to indicate IPv4 / IPv6 in the filter expression.
 
--Dave
 
From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Monday, June 24, 2013 10:58 AM
To: David Edelman
Cc: 'Jesse Bowling'; 'argus-info'
Subject: Re: [ARGUS] Proto 0 not displaying in ra
 
Hey Jesse, David,
The proto 0 should be an argus artifact, an internal protocol
number so that we can process L2 and L3 protocol numbers
in the same code set, so you shouldn't see that.
 
Zero should be illegal for L2 and L3. We make a distinction
between IPv6 options and the next header protocol number.
 
Very curious that IANA doesn't make that distinction.  That
seems like an error.
 
David is right, with an " - ip " filter, does it go away?
Got some data you can share that generates the error, so I
can check it out?
 
Carter
 
 
On Jun 20, 2013, at 8:49 PM, "David Edelman" <dedelman at iname.com> wrote:



Jesse,
 
I'm not sure that your filter expression is valid. If you are looking for
any of the IP related protocols then this does work on 3.0.7.10. When I use
a filter of - proto 0 it does not provide any records.
 
racount -M proto -M addr -r * - ip
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
    sum   2896        13853          7739           6114           4833073            1107119            3725954
Protocol Summary
   icmp   95          296            296            0              40960              40960              0
   igmp   354         354            354            0              22656              22656              0
    tcp   1172        10855          5375           5480           3983163            443295             3539868
    udp   1252        2291           1657           634            775907             589821             186086
   ipv6   12          24             24             0              2064               2064               0
    udp   3           4              4              0              1914               1914               0
    udp   7           29             29             0              6409               6409               0
Address Summary
  IPv4 Unicast              src 1           dst 45
  IPv4 Unicast This Network src 1           dst 1
  IPv4 Unicast Private      src 18          dst 8
  IPv4 Unicast Reserved     src 1           dst 24
  IPv4 Multicast Local      src 0           dst 4
  IPv4 Multicast Internet   src 0           dst 2
  IPv4 Multicast Reserved   src 0           dst 1
  IPv4 Multicast SiteLocal  src 0           dst 1
  IPv6 LinkLocal            src 10          dst 0
  IPv6 Multicast Link Local src 0           dst 10
 
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of
Jesse Bowling
Sent: Thursday, June 20, 2013 2:53 PM
To: argus-info
Subject: [ARGUS] Proto 0 not displaying in ra
 
Hi,
So I started with an racount:

# racount -M proto -M addr -r 6-18-13.argus
<snip>
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
      0   1148        6377           6377           0              2710225            2710225            0
</snip>
I found that interesting so I wanted to look at the original records:

# ra -r 6-18-13.argus - proto 0
#

 
I'm using 3.0.7.9, and this appears to be a bug... Let me know if I can help
debug...

Cheers,
Jesse
-- 
Jesse Bowling
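
Added example, not part of the original thread and not Argus code: a small parser for /etc/protocols-style text that lists every protocol number claimed by more than one name, which is the ip/hopopt overlap on 0 that David's excerpt shows. The function names are hypothetical, SAMPLE is copied from the Fedora Core 18 excerpt above, and the first-match reverse lookup is an assumption about how a resolver would pick a name, not a statement about ra.

```python
"""Find protocol numbers that more than one name claims in /etc/protocols-style text."""
from collections import defaultdict

# Sample copied from the Fedora Core 18 excerpt quoted in this thread.
SAMPLE = """\
# See also http://www.iana.org/assignments/protocol-numbers

ip      0       IP              # internet protocol, pseudo protocol number
hopopt  0       HOPOPT          # hop-by-hop options for ipv6
icmp    1       ICMP            # internet control message protocol
igmp    2       IGMP            # internet group management protocol
ggp     3       GGP             # gateway-gateway protocol
"""


def parse_protocols(text):
    """Return {number: [official names in file order]}; comments and aliases are ignored."""
    by_number = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop the trailing comment, then tokenize
        if len(fields) < 2 or not fields[1].isdigit():
            continue  # blank, comment-only or malformed line
        by_number[int(fields[1])].append(fields[0])
    return dict(by_number)


def ambiguous_numbers(by_number):
    """Numbers that map to more than one official name."""
    return {n: names for n, names in by_number.items() if len(names) > 1}


def first_match_name(by_number, number):
    """Name a first-match-wins reverse lookup would return (assumed behaviour)."""
    names = by_number.get(number)
    return names[0] if names else None


if __name__ == "__main__":
    import sys
    # With no argument the embedded sample is used; otherwise pass a file path.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    table = parse_protocols(text)
    for number, names in sorted(ambiguous_numbers(table).items()):
        print(f"proto {number}: {', '.join(names)} (reverse lookup is ambiguous)")
```

Run it with a path such as /etc/protocols as the only argument to check a local system.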
 