Proto 0 not displaying in ra

Carter Bullard carter at qosient.com
Mon Jun 24 19:46:11 EDT 2013 

Hey Dave,
So I mentioned in my earlier email that IPv6 options will never
find their way into our protocol field(s).  I have no idea why
IANA includes an IPv6 option as a protocol.  It must be an error?

So the zero pseudo protocol IP number, I'm not sure that that
is possible to send a packet with a zero in the IP protocol field.
IPinIP uses 4, so, not sure what it would mean for a router or
an end system to get a packet with a zero as the next header.

For us, I believe that racount() maybe reporting on ARP flows as
having a protocol of 0, as we play some games with ARP/RARP flows,
when we aggregate them.

I'll try to look into it later tonight.
Jesse, have any data I can use that generates the error?

Carter



On Jun 24, 2013, at 6:24 PM, "David Edelman" <dedelman at iname.com> wrote:

> Carter,
>  
> For at least some versions of Linux, the /etc/protocols file does have an entry for protocol 0. In fact, some might include two entries (this example is from Fedora Core 18):
>  
> # Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
> # Last IANA update included dated 2011-05-03
> #
> # See also http://www.iana.org/assignments/protocol-numbers
>  
> ip      0       IP              # internet protocol, pseudo protocol number
> hopopt  0       HOPOPT          # hop-by-hop options for ipv6
> icmp    1       ICMP            # internet control message protocol
> igmp    2       IGMP            # internet group management protocol
> ggp     3       GGP             # gateway-gateway protocol
> 8< ------------------------ snip ----------------------------------------------
>  
>  
> I’m not sure that the hopopt entry isn’t causing some confusion especially if there is nothing is indicate IPv4 / IPv6 in the filter expression.
>  
> --Dave
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Monday, June 24, 2013 10:58 AM
> To: David Edelman
> Cc: 'Jesse Bowling'; 'argus-info'
> Subject: Re: [ARGUS] Proto 0 not displaying in ra
>  
> Hey Jesse, David,
> The proto 0 should be an argus artifact, an internal protocol
> number so that we can process L2 and L3 protocol numbers
> in the same code set, so you shouldn't see that.
>  
> Zero should be illegal for L2 and L3. We make a distinction
> between IPv6 options and the next header protocol number.
>  
> Very curious that IANA doesn't make that distinction.  That
> seems like an error.
>  
> David is right, with an " - ip " filter, does it go away?
> Got some data you can share that generates the error, so I
> can check it out?
>  
> Carter
>  
>  
> On Jun 20, 2013, at 8:49 PM, "David Edelman" <dedelman at iname.com> wrote:
> 
> 
> Jesse,
>  
> I’m not sure that  your filter expression is valid. If you are looking for any of the IP related protocols then this does work on 3.0.7.10.  When I use a  filter of – proto 0  it does not provide any records
>  
> racount -M proto -M addr -r * - ip
> racount   records     total_pkts     src_pkts       dst_pkts      total_bytes        src_bytes          dst_bytes
>     sum   2896        13853          7739           6114          4833073            1107119            3725954
> Protocol Summary
>    icmp   95          296            296            0             40960              40960              0
>    igmp   354         354            354            0             22656              22656              0
>     tcp   1172        10855          5375           5480          3983163            443295             3539868
>     udp   1252        2291           1657           634           775907             589821             186086
>    ipv6   12          24             24             0             2064               2064               0
>     udp   3           4              4              0             1914               1914               0
>     udp   7           29             29             0             6409               6409               0
> Address Summary
>   IPv4 Unicast              src 1           dst 45
>   IPv4 Unicast This Network src 1           dst 1
>   IPv4 Unicast Private      src 18          dst 8
>   IPv4 Unicast Reserved     src 1           dst 24
>   IPv4 Multicast Local      src 0           dst 4
>   IPv4 Multicast Internet   src 0           dst 2
>   IPv4 Multicast Reserved   src 0           dst 1
>   IPv4 Multicast SiteLocal  src 0           dst 1
>   IPv6 LinkLocal            src 10          dst 0
>   IPv6 Multicast Link Local src 0           dst 10
>  
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Jesse Bowling
> Sent: Thursday, June 20, 2013 2:53 PM
> To: argus-info
> Subject: [ARGUS] Proto 0 not displaying in ra
>  
> Hi,
> 
> So I started with an racount:
> 
> # racount -M proto -M addr -r 6-18-13.argus
> <snip>
> racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
>       0   1148        6377           6377           0              2710225            2710225            0
> </snip>
> 
> I found that interesting so I wanted to look at the original records:
> 
> # ra -r 6-18-13.argus - proto 0
> #
>  
> I'm using 3.0.7.9, and this appears to be a bug...Let me know if I can help debug...
> 
> Cheers,
> 
> Jesse
> -- 
> Jesse Bowling
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130624/46d414af/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130624/46d414af/attachment.bin>

More information about the argus mailing list