Proto 0 not displaying in ra

Jesse Bowling jessebowling at gmail.com
Mon Jun 24 20:38:03 EDT 2013


Hi Carter,

I have some data that I can use to test the "- ip" filter on, and for
testing if necessary...I'll have to get it to you later as I'm unable to
access it at the moment.

Cheers,

Jesse


On Mon, Jun 24, 2013 at 7:46 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Dave,
> So I mentioned in my earlier email that IPv6 options will never
> find their way into our protocol field(s).  I have no idea why
> IANA includes an IPv6 option as a protocol.  It must be an error?
>
> So the zero pseudo protocol IP number, I'm not sure that that
> is possible to send a packet with a zero in the IP protocol field.
> IPinIP uses 4, so, not sure what it would mean for a router or
> an end system to get a packet with a zero as the next header.
>
> For us, I believe that racount() may be reporting on ARP flows as
> having a protocol of 0, as we play some games with ARP/RARP flows
> when we aggregate them.
>
> I'll try to look into it later tonight.
> Jesse, have any data I can use that generates the error?
>
> Carter
>
>
>
> On Jun 24, 2013, at 6:24 PM, "David Edelman" <dedelman at iname.com> wrote:
>
> Carter,
>
> For at least some versions of Linux, the /etc/protocols file does have an
> entry for protocol 0. In fact, some might include two entries (this example
> is from Fedora Core 18):
>
> # Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
> # Last IANA update included dated 2011-05-03
> #
> # See also http://www.iana.org/assignments/protocol-numbers
>
> ip      0       IP              # internet protocol, pseudo protocol number
> hopopt  0       HOPOPT          # hop-by-hop options for ipv6
> icmp    1       ICMP            # internet control message protocol
> igmp    2       IGMP            # internet group management protocol
> ggp     3       GGP             # gateway-gateway protocol
> 8< ------------------------ snip ----------------------------------------------
>
>
> I'm not sure that the hopopt entry isn't causing some confusion,
> especially if there is nothing to indicate IPv4 / IPv6 in the filter
> expression.
>
> --Dave
>
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Monday, June 24, 2013 10:58 AM
> To: David Edelman
> Cc: 'Jesse Bowling'; 'argus-info'
> Subject: Re: [ARGUS] Proto 0 not displaying in ra
>
> Hey Jesse, David,
> The proto 0 should be an argus artifact, an internal protocol
> number so that we can process L2 and L3 protocol numbers
> in the same code set, so you shouldn't see that.
>
> Zero should be illegal for L2 and L3. We make a distinction
> between IPv6 options and the next header protocol number.
>
> Very curious that IANA doesn't make that distinction.  That
> seems like an error.
>
> David is right, with an " - ip " filter, does it go away?
> Got some data you can share that generates the error, so I
> can check it out?
>
> Carter
>
>
> On Jun 20, 2013, at 8:49 PM, "David Edelman" <dedelman at iname.com> wrote:
>
> Jesse,
>
> I'm not sure that your filter expression is valid. If you are looking
> for any of the IP related protocols then this does work on 3.0.7.10.  When
> I use a filter of "- proto 0" it does not provide any records.
>
> racount -M proto -M addr -r * - ip
> racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
>     sum   2896        13853          7739           6114           4833073            1107119            3725954
> Protocol Summary
>    icmp   95          296            296            0              40960              40960              0
>    igmp   354         354            354            0              22656              22656              0
>     tcp   1172        10855          5375           5480           3983163            443295             3539868
>     udp   1252        2291           1657           634            775907             589821             186086
>    ipv6   12          24             24             0              2064               2064               0
>     udp   3           4              4              0              1914               1914               0
>     udp   7           29             29             0              6409               6409               0
> Address Summary
>   IPv4 Unicast              src 1           dst 45
>   IPv4 Unicast This Network src 1           dst 1
>   IPv4 Unicast Private      src 18          dst 8
>   IPv4 Unicast Reserved     src 1           dst 24
>   IPv4 Multicast Local      src 0           dst 4
>   IPv4 Multicast Internet   src 0           dst 2
>   IPv4 Multicast Reserved   src 0           dst 1
>   IPv4 Multicast SiteLocal  src 0           dst 1
>   IPv6 LinkLocal            src 10          dst 0
>   IPv6 Multicast Link Local src 0           dst 10
>
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
> Behalf Of Jesse Bowling
> Sent: Thursday, June 20, 2013 2:53 PM
> To: argus-info
> Subject: [ARGUS] Proto 0 not displaying in ra
>
> Hi,
> So I started with an racount:
>
> # racount -M proto -M addr -r 6-18-13.argus
> <snip>
> racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
>       0   1148        6377           6377           0              2710225            2710225            0
> </snip>
>
> I found that interesting so I wanted to look at the original records:
>
> # ra -r 6-18-13.argus - proto 0
> #
>
>
> I'm using 3.0.7.9, and this appears to be a bug...Let me know if I can
> help debug...
>
> Cheers,
> Jesse
>
> --
> Jesse Bowling
>
>
>


-- 
Jesse Bowling
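The /etc/protocols ambiguity Dave raises in the quoted thread (number 0 listed under both "ip" and "hopopt") can be checked mechanically rather than by eye. The Python below is an added example, not code from the thread or from the argus project: it parses /etc/protocols-style text and reports every number that carries more than one canonical name, which is exactly the situation where a numeric filter and a name-based display can disagree. The sample text is constructed from the Fedora 18 excerpt quoted above, with one extra line for protocol 4 (IP-in-IP, the number Carter mentions) added so a second real number is available for lookups.

```python
"""Parse /etc/protocols-style text and flag protocol numbers that carry more
than one canonical name, such as 0 -> "ip" and "hopopt".

Added example for the thread above; not argus code. Standard library only."""
from collections import defaultdict

# Constructed sample: the Fedora 18 excerpt quoted in the thread, plus one
# extra line for protocol 4 so that a second real number is available.
SAMPLE_PROTOCOLS = """\
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
# Last IANA update included dated 2011-05-03
#
# See also http://www.iana.org/assignments/protocol-numbers

ip      0       IP              # internet protocol, pseudo protocol number
hopopt  0       HOPOPT          # hop-by-hop options for ipv6
icmp    1       ICMP            # internet control message protocol
igmp    2       IGMP            # internet group management protocol
ggp     3       GGP             # gateway-gateway protocol
ipencap 4       IP-ENCAP        # IP encapsulated in IP (added to the excerpt)
"""


def parse_protocols(text):
    """Return a list of (name, number, aliases) tuples.

    Each non-comment line has the form: name  number  [alias ...]  [# comment]
    Malformed lines raise ValueError instead of being skipped, so a damaged
    file is noticed rather than yielding a silently partial table."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop the trailing comment
        if not line:
            continue  # blank or comment-only line
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        number = int(fields[1])
        if not 0 <= number <= 255:  # the IP protocol / next-header field is one octet
            raise ValueError(f"line {lineno}: protocol number {number} out of range")
        entries.append((fields[0], number, fields[2:]))
    return entries


def names_by_number(entries):
    """Map protocol number -> list of canonical names, in file order."""
    table = defaultdict(list)
    for name, number, _aliases in entries:
        table[number].append(name)
    return dict(table)


def ambiguous_numbers(entries):
    """Numbers that carry more than one canonical name.

    A tool that renders a numeric protocol by name may print either entry,
    depending on which one its lookup finds first; these are the values to
    treat with suspicion when a filter and a summary appear to disagree."""
    return {n: names for n, names in names_by_number(entries).items() if len(names) > 1}


def number_for_name(entries, name):
    """Resolve a canonical name or alias (case-insensitive) to its number."""
    wanted = name.lower()
    for canon, number, aliases in entries:
        if wanted == canon.lower() or wanted in (a.lower() for a in aliases):
            return number
    raise KeyError(name)


if __name__ == "__main__":
    table = parse_protocols(SAMPLE_PROTOCOLS)
    for number, names in sorted(ambiguous_numbers(table).items()):
        print(f"protocol {number} has {len(names)} names: {', '.join(names)}")
```

Run against a real /etc/protocols by passing the file contents to `parse_protocols`; on the excerpt above it reports only number 0, which is the one case the thread is about.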