argus ppp teredo
CS Lee
geek00l at gmail.com
Wed Apr 30 22:26:24 EDT 2014
hi Carter,
After I applied the patch, argus is able to parse the Teredo.pcap without
problem; however, it only shows ppp encapsulation, as indicated in flgs
- p
ra -nr Teredo.arg3 -s saddr sport daddr dport proto flgs
94.197.69.162.49348 83.170.6.76.3544 udp p
94.197.69.162.49348 83.170.6.76.3544 udp p
94.197.69.162.49348 83.170.6.76.3544 udp p
94.197.69.162.49348 83.170.6.76.3544 udp p
94.197.69.162.49348 83.170.6.76.3544 udp p
83.170.6.77.3544 94.197.69.162.49348 udp p
94.197.69.162.49348 83.170.6.76.3544 udp p
94.197.69.162.49348 83.170.6.76.3544 udp p
94.197.69.162.49348 83.170.6.76.3544 udp p
While we do know it is a Teredo tunnel by looking at port 3544, the IPv6 over
UDP is not tracked. I dug deeper by running the following command -
ra -M printer='hex' -nr Teredo.arg3 -s saddr sport daddr dport suser:64 duser:64
94.197.69.162.49348 83.170.6.76.3544
0x0000 0001 0000 1194 91ce 36ef c9d4 0060 0000
........6....`..
0x0010 0000 083a fffe 8000 0000 0000 0080 0054
...:...........T
0x0020 4552 4544 4fff 0200 0000 0000 0000 0000
EREDO...........
0x0030 0000 0000 0285 0012 5d00 0000 0000 0100
........].......
0x0000 0001 0000 8702 0758 a079 5f42 0000 003f
.......X.y_B...?
0x0010 3ba1 3aba 5d60 0000 0000 383a fffe 8000
;.:.]`....8:....
0x0020 0000 0000 0080 00f2 27ac 55f9 b3fe 8000
........'.U.....
0x0030 0000 0000 0000 00ff ffff ffff ff86 0095
................
83.170.6.77.3544 94.197.69.162.49348
0x0000 0001 0000 1194 91ce 36ef c9d4 0000 003f
........6......?
0x0010 3ba1 3aba 5d60 0000 0000 383a fffe 8000
;.:.]`....8:....
0x0020 0000 0000 0080 00f2 27ac 55f9 b3fe 8000
........'.U.....
0x0030 0000 0000 0080 0054 4552 4544 4f86 002a
.......TEREDO..*
0x0000 0001 0000 9624 55da 052e da15 0060 0000
.....$U......`..
0x0010 0000 083a fffe 8000 0000 0000 0000 00ff
...:............
0x0020 ffff ffff ffff 0200 0000 0000 0000 0000
................
0x0030 0000 0000 0285 007d 3700 0000 00
.......}7....
So the Teredo and IPv6 headers are shown, and we can see IPv6 addresses in the
user data.
I checked the mailing list and you have mentioned the Teredo tunnel parsing
here -
http://article.gmane.org/gmane.network.argus/6785/match=teredo
Maybe you should implement the address array like you mentioned in the
mailing list, such as
ra -r file -s srcid saddr[2] daddr[2] proto[2] pkts bytes
You mentioned GRE tunnel tracking as well. I recall last time I had a
similar problem tracking that with argus; maybe the address array is
the solution, or does anyone on the mailing list have a better idea?
--
Best Regards,
CS Lee<geek00L[at]gmail.com>
http://geek00l.blogspot.com
http://defcraft.com.my