argus ppp teredo

CS Lee geek00l at gmail.com
Wed Apr 30 22:26:24 EDT 2014


hi Carter,

After I applied the patch, argus is able to parse the Teredo.pcap without
problem; however, it only shows it is ppp encapsulation, as indicated in flgs
- p

ra -nr Teredo.arg3 -s saddr sport daddr dport proto flgs
     94.197.69.162.49348         83.170.6.76.3544      udp  p
     94.197.69.162.49348         83.170.6.76.3544      udp  p
     94.197.69.162.49348         83.170.6.76.3544      udp  p
     94.197.69.162.49348         83.170.6.76.3544      udp  p
     94.197.69.162.49348         83.170.6.76.3544      udp  p
       83.170.6.77.3544        94.197.69.162.49348     udp  p
     94.197.69.162.49348         83.170.6.76.3544      udp  p
     94.197.69.162.49348         83.170.6.76.3544      udp  p
     94.197.69.162.49348         83.170.6.76.3544      udp  p

While we do know it is a teredo tunnel by looking at port 3544, the ipv6 over
udp is not tracked. I dug deeper by running the following command -

ra -M printer='hex' -nr Teredo.arg3 -s saddr sport daddr dport suser:64 duser:64

     94.197.69.162.49348         83.170.6.76.3544
      0x0000     0001 0000 1194 91ce 36ef c9d4 0060 0000     ........6....`..
      0x0010     0000 083a fffe 8000 0000 0000 0080 0054     ...:...........T
      0x0020     4552 4544 4fff 0200 0000 0000 0000 0000     EREDO...........
      0x0030     0000 0000 0285 0012 5d00 0000 0000 0100     ........].......

      0x0000     0001 0000 8702 0758 a079 5f42 0000 003f     .......X.y_B...?
      0x0010     3ba1 3aba 5d60 0000 0000 383a fffe 8000     ;.:.]`....8:....
      0x0020     0000 0000 0080 00f2 27ac 55f9 b3fe 8000     ........'.U.....
      0x0030     0000 0000 0000 00ff ffff ffff ff86 0095     ................

       83.170.6.77.3544        94.197.69.162.49348
      0x0000     0001 0000 1194 91ce 36ef c9d4 0000 003f     ........6......?
      0x0010     3ba1 3aba 5d60 0000 0000 383a fffe 8000     ;.:.]`....8:....
      0x0020     0000 0000 0080 00f2 27ac 55f9 b3fe 8000     ........'.U.....
      0x0030     0000 0000 0080 0054 4552 4544 4f86 002a     .......TEREDO..*

      0x0000     0001 0000 9624 55da 052e da15 0060 0000     .....$U......`..
      0x0010     0000 083a fffe 8000 0000 0000 0000 00ff     ...:............
      0x0020     ffff ffff ffff 0200 0000 0000 0000 0000     ................
      0x0030     0000 0000 0285 007d 3700 0000 00            .......}7....

So the teredo and ipv6 headers are shown, and we can see ipv6 addresses in the
user data.

I checked in the mailing list and you mentioned the teredo tunnel parsing
here -

http://article.gmane.org/gmane.network.argus/6785/match=teredo

Maybe you should implement the address array like you mentioned in the
mailing list, such as

ra -r file -s srcid saddr[2] daddr[2] proto[2] pkts bytes

You mentioned gre tunneling tracking as well. I recall last time I had a
similar problem tracking that with argus, and maybe the address array is
the solution, or does anyone on the mailing list have a better idea?


-- 

Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.com.my
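As an added illustration of what the suser/duser bytes in the post above contain (this is example code, not part of the post and not argus code), the parser below walks a UDP/3544 payload the way RFC 4380 section 5.1 lays it out: an optional authentication header (indicator 0x0001), an optional origin indication (indicator 0x0000, with the client's port and IPv4 XORed against all-ones so a NAT will not rewrite them), and then the fixed IPv6 header of the tunnelled packet. The two sample payloads are copied from the first flow's hex dumps in the post (the client's router solicitation and the server's router advertisement); the function and field names are this example's own. It also decodes the Teredo-style interface identifier (flags, obfuscated port, obfuscated IPv4) of the advertisement's source address, which gives back the server's own 83.170.6.76:3544, the kind of inner address information the flgs "p" entry alone does not expose.

```python
import ipaddress
import struct

# Two-byte indicators that may precede the IPv6 packet in a Teredo UDP payload
# (RFC 4380 section 5.1). An IPv6 header always starts with 0x6x, so neither
# indicator can be mistaken for the start of the inner packet.
AUTH_INDICATOR = b"\x00\x01"
ORIGIN_INDICATOR = b"\x00\x00"


def parse_teredo_payload(payload: bytes) -> dict:
    """Decode a UDP/3544 payload: optional auth header, optional origin
    indication, then the fixed 40-byte IPv6 header of the tunnelled packet."""
    out = {"auth": None, "origin": None}
    off = 0

    # Authentication header: indicator(2) id_len(1) au_len(1)
    #   client_id(id_len) auth_value(au_len) nonce(8) confirmation(1)
    if payload[off:off + 2] == AUTH_INDICATOR:
        id_len, au_len = payload[off + 2], payload[off + 3]
        pos = off + 4
        client_id = payload[pos:pos + id_len]
        pos += id_len
        auth_value = payload[pos:pos + au_len]
        pos += au_len
        nonce = payload[pos:pos + 8]
        pos += 8
        confirmation = payload[pos]
        pos += 1
        out["auth"] = {
            "client_id": client_id.hex(),
            "auth_value": auth_value.hex(),
            "nonce": nonce.hex(),
            "confirmation": confirmation,
        }
        off = pos

    # Origin indication: indicator(2) obfuscated_port(2) obfuscated_ipv4(4).
    # Port and address are XORed with all-ones; undo that to recover them.
    if payload[off:off + 2] == ORIGIN_INDICATOR:
        port = struct.unpack("!H", payload[off + 2:off + 4])[0] ^ 0xFFFF
        addr = bytes(b ^ 0xFF for b in payload[off + 4:off + 8])
        out["origin"] = (str(ipaddress.IPv4Address(addr)), port)
        off += 8

    # Fixed IPv6 header: version/TC/flow(4) payload_len(2) next_hdr(1) hop(1)
    # src(16) dst(16). The capture may stop right after it (suser:64), so the
    # inner payload is not required to be present.
    hdr = payload[off:off + 40]
    if len(hdr) < 40:
        raise ValueError("truncated: no complete IPv6 header after Teredo headers")
    ver_tc_fl, plen, nh, hlim = struct.unpack("!IHBB", hdr[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    out.update({
        "src": str(ipaddress.IPv6Address(hdr[8:24])),
        "dst": str(ipaddress.IPv6Address(hdr[24:40])),
        "payload_len": plen,
        "next_header": nh,
        "hop_limit": hlim,
    })
    # First inner byte, if the capture kept it: the ICMPv6 type for nh 58.
    if nh == 58 and len(payload) > off + 40:
        out["icmpv6_type"] = payload[off + 40]
    return out


def decode_teredo_iid(addr: str):
    """Split a Teredo-style interface identifier (RFC 4380 section 4):
    flags(2) obfuscated_port(2) obfuscated_ipv4(4); returns (flags, ipv4, port)
    with the port and address de-obfuscated."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    flags, obf_port = struct.unpack("!HH", iid[:4])
    ipv4 = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in iid[4:8]))
    return flags, str(ipv4), obf_port ^ 0xFFFF


# Sample payloads copied from the first flow's suser/duser dumps in the post:
# the client's router solicitation and the server's router advertisement.
CLIENT_RS = bytes.fromhex(
    "0001 0000 1194 91ce 36ef c9d4 0060 0000"
    "0000 083a fffe 8000 0000 0000 0080 0054"
    "4552 4544 4fff 0200 0000 0000 0000 0000"
    "0000 0000 0285 0012 5d00 0000 0000 0100"
)
SERVER_RA = bytes.fromhex(
    "0001 0000 8702 0758 a079 5f42 0000 003f"
    "3ba1 3aba 5d60 0000 0000 383a fffe 8000"
    "0000 0000 0080 00f2 27ac 55f9 b3fe 8000"
    "0000 0000 0000 00ff ffff ffff ff86 0095"
)

if __name__ == "__main__":
    for name, pkt in (("client RS", CLIENT_RS), ("server RA", SERVER_RA)):
        print(name, parse_teredo_payload(pkt))
    print("RA source decodes to", decode_teredo_iid(parse_teredo_payload(SERVER_RA)["src"]))
```

Run as-is it prints the inner src/dst for both dumps; the solicitation goes from fe80::8000:5445:5245:444f (the "TEREDO" bytes visible in the ASCII column) to ff02::2, and the advertisement carries an origin indication that de-obfuscates to 94.197.69.162:49348, i.e. the client's outer address as the server saw it. Only the first 64 bytes of user data are present, so the ICMPv6 body after the IPv6 header is cut short; the parser deliberately reads just the fixed header plus the one ICMPv6 type byte that survived.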

