Did anyone already think about how to analyze MPTCP with Argus?

el draco eldraco at gmail.com
Thu Jul 31 10:13:59 EDT 2014


Thanks Carter.
So, we can look at the options to know that MPTCP is being used, and with
the user data we may analyze what we can get from all the flows that
are captured.
Nice to know Argus can deal with it.
thanks!
sebas

On Thu, Jul 31, 2014 at 4:00 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Sebas,
> Argus will report the existence of all the TCP connections that
> exist, but it will not indicate that the MPTCP TCPs are related.
>
> Argus will report the use of the TCP option that is used to
> negotiate MPTCP (TCP option kind 30), so you'll know that the TCPs
> are using MPTCP, but you won't know which ones are
> bound to which.
>
> So MPTCP doesn't break Argus.
>
> The Argus user data buffers between all the related TCPs will
> reveal the "stripping" effect that MPTCP generates, so you
> will be able to figure it out, if you're capturing user data.
>
> Carter
>
>
> On Jul 31, 2014, at 9:31 AM, el draco <eldraco at gmail.com> wrote:
>
>> Hi list.
>> Reading about next weekend's BlackHat talk about MultiPath TCP protocols
>> breaking traffic inspection and trust models, I started wondering if
>> any of you thought about how Argus would deal with this.
>>
>> I don't have any implementation yet, so I cannot try it. There should
>> be a way to detect that MPTCP is at least being used, right? If you
>> cannot see the other 'new' flows... maybe you can detect that the
>> protocol seems to be broken but is not retransmitting? I'm imagining
>> some type of anomaly detection algorithm may be able to catch this.
>>
>> http://labs.neohapsis.com/2014/07/29/multipath-tcp-blackhat-briefings-teaser/
>>
>>
>> See you
>> sebas
>>
>
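The detection Carter describes (spotting MPTCP by TCP option kind 30, without knowing which subflows belong together) can be shown with a small option walker. This is an added example, not Argus code and not from the thread. It assumes raw TCP header bytes as input and uses a constructed SYN segment carrying MP_CAPABLE; the option layout follows RFC 6824 (kind 30, length, then a 4-bit subtype in the first data byte), and the sender key in the sample is made up.

```python
import struct

# MPTCP option kind (RFC 6824). The upper nibble of the first byte after
# kind/length is the subtype that tells MP_CAPABLE, MP_JOIN, DSS, ... apart.
MPTCP_OPTION_KIND = 30
MPTCP_SUBTYPES = {
    0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
    4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE",
}


def parse_tcp_options(tcp_header: bytes):
    """Walk the option list of a raw TCP header.

    Returns a list of (kind, data) tuples. Kind 0 (EOL) ends the list,
    kind 1 (NOP) is a single byte, everything else is kind/length/data.
    Malformed lists raise ValueError instead of being skipped: a bogus
    data offset or option length is itself worth flagging in a monitor.
    """
    if len(tcp_header) < 20:
        raise ValueError("short TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset %d" % data_offset)
    opts = tcp_header[20:data_offset]
    out = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d truncated" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def mptcp_subtypes(tcp_header: bytes):
    """Names of the MPTCP subtypes carried in this segment (empty if none)."""
    names = []
    for kind, data in parse_tcp_options(tcp_header):
        if kind == MPTCP_OPTION_KIND and data:
            sub = data[0] >> 4
            names.append(MPTCP_SUBTYPES.get(sub, "UNKNOWN_%d" % sub))
    return names


def build_sample_syn() -> bytes:
    """Constructed sample (not captured traffic): a SYN with MSS, two NOPs,
    SACK-permitted and a 12-byte v0 MP_CAPABLE option holding a sender key."""
    options = (
        b"\x02\x04\x05\xb4"                   # MSS 1460
        b"\x01\x01"                           # NOP, NOP
        b"\x04\x02"                           # SACK permitted
        b"\x1e\x0c\x00\x81"                   # kind 30, len 12, subtype 0 / ver 0, flags A|H
        b"\x01\x23\x45\x67\x89\xab\xcd\xef"   # sender key (made up for the example)
    )
    assert len(options) % 4 == 0
    data_offset_words = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH",
                        51234, 443,                    # source / destination port
                        0x11223344, 0,                 # seq, ack
                        data_offset_words << 4, 0x02,  # data offset, SYN flag
                        65535, 0, 0)                   # window, checksum, urgent ptr
    return fixed + options


if __name__ == "__main__":
    print(mptcp_subtypes(build_sample_syn()))   # ['MP_CAPABLE']
```

Run over every segment of a flow, this tells you a connection negotiated MPTCP and which option subtypes it exchanged; it says nothing about which other TCP connections are its subflows, which is the gap Carter points at.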


