regarding ipv6
James Grace
jgrac002 at fiu.edu
Fri May 23 10:16:31 EDT 2014
Thanks a bunch, Carter. Does Argus store, or have the capability to store, the
full 128-bit record of an IPv6 address? I'd like to be able to use ralabel
to assign ASNs to v6 records, but it's having difficulty with the truncated
addresses.
Thanks much for all the help!
-james
On Wed, May 21, 2014 at 6:06 PM, Carter Bullard <carter at qosient.com> wrote:
> Oh, and if you supply an ipv6 address in a filter,
> you’ll find that we realize we’re working with ipv6
> and do the right thing.
>
> So first, this example passes an ipv6 address.
> We’ll grab the flow DSR (dsr[1]) and grab the second
> byte in the header and try to find out if it’s ipv6
> (0x02). Then we build a big ole 128 bit ipv6 address
> to match.
>
> thoth:~ carter$ ra -b - src host 1::16
> (000) ldb dsr[1][2]
> (001) and #31
> (002) jeq #0x2 jt 3 jf 11
> (003) ld dsr[1][16]
> (004) jeq #0x16000000 jt 5 jf 15
> (005) ld dsr[1][12]
> (006) jeq #0x0 jt 7 jf 15
> (007) ld dsr[1][8]
> (008) jeq #0x0 jt 9 jf 15
> (009) ld dsr[1][4]
> (010) jeq #0x100 jt 14 jf 15
> (011) jeq #0x4 jt 12 jf 15
> (012) ld dsr[1][12]
> (013) jeq #0x100 jt 14 jf 15
> (014) ret #150
> (015) ret #0
>
>
> Here 0x01 is the bit indicator for ipv4, and we load
> up the address. In this case we’re looking for the
> address in arp and in standard ip flows.
>
> thoth:~ carter$ ra -b - src host 1.2.3.4
> (000) ldb dsr[1][2]
> (001) and #31
> (002) jeq #0x1 jt 3 jf 5
> (003) ld dsr[1][4]
> (004) jeq #0x1020304 jt 8 jf 9
> (005) jeq #0x4 jt 6 jf 9
> (006) ld dsr[1][12]
> (007) jeq #0x1020304 jt 8 jf 9
> (008) ret #150
> (009) ret #0
>
> On May 21, 2014, at 5:58 PM, Carter Bullard <carter at qosient.com> wrote:
>
> > Hey James,
> > We don’t make a big distinction between ipv4 and ipv6.
> > You can always filter on ipv6 by using the filter "ipv6".
> >
> > ra -S localhost - ipv6
> >
> > Aggregation works well, longest prefix match works and CIDR
> > works, but they are literal operators, so if you do saddr/64
> > on an IPv6 address, it should do the right thing, not sure
> > it would be what you wanted …
> >
> > There is a distinction between 'icmp' and 'icmp-v6' as filters,
> > so a filter like "icmp and ipv6" would return nada, as there
> > won’t be any matches.
> >
> > Carter
> >
> > On May 21, 2014, at 3:25 PM, James Grace <jgrac002 at fiu.edu> wrote:
> >
> >> Hi,
> >>
> >> I have argus purring along smoothly and was wondering if there were
> >> filters built in or methods others are using to report on ipv6 traffic
> >> solely. I don't see anything in the man pages and the gmane search function
> >> is busted so I'm unable to look around on the list archives.
> >>
> >> Cheers,
> >> -james
> >
>
>
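To make the word-by-word matching in Carter's `ra -b -` listings concrete, here is an added example (mine, not code from the argus project or from anyone on this list): a small interpreter for the five opcodes that appear in the listings, run over a constructed flow DSR for a given source address. The DSR layout it assumes (family code in the low five bits of byte 2, the source address starting at offset 4, ipv4 stored as a host-order uint32, ipv6 stored as its 16 raw bytes, and `ld` being a little-endian 32-bit load) is inferred from the constants in the listings, not taken from the argus source, so check it against argus before relying on it.

```python
import re
import struct
import ipaddress

# The two filter programs are copied from the `ra -b -` listings quoted above
# (quote markers removed).
IPV6_PROGRAM = """
(000) ldb dsr[1][2]
(001) and #31
(002) jeq #0x2 jt 3 jf 11
(003) ld dsr[1][16]
(004) jeq #0x16000000 jt 5 jf 15
(005) ld dsr[1][12]
(006) jeq #0x0 jt 7 jf 15
(007) ld dsr[1][8]
(008) jeq #0x0 jt 9 jf 15
(009) ld dsr[1][4]
(010) jeq #0x100 jt 14 jf 15
(011) jeq #0x4 jt 12 jf 15
(012) ld dsr[1][12]
(013) jeq #0x100 jt 14 jf 15
(014) ret #150
(015) ret #0
"""

IPV4_PROGRAM = """
(000) ldb dsr[1][2]
(001) and #31
(002) jeq #0x1 jt 3 jf 5
(003) ld dsr[1][4]
(004) jeq #0x1020304 jt 8 jf 9
(005) jeq #0x4 jt 6 jf 9
(006) ld dsr[1][12]
(007) jeq #0x1020304 jt 8 jf 9
(008) ret #150
(009) ret #0
"""

_REF = re.compile(r"dsr\[(\d+)\]\[(\d+)\]")


def parse_program(text):
    """Turn a listing into [(opcode, args)]; each (nnn) label must equal its index,
    since the jt/jf targets are absolute instruction numbers."""
    prog = []
    for line in text.strip().splitlines():
        label, op, *args = line.split()
        assert int(label.strip("()")) == len(prog), line
        prog.append((op, args))
    return prog


def _imm(tok):
    return int(tok.lstrip("#"), 0)


def run(prog, dsrs):
    """Interpret ldb/ld/and/jeq/ret over a dict {dsr index: bytes}.
    Returns the ret value (150 = record passes the filter, 0 = dropped).
    ASSUMPTION (mine, not from the list): `ld` is a 32-bit host-order load,
    little-endian here as on the x86 box in the thread."""
    acc, pc = 0, 0
    while True:
        op, args = prog[pc]
        if op in ("ldb", "ld"):
            idx, off = (int(g) for g in _REF.match(args[0]).groups())
            buf = dsrs[idx]
            acc = buf[off] if op == "ldb" else struct.unpack_from("<I", buf, off)[0]
            pc += 1
        elif op == "and":
            acc &= _imm(args[0])
            pc += 1
        elif op == "jeq":
            pc = int(args[2]) if acc == _imm(args[0]) else int(args[4])
        elif op == "ret":
            return _imm(args[0])
        else:
            raise ValueError("unknown opcode %r" % op)


def flow_dsr(src):
    """Constructed flow DSR (dsr[1]) holding one source address.
    ASSUMPTIONS inferred from the listings' constants, not from argus source:
    the low 5 bits of byte 2 hold the family code (0x1 ipv4, 0x2 ipv6), the
    source address starts at offset 4, ipv4 is a host-order uint32 (so 1.2.3.4
    reads back as 0x1020304) and ipv6 is its 16 raw bytes (so 1::16 reads back
    as 0x100, 0, 0, 0x16000000 at offsets 4, 8, 12, 16)."""
    addr = ipaddress.ip_address(src)
    buf = bytearray(32)
    if addr.version == 4:
        buf[2] = 0x01
        struct.pack_into("<I", buf, 4, int(addr))
    else:
        buf[2] = 0x02
        buf[4:20] = addr.packed
    return bytes(buf)


def matches(listing, src):
    """Run one listing against a flow DSR built for `src`; 150 means it passed."""
    return run(parse_program(listing), {1: flow_dsr(src)})


if __name__ == "__main__":
    for listing, name in ((IPV6_PROGRAM, "src host 1::16"), (IPV4_PROGRAM, "src host 1.2.3.4")):
        for src in ("1::16", "1::17", "1.2.3.4"):
            print("%-18s %-8s -> %d" % (name, src, matches(listing, src)))
```

Running it shows why all four 32-bit words have to be present and exact for a v6 match: `1::16` passes the first listing with 150, while `1::17` (differs only in the last word) and `1.2.3.4` (family code 0x1, so the program falls through to the `jeq #0x4` check and then to `ret #0`) are dropped.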