Displaying / filtering IPv6 ICMP types and codes
Ken Welker
kwelker at vt.edu
Mon Aug 3 11:42:01 EDT 2015
Hi! I'm using argus to explore options for analyzing IPv6 flows, and am
having trouble figuring out how to display all ipv6-icmp Types and
Codes. The default display shows the Type in the Sport field, and a
text summary code in the State field. Perhaps the Code is included in
the Dport field, but it always seems to be 0.
Simple example:
ra -c, -r argus_file.gz - proto ipv6-icmp
gives the following
StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
22:59:02.021047, e ,ipv6-icmp,2001:db8::1111,128,<->,2001:db8::5555,0,3,354,ECO
...
While the State field summarizes many of the type/code combinations, it
doesn't cover them all, especially rare or undefined combinations. IPv6
use is increasing, and since ICMPv6 plays such a central role, it's
likely that anomalous ICMPv6 traffic will increase as well.
Is it possible to display and/or filter on all numeric ICMPv6 Types and
Codes? If not, may this be added?
Thank you!
-Ken
--
Ken Welker
kwelker at vt.edu
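As an added illustration of the question above, and not code from the argus project or from the post's author: a Python script that takes the numeric route the post asks for. It reads `ra -c,` output treating Sport as the ICMPv6 type and Dport as the code (the post's own reading of the fields, assumed here rather than documented argus behaviour), classifies each type/code pair against the RFC 4443 and RFC 4861 assignments so that undefined codes and unassigned or experimental types stand out regardless of what the State column says, and, for the case where only packets are available, walks a raw IPv6 packet past any extension headers to the ICMPv6 header and verifies its checksum. The sample `ra` rows (beyond the one from the post) and the packet are constructed for the example.

```python
import csv
import io
import struct
from ipaddress import ip_address

# Subset of ICMPv6 type assignments (RFC 4443, RFC 4861); the IANA registry has the rest.
ICMPV6_TYPES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect",
}
# Codes defined per type (RFC 4443). Types absent from this table define only code 0.
ICMPV6_CODES = {
    1: {0: "no route", 1: "administratively prohibited", 2: "beyond scope of source",
        3: "address unreachable", 4: "port unreachable",
        5: "source address failed policy", 6: "reject route"},
    3: {0: "hop limit exceeded", 1: "fragment reassembly time exceeded"},
    4: {0: "erroneous header field", 1: "unrecognized Next Header",
        2: "unrecognized IPv6 option"},
}
PRIVATE_EXPERIMENTATION_TYPES = {100, 101, 200, 201}   # RFC 4443 section 2.1
ICMPV6 = 58
EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options: (HdrExtLen + 1) * 8 bytes
FRAGMENT = 44


def classify(typ: int, code: int):
    """Map a numeric type/code pair to (status, type name, code name)."""
    if typ in PRIVATE_EXPERIMENTATION_TYPES:
        return ("experimental", "Private experimentation", None)
    if typ not in ICMPV6_TYPES:
        return ("unassigned-type", None, None)
    codes = ICMPV6_CODES.get(typ, {0: None})
    if code not in codes:
        return ("undefined-code", ICMPV6_TYPES[typ], None)
    return ("known", ICMPV6_TYPES[typ], codes[code])


# Constructed sample of `ra -c,` output; first data row is the one from the post.
# State is left empty on the constructed rows rather than guessing argus's labels.
RA_SAMPLE = """\
StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
22:59:02.021047, e ,ipv6-icmp,2001:db8::1111,128,<->,2001:db8::5555,0,3,354,ECO
22:59:03.500000, e ,ipv6-icmp,2001:db8::1111,1,->,2001:db8::5555,9,1,118,
22:59:04.000000, e ,ipv6-icmp,2001:db8::1111,170,->,2001:db8::5555,0,1,118,
"""


def parse_ra_csv(text: str):
    """Parse ra CSV rows, assuming Sport carries the ICMPv6 type and Dport the code."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        typ, code = int(row["Sport"]), int(row["Dport"])
        rows.append({"src": row["SrcAddr"], "dst": row["DstAddr"], "type": typ,
                     "code": code, "state": row["State"], "class": classify(typ, code)})
    return rows


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, upper-layer length, next header 58) + message."""
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), ICMPV6)
    return (~ones_complement_sum(pseudo + icmp)) & 0xFFFF


def decode_icmpv6(pkt: bytes):
    """Walk a raw IPv6 packet to its ICMPv6 header; return (type, code, checksum_ok) or None
    when there is none (not IPv6, other protocol, truncated, or a non-first fragment)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    src, dst = pkt[8:24], pkt[24:40]
    off, end = 40, 40 + payload_len
    if end > len(pkt):
        return None
    while nh != ICMPV6:
        if nh in EXT_HEADERS and off + 2 <= end:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT and off + 8 <= end:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:   # later fragment: no ICMPv6 header
                return None
            nh, off = pkt[off], off + 8
        else:
            return None
    if off + 4 > end:
        return None
    icmp = pkt[off:end]
    typ, code, _csum = struct.unpack("!BBH", icmp[:4])
    # Summing the message with its checksum field in place folds to zero when the checksum is valid.
    return typ, code, icmpv6_checksum(src, dst, icmp) == 0


def build_echo_request(src: str, dst: str, ident=0x1234, seq=1, payload=b"argus", hop_by_hop=False) -> bytes:
    """Construct a sample IPv6 Echo Request (test input built here, not a capture)."""
    src_b, dst_b = ip_address(src).packed, ip_address(dst).packed
    icmp = bytearray(struct.pack("!BBHHH", 128, 0, 0, ident, seq) + payload)
    icmp[2:4] = struct.pack("!H", icmpv6_checksum(src_b, dst_b, bytes(icmp)))
    # Optional Hop-by-Hop header: next header 58, HdrExtLen 0 (8 bytes), PadN option filling 6 bytes.
    ext = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) if hop_by_hop else b""
    nh = 0 if hop_by_hop else ICMPV6
    ipv6 = struct.pack("!IHBB", 0x60000000, len(ext) + len(icmp), nh, 64) + src_b + dst_b
    return ipv6 + ext + bytes(icmp)


if __name__ == "__main__":
    for r in parse_ra_csv(RA_SAMPLE):
        print(r["src"], "->", r["dst"], "type", r["type"], "code", r["code"], r["class"])
    print(decode_icmpv6(build_echo_request("2001:db8::1111", "2001:db8::5555", hop_by_hop=True)))
```

The classification deliberately keys on the numbers, not on a text summary: the second constructed row (type 1, code 9) and the third (type 170) are exactly the rare or undefined combinations the post worries about, and both surface as anomalies even with an empty State column. The packet decoder returns None rather than a guessed type for non-first fragments and truncated packets, since reading a type/code from the wrong offset is worse than reporting nothing.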