Displaying / filtering IPv6 ICMP types and codes

Carter Bullard carter at qosient.com
Mon Aug 3 11:59:08 EDT 2015


Hey Ken,
Argus has been doing the V6 thing for an amazingly long time, the first implementations being done before some of the ICMP messages were created.  We haven’t put a lot of effort into V6 because there has not been that much dialog around it, so the implementation is not complete.

OK, with that said, the type and code fields are in the flow record, but there may be some gaps in how those are aggregated, processed and printed.  Which we can and will fix.

So, can you give me some specifics on what is needed ??  Do you have any records where you know what they should print, and how you would want them printed ???  Can you share the argus file of those records ??  That way we can have something concrete to talk about ….

Sorry for any inconvenience,

Carter

> On Aug 3, 2015, at 11:42 AM, Ken Welker <kwelker at vt.edu> wrote:
> 
> Hi!  I'm using argus to explore options for analyzing IPv6 flows, and am having trouble figuring out how to display all ipv6-icmp Types and Codes.  The default display shows the Type in the Sport field, and a text summary code in the State field.  Perhaps the Code is included in the Dport field, but it always seems to be 0.
> 
> Simple example:
> ra -c, -r argus_file.gz - proto ipv6-icmp
> 
> gives the following
> 
> StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
> 22:59:02.021047, e ,ipv6-icmp,2001:db8::1111,128,<->,2001:db8::5555,0,3,354,ECO
> ...
> 
> While the State field summarizes many of the type/code combinations, it doesn't cover them all, especially rare or undefined combinations.  IPv6 use is increasing, and since ICMPv6 plays such a central role, it's likely that anomalous ICMPv6 traffic will increase as well.
> 
> Is it possible to display and/or filter on all numeric ICMPv6 Types and Codes?  If not, may this be added?
> 
> Thank you!
> 
> -Ken
> 
> -- 
> Ken Welker
> kwelker at vt.edu
> 
> 
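
An added example, not part of the original thread or of argus: a Python post-processor over the CSV layout shown in Ken's sample output, which reads the numeric ICMPv6 type from the Sport column as he describes, filters on it, and lists rows whose type is not in a small table of assigned types. The function names, the type table and every sample row after the first are constructed here; the Code is not extracted because the post reports Dport as always 0.

```python
import csv
import io
from collections import Counter

# Assigned ICMPv6 types (a subset of the IANA registry) used to label rows.
ICMP6_TYPES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    130: "MLD Query", 131: "MLD Report", 132: "MLD Done",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
    137: "Redirect", 143: "MLDv2 Report",
}

# Constructed sample in the column layout from the post. Only the first data
# row is from the post; the others, including their State values, are made up.
SAMPLE = """\
StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
22:59:02.021047, e ,ipv6-icmp,2001:db8::1111,128,<->,2001:db8::5555,0,3,354,ECO
22:59:03.100000, e ,ipv6-icmp,2001:db8::2222,135,->,2001:db8::5555,0,1,86,XXX
22:59:04.200000, e ,ipv6-icmp,2001:db8::3333,200,->,2001:db8::5555,0,2,140,XXX
22:59:05.300000, e ,tcp,2001:db8::1111,51000,->,2001:db8::5555,443,10,4000,XXX
22:59:06.400000, e ,ipv6-icmp,2001:db8::3333,,->,2001:db8::5555,0,1,70,XXX
"""

def icmp6_rows(text, proto="ipv6-icmp"):
    """Yield (icmp_type or None, row) for each ICMPv6 row of the CSV text."""
    for row in csv.DictReader(io.StringIO(text)):
        if (row.get("Proto") or "").strip() != proto:
            continue
        sport = (row.get("Sport") or "").strip()
        # An empty or non-numeric Sport is kept as None so it is not lost.
        yield (int(sport) if sport.isdigit() else None), row

def summarize(text):
    """Return (per-type counts, rows whose type is missing or unassigned)."""
    counts, unknown = Counter(), []
    for icmp_type, row in icmp6_rows(text):
        counts[icmp_type] += 1
        if icmp_type not in ICMP6_TYPES:
            unknown.append((row["StartTime"], row["SrcAddr"].strip(), icmp_type))
    return counts, unknown

def filter_type(text, wanted):
    """Return the ICMPv6 rows whose numeric type equals `wanted`."""
    return [row for icmp_type, row in icmp6_rows(text) if icmp_type == wanted]

if __name__ == "__main__":
    counts, unknown = summarize(SAMPLE)
    for icmp_type, n in counts.items():
        print(icmp_type, ICMP6_TYPES.get(icmp_type, "unassigned/missing"), n)
    print("review:", unknown)
```
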
