Displaying / filtering IPv6 ICMP types and codes

Ken Welker kwelker at vt.edu
Mon Aug 3 13:25:43 EDT 2015 

Hi Carter,

Thanks for your quick reply.

For displaying, the numeric Type/Code could be listed the same as in 
IPv4 (in the Sport field; Dport in IPv4 is the ICMP sequence number, 
right?).  Even better, perhaps add something like 'icmp-type' and 
'icmp-code' to the list of fields that can be printed with the '-s' 
option. (This might be useful in IPv4 as well.)

To update the simple example,

ra -c, -r argus_file.gz -s stime flgs proto saddr daddr icmp-type icmp-code pkts bytes - proto ipv6-icmp

could give the following

StartTime,Flgs,Proto,SrcAddr,Dir,DstAddr,IcmpType,IcmpCode,TotPkts,TotBytes
22:59:02.021047, e ,ipv6-icmp,2001:db8::1111,<->,2001:db8::5555,128,0,3,354
...



For filter, I'd like to be able to use a filter like " - ipv6-icmp and 
icmp-type 128", as well as  " - ipv6-icmp and icmp-type 128 and ! 
icmp-code 0", where it should be allowed to specify any numeric value in 
the legal range, regardless of whether it's defined.  (Of course, icmp 
type 128 (echo-request) only has code 0 defined, so all other codes 
would be anomalous and potentially suspicious.)  These filter options 
may be useful for IPv4 too.

Adding the ability to alternately specify filter values as text, perhaps 
like " - ipv6-icmp and icmp-type destination-unreachable and icmp-code 
port-unreachable" may improve readability, but the numeric values would 
be the more flexible method.

I'll work to get some anonymized flows sent to you directly.

-Ken

Ken Welker
kwelker at vt.edu
540-231-0635

On 8/3/2015 11:59 AM, Carter Bullard wrote:
> Hey Ken,
> Argus has been doing the V6 thing for an amazingly long time, the first implementations being done before some of the ICMP messages were created.  We haven’t put a lot of effort into V6 because there has not been that much dialog around it, so the implementation is not complete.
>
> OK, with that said, the type and code fields are in the flow record, but there maybe some gaps in how those are aggregated, processed and printed.  Which we can and will fix.
>
> So, can you give me some specifics on what is needed ??  Do you have any records where you know what they should print, and how you would want them printed ???  Can you share the argus file of those records ??  That way we can have something concrete to talk about ….
>
> Sorry for any inconvenience,
>
> Carter
>
>> On Aug 3, 2015, at 11:42 AM, Ken Welker <kwelker at vt.edu> wrote:
>>
>> Hi!  I'm using argus to explore options for analyzing IPv6 flows, and am having trouble figuring out how to display all ipv6-icmp Types and Codes.  The default display shows the Type in the Sport field, and a text summary code in the State field.  Perhaps the Code is included in the Dport field, but it always seems to be 0.
>>
>> Simple example:
>> ra -c, -r argus_file.gz - proto ipv6-icmp
>>
>> gives the following
>>
>> StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
>> 22:59:02.021047, e ,ipv6-icmp,2001:db8::1111,128,<->,2001:db8::5555,0,3,354,ECO
>> ...
>>
>> While the State field summarizes many of the type/code combinations, it doesn't cover them all, especially rare or undefined combinations.  IPv6 use is increasing, and since ICMPv6 plays such a central role, it's likely that anomalous ICMPv6 traffic will increase as well.
>>
>> Is it possible to display and/or filter on all numeric ICMPv6 Types and Codes?  If not, may this be added?
>>
>> Thank you!
>>
>> -Ken
>>
>> -- 
>> Ken Welker
>> kwelker at vt.edu
>>
>>

More information about the argus mailing list