Displaying / filtering IPv6 ICMP types and codes

Carter Bullard carter at qosient.com
Mon Aug 3 14:19:50 EDT 2015


Hey Ken,
The list of v4 ICMP keywords we use in the filters today, such as unreach, are basically from the list of types from IANA.  Are the ICMPv6 types fundamentally different ???  Someone will need to become the IPv6 ICMP expert if we intend to do a good job at this.  Are you willing ???
Carter



> On Aug 3, 2015, at 1:25 PM, Ken Welker <kwelker at vt.edu> wrote:
> 
> Hi Carter,
> 
> Thanks for your quick reply.
> 
> For displaying, the numeric Type/Code could be listed the same as in IPv4 (in the Sport field; Dport in IPv4 is the ICMP sequence number, right?).  Even better, perhaps add something like 'icmp-type' and 'icmp-code' to the list of fields that can be printed with the '-s' option. (This might be useful in IPv4 as well.)
> 
> To update the simple example,
> 
> ra -c, -r argus_file.gz -s stime flgs proto saddr daddr icmp-type icmp-code pkts bytes - proto ipv6-icmp
> 
> could give the following
> 
> StartTime,Flgs,Proto,SrcAddr,Dir,DstAddr,IcmpType,IcmpCode,TotPkts,TotBytes
> 22:59:02.021047, e ,ipv6-icmp,2001:db8::1111,<->,2001:db8::5555,128,0,3,354
> ...
> 
> 
> 
> For filter, I'd like to be able to use a filter like " - ipv6-icmp and icmp-type 128", as well as  " - ipv6-icmp and icmp-type 128 and ! icmp-code 0", where it should be allowed to specify any numeric value in the legal range, regardless of whether it's defined.  (Of course, icmp type 128 (echo-request) only has code 0 defined, so all other codes would be anomalous and potentially suspicious.)  These filter options may be useful for IPv4 too.
> 
> Adding the ability to alternately specify filter values as text, perhaps like " - ipv6-icmp and icmp-type destination-unreachable and icmp-code port-unreachable" may improve readability, but the numeric values would be the more flexible method.
> 
> I'll work to get some anonymized flows sent to you directly.
> 
> -Ken
> 
> Ken Welker
> kwelker at vt.edu
> 540-231-0635
> 
>> On 8/3/2015 11:59 AM, Carter Bullard wrote:
>> Hey Ken,
>> Argus has been doing the V6 thing for an amazingly long time, the first implementations being done before some of the ICMP messages were created.  We haven’t put a lot of effort into V6 because there has not been that much dialog around it, so the implementation is not complete.
>> 
>> OK, with that said, the type and code fields are in the flow record, but there may be some gaps in how those are aggregated, processed and printed.  Which we can and will fix.
>> 
>> So, can you give me some specifics on what is needed ??  Do you have any records where you know what they should print, and how you would want them printed ???  Can you share the argus file of those records ??  That way we can have something concrete to talk about ….
>> 
>> Sorry for any inconvenience,
>> 
>> Carter
>> 
>>> On Aug 3, 2015, at 11:42 AM, Ken Welker <kwelker at vt.edu> wrote:
>>> 
>>> Hi!  I'm using argus to explore options for analyzing IPv6 flows, and am having trouble figuring out how to display all ipv6-icmp Types and Codes.  The default display shows the Type in the Sport field, and a text summary code in the State field.  Perhaps the Code is included in the Dport field, but it always seems to be 0.
>>> 
>>> Simple example:
>>> ra -c, -r argus_file.gz - proto ipv6-icmp
>>> 
>>> gives the following
>>> 
>>> StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
>>> 22:59:02.021047, e ,ipv6-icmp,2001:db8::1111,128,<->,2001:db8::5555,0,3,354,ECO
>>> ...
>>> 
>>> While the State field summarizes many of the type/code combinations, it doesn't cover them all, especially rare or undefined combinations.  IPv6 use is increasing, and since ICMPv6 plays such a central role, it's likely that anomalous ICMPv6 traffic will increase as well.
>>> 
>>> Is it possible to display and/or filter on all numeric ICMPv6 Types and Codes?  If not, may this be added?
>>> 
>>> Thank you!
>>> 
>>> -Ken
>>> 
>>> -- 
>>> Ken Welker
>>> kwelker at vt.edu
> 
> 
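An added example of the check Ken sketches in the thread (not argus code and not from any of the posters): given `ra -c,` CSV output in the proposed `icmp-type`/`icmp-code` layout, flag ICMPv6 type/code pairs the specs do not define, such as an echo-request with a nonzero code. The column names, the sample rows and the partial type/code table are assumptions constructed for the example.

```python
import csv
import io

# Defined ICMPv6 type -> allowed codes, from RFC 4443 (error and echo
# messages) and RFC 4861 (Neighbor Discovery).  Deliberately partial:
# extend it from the IANA ICMPv6 registry for the types your network carries.
DEFINED_CODES = {
    1: set(range(7)),     # Destination Unreachable, codes 0-6
    2: {0},               # Packet Too Big
    3: {0, 1},            # Time Exceeded
    4: {0, 1, 2},         # Parameter Problem
    128: {0},             # Echo Request
    129: {0},             # Echo Reply
    133: {0}, 134: {0}, 135: {0}, 136: {0}, 137: {0},  # RS, RA, NS, NA, Redirect
}

def classify(icmp_type, icmp_code):
    """Return 'defined', 'undefined-code', 'unknown-type' or 'out-of-range'."""
    if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
        return "out-of-range"       # cannot come from an 8-bit header field
    if icmp_type not in DEFINED_CODES:
        return "unknown-type"       # reserved, unassigned, or not in the table
    if icmp_code not in DEFINED_CODES[icmp_type]:
        return "undefined-code"     # e.g. echo-request (128) with code != 0
    return "defined"

def find_anomalies(csv_text):
    """Scan 'ra -c,' CSV text (IcmpType/IcmpCode columns assumed) and return
    (saddr, daddr, type, code, verdict) for each undefined ipv6-icmp pair."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Proto"].strip() != "ipv6-icmp":
            continue                # non-ICMPv6 rows carry empty type/code
        t, c = int(row["IcmpType"]), int(row["IcmpCode"])
        verdict = classify(t, c)
        if verdict != "defined":
            hits.append((row["SrcAddr"], row["DstAddr"], t, c, verdict))
    return hits

# Constructed sample in the column layout proposed in the thread; the
# addresses are documentation prefixes, not real capture data.
SAMPLE = """StartTime,Flgs,Proto,SrcAddr,Dir,DstAddr,IcmpType,IcmpCode,TotPkts,TotBytes
22:59:02.021047, e ,ipv6-icmp,2001:db8::1111,<->,2001:db8::5555,128,0,3,354
22:59:03.104211, e ,ipv6-icmp,2001:db8::1111,->,2001:db8::5555,128,7,1,118
22:59:04.557302, e ,ipv6-icmp,2001:db8::5555,->,2001:db8::1111,1,4,2,236
22:59:05.001900, e ,ipv6-icmp,2001:db8::9999,->,2001:db8::5555,200,0,5,590
22:59:06.330011, e ,tcp,2001:db8::1111,->,2001:db8::5555,,,10,1200
"""
```

Run `find_anomalies(SAMPLE)` to get the two flagged records (type 128 code 7, and unassigned type 200); the type 1 code 4 row (port unreachable) passes as defined.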