Displaying / filtering IPv6 ICMP types and codes

Ken Welker kwelker at vt.edu
Tue Aug 4 09:09:46 EDT 2015 

Hey Carter,

ICMPv6 has some of the same names for types and codes, plus lots of new 
ones, and the numeric values are different; overall, I'd say things are 
fairly different.

I'd be happy to help out with this how I can, as time is available.

-Ken

Ken Welker
kwelker at vt.edu

On 8/3/2015 2:19 PM, Carter Bullard wrote:
> Hey Ken,
> The list of v4 ICMP keywords we use in the filters today, such as 
> unreach, are basically from the list of types from IANA.  Are the 
> ICMPv6 types fundamentally different ???  Someone will need to become 
> the IPv6 ICMP expert if we intend to do a good job at this.  Are you 
> willing ???
> Carter
>
>
> 	
> 	
>
>
> On Aug 3, 2015, at 1:25 PM, Ken Welker <kwelker at vt.edu 
> <mailto:kwelker at vt.edu>> wrote:
>
>> Hi Carter,
>>
>> Thanks for your quick reply.
>>
>> For displaying, the numeric Type/Code could be listed the same as in 
>> IPv4 (in the Sport field; Dport in IPv4 is the ICMP sequence number, 
>> right?).  Even better, perhaps add something like 'icmp-type' and 
>> 'icmp-code' to the list of fields that can be printed with the '-s' 
>> option. (This might be useful in IPv4 as well.)
>>
>> To update the simple example,
>>
>> ra -c, -r argus_file.gz -s stime flgs proto saddr daddr icmp-type 
>> icmp-code pkts bytes - proto ipv6-icmp
>>
>> could give the following
>>
>> StartTime,Flgs,Proto,SrcAddr,Dir,DstAddr,IcmpType,IcmpCode,TotPkts,TotBytes
>> 22:59:02.021047, e 
>> ,ipv6-icmp,2001:db8::1111,<->,2001:db8::5555,128,0,3,354
>> ...
>>
>>
>>
>> For filter, I'd like to be able to use a filter like " - ipv6-icmp 
>> and icmp-type 128", as well as  " - ipv6-icmp and icmp-type 128 and ! 
>> icmp-code 0", where it should be allowed to specify any numeric value 
>> in the legal range, regardless of whether it's defined.  (Of course, 
>> icmp type 128 (echo-request) only has code 0 defined, so all other 
>> codes would be anomalous and potentially suspicious.)  These filter 
>> options may be useful for IPv4 too.
>>
>> Adding the ability to alternately specify filter values as text, 
>> perhaps like " - ipv6-icmp and icmp-type destination-unreachable and 
>> icmp-code port-unreachable" may improve readability, but the numeric 
>> values would be the more flexible method.
>>
>> I'll work to get some anonymized flows sent to you directly.
>>
>> -Ken
>>
>> Ken Welker
>> kwelker at vt.edu <mailto:kwelker at vt.edu>
>> 540-231-0635
>>
>> On 8/3/2015 11:59 AM, Carter Bullard wrote:
>>> Hey Ken,
>>> Argus has been doing the V6 thing for an amazingly long time, the 
>>> first implementations being done before some of the ICMP messages 
>>> were created.  We haven’t put a lot of effort into V6 because there 
>>> has not been that much dialog around it, so the implementation is 
>>> not complete.
>>>
>>> OK, with that said, the type and code fields are in the flow record, 
>>> but there maybe some gaps in how those are aggregated, processed and 
>>> printed.  Which we can and will fix.
>>>
>>> So, can you give me some specifics on what is needed ??  Do you have 
>>> any records where you know what they should print, and how you would 
>>> want them printed ???  Can you share the argus file of those records 
>>> ??  That way we can have something concrete to talk about ….
>>>
>>> Sorry for any inconvenience,
>>>
>>> Carter
>>>
>>>> On Aug 3, 2015, at 11:42 AM, Ken Welker <kwelker at vt.edu 
>>>> <mailto:kwelker at vt.edu>> wrote:
>>>>
>>>> Hi!  I'm using argus to explore options for analyzing IPv6 flows, 
>>>> and am having trouble figuring out how to display all ipv6-icmp 
>>>> Types and Codes.  The default display shows the Type in the Sport 
>>>> field, and a text summary code in the State field.  Perhaps the 
>>>> Code is included in the Dport field, but it always seems to be 0.
>>>>
>>>> Simple example:
>>>> ra -c, -r argus_file.gz - proto ipv6-icmp
>>>>
>>>> gives the following
>>>>
>>>> StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
>>>> 22:59:02.021047, e 
>>>> ,ipv6-icmp,2001:db8::1111,128,<->,2001:db8::5555,0,3,354,ECO
>>>> ...
>>>>
>>>> While the State field summarizes many of the type/code 
>>>> combinations, it doesn't cover them all, especially rare or 
>>>> undefined combinations.  IPv6 use is increasing, and since ICMPv6 
>>>> plays such a central role, it's likely that anomalous ICMPv6 
>>>> traffic will increase as well.
>>>>
>>>> Is it possible to display and/or filter on all numeric ICMPv6 Types 
>>>> and Codes?  If not, may this be added?
>>>>
>>>> Thank you!
>>>>
>>>> -Ken
>>>>
>>>> -- 
>>>> Ken Welker
>>>> kwelker at vt.edu <mailto:kwelker at vt.edu>
>>>>
>>>>
>>
>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150804/892dd9bf/attachment.html>

More information about the argus mailing list