Help needed to interpret how flows are reported. Probably IPs are being swapped.

el draco eldraco at gmail.com
Thu Jun 4 14:25:54 EDT 2015 

Hi list.
I would want your opinion about an issue with argus flows. Sorry for
the long mail.

Analyzing the pcap file
https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-120-1/2015-04-22_capture-win4.pcap
I found some errors on how the flows are created.

The issue can be seen with the packets coming from IP 10.0.2.104
source port 49227 to IP 147.32.83.57 dst port 5552. In the file there
are two conversations with this combination of ips and ports, because
the IP 10.0.2.104 at some point  re-uses the source port 49227 to
start a new conversation. I'm attaching an image of how wireshark sees
these two conversations.

The problem appears when we analyze it with argus.
First, lest force argus to give us the correct answer. We should
execute it with a large ARGUS_FLOW_STATUS_INTERVAL, such as 999999.

Correct Example 1:
argus -S 999999 -r 2015-04-22_capture-win4.pcap -w - "host 10.0.2.104
and port 49227 and host 147.32.83.57 and port 5552"|ra -n -r - -Z b
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes
1970/01/01 02:00:17.462571,576654.812500,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,SRPA_SPA,0,0,12015,819080
1970/01/07 18:11:12.286232,1078.610596,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,FSPA_FSPA,0,0,2752,435776

This is consistent with what wireshark said. Even the packet count and
byte count. The only difference is in the duration of the first flow,
that is longer for argus and may be related with the problem I'm
discussing.

Now the strange part comes when we use another STATUS INTERVAL, such
as 99999 (I found it by using 3600):

Strange Example 2:
argus -S 99999 -r 2015-04-22_capture-win4.pcap -w - "host 10.0.2.104
and port 49227 and host 147.32.83.57 and port 5552"|ra -n -r - -Z b
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes
1970/01/01 02:00:17.462571,99992.859375,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,SPA_SPA,0,0,5110,428506
1970/01/02 05:47:05.320456,99218.054688,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,PA_PA,0,0,4851,268422
1970/01/03 09:44:35.110556,39320.703125,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_RPA,0,0,2054,122152              <- Strange
flow
1970/01/07 18:11:12.286232,1078.610596,tcp,10.0.2.104,49.227,
->,147.32.83.57,5552,FSPA_FSPA,0,0,2752,435776

The problem here is that one of the flows reported has the source IP
address and the destination IP address changed!. It seems that it is
one of the REPORTED flows in the middle of the conversation that was
printed because the STATUS INTERVAL expired. Note that the second
_real_ flow (starting at 18:11:12.286232) was printed correctly

Actually all the _reported_ flows in the middle have this error. For
example a STATUS INTERVAL of 59999 produces:

Strange Example 3:
argus -S 59999 -r 2015-04-22_capture-win4.pcap -w - "host 10.0.2.104
and port 49227 and host 147.32.83.57 and port 5552"|ra -n -r - -Z b
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes
1970/01/01 02:00:17.462571,59936.800781,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,SPA_SPA,0,0,3286,327578
1970/01/01 19:03:04.777008,58765.035156,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,2862,158364           <- Changed
1970/01/02 11:46:17.851689,59764.582031,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,2958,163676           <- Changed
1970/01/03 04:46:11.011105,57224.800781,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_RPA,0,0,2909,169462         <- Changed
1970/01/07 18:11:12.286232,1078.610596,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,FSPA_FSPA,0,0,2752,435776


Moreover, if we keep decreasing the STATUS INTERVAL, to 19999 for
example, we can see that the _firsts_ reported flows are correctly
printed, but then something happens and they start to be reported with
the IP swapped. Please see the difference between the second and third
flow in the following example.

Strange example 4:
argus -S 19999 -r 2015-04-22_capture-win4.pcap -w - "host 10.0.2.104
and port 49227 and host 147.32.83.57 and port 5552"|ra -n -r - -Z b
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes
1970/01/01 02:00:17.462571,19988.533203,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,SPA_SPA,0,0,1285,216856
1970/01/01 07:33:41.002302,19212.013672,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,PA_PA,0,0,948,52456               <- Last good
reported flow
1970/01/01 13:17:40.348905,19293.916016,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,1053,58266           <- First swapped
reported flow
1970/01/01 19:03:04.777008,19990.382812,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,1005,55610
1970/01/02 00:36:30.162685,19010.492188,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,900,49800
1970/01/02 06:17:08.524192,19989.390625,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,1008,55776
1970/01/02 11:50:32.922748,19977.240234,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,996,55112
1970/01/02 17:47:18.393173,19997.363281,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,1005,55610
1970/01/02 23:20:50.759786,19970.878906,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,999,55278
1970/01/03 05:17:30.232128,19984.367188,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,996,55112
1970/01/03 10:50:49.603860,19057.427734,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_PA,0,0,999,55278
1970/01/03 16:32:15.983657,14859.828125,tcp,147.32.83.57,5552,
<?>,10.0.2.104,49227,PA_RPA,0,0,821,53926
1970/01/07 18:11:12.286232,1078.610596,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,FSPA_FSPA,0,0,2752,435776

I confirm the error because there are NO starting connections from 147.32.83.57:
$ tcpdump -n -s0 -r 2015-04-22_capture-win4.pcap src host 147.32.83.57
and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) ==
0"
reading from file 2015-04-22_capture-win4.pcap, link-type EN10MB (Ethernet)
(no output)
And there are 386 connections started from 10.0.2.104:
$ tcpdump -n -s0 -r 2015-04-22_capture-win4.pcap src host 10.0.2.104
and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) ==
0" | wc -l
reading from file 2015-04-22_capture-win4.pcap, link-type EN10MB (Ethernet)
386



There is something even more strange. If we create a new pcap file
with only these packets, then the problem disappears.
1- tcpdump -n -s0 -r 2015-04-22_capture-win4.pcap host 10.0.2.104 and
port 49227 and host 147.32.83.57 and port 5552 -w
test-two-connections.pcap
2- argus -S 99999 -r test-two-connections.pcap -w - "host 10.0.2.104
and port 49227 and host 147.32.83.57 and port 5552"|ra -n -r - -Z b
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes
1970/01/01 02:00:17.462571,99992.859375,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,SPA_SPA,0,0,5110,428506
1970/01/02 05:47:05.320456,99218.054688,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,PA_PA,0,0,4851,268422
1970/01/03 09:44:35.110556,39320.703125,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,RPA_PA,0,0,2054,122152
1970/01/07 18:11:12.286232,1078.610596,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,FSPA_FSPA,0,0,2752,435776

It seems that the problem is in how the original pcap file was created
or a combination of packets and flows. I'm attaching this second pcap
file for you.


If I push the STATUS INTERVAL to be very small (0.0001), we can find
the first real swapped flow:
1970/01/01 02:10:45.954851,0.000000,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,PA_,0,0,1,56         <- Good flow
1970/01/01 02:10:45.954957,0.000000,tcp,10.0.2.104,49227,
->,147.32.83.57,5552,_A,0,0,1,54         <- Good flow
1970/01/01 02:14:24.224735,0.000000,tcp,147.32.83.57,5552,
?>,10.0.2.104,49227,PA_,0,,1,74         <- Swapped flow
1970/01/01 02:14:24.225052,0.000000,tcp,147.32.83.57,5552,
?>,10.0.2.104,49227,PA_,0,,1,72         <- Swapped flow
1970/01/01 02:14:24.225161,0.000000,tcp,147.32.83.57,5552,
<?,10.0.2.104,49227,_A,0,0,1,54         <- Swapped flow

it seems here like if argus is confused about the direction of the
flow. In the first swapped flow the direction is ?> and then even <?
or <?>.

Just for the sake of completeness, the first packet that is swapped in
the pcap file seems to be
4407 846.762164 147.32.83.57 5552 10.0.2.104 49227 TCP 74 5552→49227
[PSH, ACK] Seq=9928 Ack=10145 Win=65535 Len=20
Packet number 4407 in the pcap file, started 846.762164 seconds after
THAT TCP connection was created (I put the ref time in the first SYN
of that connection).


Do you have any idea what can be happening?
Thanks for your time
Sebas
pd) Argus Version 3.0.8.1
Ra Version 3.0.8


-- 
https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wireshark-conversations-2.png
Type: image/png
Size: 18667 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150604/7ba9fbac/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-two-connections.pcap
Type: application/vnd.tcpdump.pcap
Size: 1491152 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150604/7ba9fbac/attachment.pcap>

More information about the argus mailing list