Missing sport / dport for Argus 3.0.8

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Mon Apr 4 10:21:10 EDT 2016


Hey Kjell,
argus-3.0.8.1, which is the official version, has fixes for ICMP, but the more recent developers version has specific bug fixes for ICMPv6 that should be of interest to you.

http://qosient.com/argus/dev/argus-latest.tar.gz
http://qosient.com/argus/dev/argus-clients-latest.tar.gz

These versions have been really stable and you should consider them to be the current versions at this point.

The source port should represent the ICMP type value, and the destination port should represent the ICMP code value.  At least that is the intended behavior of the tools.

Carter

> On Apr 4, 2016, at 9:10 AM, Kjell Tore Fossbakk via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hello.
> 
> Im running Argus Version 3.0.8 (same with clients) with libpcap 1.5.3.
> Previously we ran Argus Version 3.0.6.1 with libpcap 1.1.1.
> 
> We use ra with DELIMITERS "," and a list of fields, such as sport and dport. If we have an ICMP with sport=0, or TCP/UDP with sport=0/dport=0 and run this through both these Argus versions we get the following behavior;
> 
> Using Argus 3.0.6.1 with libpcap 1.1.1 we get 0x0000 as sport for ICMP.
> Using Argus 3.0.6.1 with libpcap 1.1.1 we get 0 as sport / dport for TCP/UDP.
> For 3.0.6.1 we would seem to get sport 0 as icmp type=0, and sport 8 as icmp type=8.
> 
> Now, when we use the newest version;
> Using Argus 3.0.8 with libpcap 1.5.3 we get <empty data> as sport for ICMP where we got 0x0000 for 3.0.6.1
> Using Argus 3.0.8 with libpcap 1.5.3 we get <empty data> as sport/dport for TCP/UDP where we got sport/dport 0 for 3.0.6.1
> 
> By <empty data> we mean there is nothing between the delimiters in the output.
> 
> I've tried to read ChangeLogs, CHANGES etc in argus, argus-clients, libpcap. Also did a little "grepping" without much success.
> 
> So, something must have changed. Question is was the change in Argus or libpcap? Was it deliberate, or is this a bug?
> 
> Kjell Tore
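As an added illustration of the point Carter makes above (for ICMP records, the sport column carries the ICMP type and dport the ICMP code), here is a small consumer for comma-delimited ra output. It is not code from the thread or from the Argus project. It assumes ra was run with DELIMITERS "," and the fields proto, sport and dport; the sample lines are constructed to mimic the two output styles described in the thread (0x0000 or 0 from 3.0.6.1, an empty field from 3.0.8). The practitioner caveat it encodes is that an empty cell must be kept distinct from 0, since coercing it to 0 would silently hide exactly the change Kjell is asking about.

```python
import csv
from io import StringIO
from typing import Optional

# Constructed sample of `ra -s proto sport dport` output with DELIMITERS ",".
# Not captured from a real sensor. The empty cells mimic the 3.0.8 behaviour
# reported in the thread; the hex cell mimics the 3.0.6.1 output for ICMP.
SAMPLE_RA_CSV = """proto,sport,dport
icmp,8,0
icmp,0x0000,0
icmp,,
tcp,0,0
tcp,,
udp,53,
"""

# Well-known ICMP type values (RFC 792 / RFC 4443 assignments), for readability only.
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "dest-unreach", 8: "echo-request", 11: "time-exceeded"}


def parse_port_field(raw: str) -> Optional[int]:
    """Return the numeric value of an ra sport/dport cell, or None when the cell is empty.

    Empty is deliberately kept distinct from 0: the thread shows 3.0.8 emitting an
    empty cell where 3.0.6.1 emitted 0 or 0x0000, and a consumer that maps '' to 0
    would mask that difference.
    """
    raw = raw.strip()
    if raw == "":
        return None
    return int(raw, 0)  # base 0 accepts both decimal "8" and hex "0x0000"


def describe_flow(row: dict) -> dict:
    """Interpret one ra record. For ICMP, sport is the type and dport the code."""
    proto = row["proto"].strip().lower()
    sport = parse_port_field(row["sport"])
    dport = parse_port_field(row["dport"])

    if proto == "icmp":
        if sport is None or dport is None:
            return {"proto": proto, "icmp_type": None, "icmp_code": None,
                    "note": "type/code not reported (empty field)"}
        return {"proto": proto, "icmp_type": sport, "icmp_code": dport,
                "name": ICMP_TYPE_NAMES.get(sport, "other"), "note": None}

    note = None if (sport is not None and dport is not None) else "port not reported"
    return {"proto": proto, "sport": sport, "dport": dport, "note": note}


def parse_ra_csv(text: str) -> list:
    """Parse comma-delimited ra output (with header line) into interpreted records."""
    reader = csv.DictReader(StringIO(text))
    return [describe_flow(row) for row in reader]


if __name__ == "__main__":
    for rec in parse_ra_csv(SAMPLE_RA_CSV):
        print(rec)
```

Records whose sport/dport cells are empty come back flagged rather than zero-filled, so a downstream pipeline can tell "echo reply (type 0)" apart from "type not reported" after an Argus upgrade.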
