Missing sport / dport for Argus 3.0.8

Kjell Tore Fossbakk via Argus-info argus-info at lists.andrew.cmu.edu
Mon Apr 4 15:57:37 EDT 2016


Hello Carter.

Thank you for a quick response.

The bug we experience are for IPv4 flows.

To specify our observations. The Argus running 3.0.8 does not produce _any_
CSV flows with sport equal to 0x0000 (for ICMP) or 0 (for TCP/UDP). They
are all empty. The problem we are experiencing seems to be very stable and
deterministic. At the moment we are "fixing" the problem by forcing 0x0000
if ICMP or 0 if TCP/UDP if the length of sport or dport is less than one.
However, we dont like running Argus like this when it should behave
differently.

We will bring another sensor online on the same TAP with 3.0.8.1 of both
Argus and the Argus-clients, and correlate our findings with both the
3.0.6.1 and 3.0.8.

Do you recon this has anything to do with libpcap (reporting differently,
and Argus wrong answers which could lead to empty fields), or would it be
reasonable to seek the truth inside Argus only?

I will report back when we have anything to share.

.Kjell Tore





On Mon, Apr 4, 2016 at 4:21 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Kjell,
> argus-3.0.8.1, which is the official version, has fixes for ICMP, but the
> more recent developers version has specific bug fixes for ICMPv6 that you
> should be of interest to you.
>
> http://qosient.com/argus/dev/argus-latest.tar.gz
> http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>
> These versions have been really stable and you should consider them to be
> the current versions at this point.
>
> The source port should represent the ICMP type value, and the destination
> port should represent the ICMP code value.  At least that is the intended
> behavior of the tools.
>
> Carter
>
> > On Apr 4, 2016, at 9:10 AM, Kjell Tore Fossbakk via Argus-info <
> argus-info at lists.andrew.cmu.edu> wrote:
> >
> > Hello.
> >
> > Im running Argus Version 3.0.8 (same with clients) with libpcap 1.5.3.
> > Previously we ran Argus Version 3.0.6.1 with libpcap 1.1.1.
> >
> > We use ra with DELIMITERS "," and a list of fields, such as sport and
> dport. If we have an ICMP with sport=0, or TCP/UDP with sport=0/dport=0 and
> run this through both these Argus versiosn we get the following behavior;
> >
> > Using Argus 3.0.6.1 with libpcap 1.1.1 we get 0x0000 as sport for ICMP.
> > Using Argus 3.0.6.1 with libpcap 1.1.1 we get 0 as sport / dport for
> TCP/UDP.
> > For 3.0.0.6.1 we would seem to get sport 0 as icmp type=0, and sport 8
> as icmp type=8.
> >
> > When Now, when we use the newest version;
> > Using Argus 3.0.8 with libpcap 1.5.3 we get <empty data> as sport for
> ICMP where we got 0x0000 for 3.0.6.1
> > Using Argus 3.0.8 with libpcap 1.5.3 we get <empty data> as sport/dport
> for TCP/UDP where we got sport/dport 0 for 3.0.6.1
> >
> > By <empty data> we mean there is nothing between the delimited on the
> output.
> >
> > I'v tried to read ChangeLogs, CHANGES etc in argus, argus-clients,
> libpcap. Also did a little "grepping" without much success.
> >
> > So, something must have changed. Question is was the change in Argus or
> libpcap? Was it deliberate, or is this a bug?
> >
> > Kjell Tore
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160404/8f6c1bcf/attachment.html>


More information about the argus mailing list