Odd records issue
mike tancsa via Argus-info
argus-info at lists.andrew.cmu.edu
Tue Jan 10 11:02:55 EST 2017
While I was trying to track down an issue with some unaccounted packets,
I noticed that argus was creating a lot of records that don't make sense.
On one of my sensors, I changed the config so that I would record a
pcap. In theory, both files should show the same data, no? Instead, I
have a LOT of addresses that are not in my network, and almost always
582 bytes.
% ra -nr argus.out -s saddr,sport,daddr,dport, bytes:4 ,pkts:2,proto:3 - bytes 582 and pkts 1 | head -30
SrcAddr Sport DstAddr Dport TotB To Pro
66.14.58.118.4710 165.57.97.129.62304 582 1 udp
228.44.123.180.32215 130.71.80.142.169 582 1 udp
42.80.37.245.64417 217.93.18.80.13594 582 1 udp
42.80.37.245.64417 217.93.18.80.13594 582 1 udp
184.111.255.119.46797 220.83.180.38.46450 582 1 udp
208.20.172.166.10533 155.189.252.142.23409 582 1 udp
87.96.180.21.42185 156.23.175.50.42394 582 1 udp
135.215.238.69.41005 244.71.183.157.49514 582 1 udp
42.118.169.234.64017 24.169.111.198.5837 582 1 udp
62.150.25.153.2414 39.220.44.122.58128 582 1 udp
113.20.11.165.45467 200.106.11.169.57598 582 1 udp
172.180.78.96.51016 139.173.29.46.15019 582 1 udp
172.180.78.96.51016 139.173.29.46.15019 582 1 udp
44.122.117.130.20546 180.167.75.128.60420 582 1 udp
44.122.117.130.20546 180.167.75.128.60420 582 1 udp
235.102.137.81.59403 110.104.217.242.31414 582 1 udp
235.102.137.81.59403 110.104.217.242.31414 582 1 udp
52.15.123.178.12147 210.93.8.106.19146 582 1 udp
52.15.123.178.12147 210.93.8.106.19146 582 1 udp
68.195.206.107.19522 184.118.84.142.48695 582 1 udp
173.129.21.3.5450 252.255.127.111.49931 582 1 udp
173.129.21.3.5450 252.255.127.111.49931 582 1 udp
94.187.10.197.3147 162.181.187.17.16443 582 1 udp
208.189.73.229.33307 155.175.43.8.62169 582 1 udp
115.98.69.100.4716 84.194.54.90.31643 582 1 udp
181.61.176.121.25337 230.174.10.75.38614 582 1 udp
17.126.194.240.59882 67.78.7.236.64742 582 1 udp
68.209.4.147.38113 82.176.3.109.8904 582 1 udp
68.209.4.147.38113 82.176.3.109.8904 582 1 udp
But looking at the pcap file AND a tcpdump of the interface, I never see
any such packets.
% ls -l
total 3779656
drwxr-xr-x 2 root wheel - 512 Jan 10 10:03 .
drwxr-xr-x 3 root wheel - 3072 Jan 10 10:03 ..
-rw-r--r-- 1 root wheel - 207937088 Jan 10 10:57 argus.out
-rw-r--r-- 1 root wheel - 3661365248 Jan 10 10:57 packet.out
% tcpdump -nr packet.out greater 580 and less 583
reading from file packet.out, link-type EN10MB (Ethernet)
% tcpdump -ner packet.out host 68.209.4.147 or host 17.126.194.240 or host 235.102.137.81
reading from file packet.out, link-type EN10MB (Ethernet)
Any idea what's going on?
If I tcpdump the interface, it never sees any such traffic, whereas
argus implies there is a LOT.
% ra -nr argus.out -s stime,saddr,daddr - bytes 582 and pkts 1 | head
StartTime SrcAddr DstAddr
10:03:46.217241 66.14.58.118 165.57.97.129
10:03:46.536733 228.44.123.180 130.71.80.142
10:03:47.724602 42.80.37.245 217.93.18.80
10:03:47.724589 42.80.37.245 217.93.18.80
10:03:49.187933 184.111.255.119 220.83.180.38
10:03:53.051873 208.20.172.166 155.189.252.142
10:03:57.551938 87.96.180.21 156.23.175.50
10:04:00.120709 135.215.238.69 244.71.183.157
10:04:02.452829 42.118.169.234 24.169.111.198
Ra Version 3.0.8.2
Argus Version 3.0.8.2
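The check described in this post, reconciling argus flow records against what the packet capture actually contains, can be scripted. The following is an added example, not code from the original post or from the argus project. It parses records in the column layout `ra -s saddr,sport,daddr,dport,bytes,pkts,proto` printed above (address and port joined by a dot), compares each record's address pair against a set of endpoint pairs that the pcap is assumed to contain, and reports the records with no packet evidence, exact duplicate records like the doubled lines above, and how the orphan records cluster by (bytes, pkts). Both the `RA_RECORDS` text and the `PCAP_PAIRS` set are constructed sample data; in practice they would come from `ra` and from `tcpdump -nr packet.out` respectively.

```python
"""Reconcile argus flow records against endpoints observed in a pcap.

Added example; not part of the original post or of the argus project.
Sample data below is constructed to mirror the output shown in the post.
"""
from collections import Counter
import ipaddress

# Constructed sample of `ra -s saddr,sport,daddr,dport,bytes,pkts,proto` output.
# The first three lines imitate the odd 582-byte single-packet records;
# the last two imitate ordinary flows that the pcap also contains.
RA_RECORDS = """\
66.14.58.118.4710 165.57.97.129.62304 582 1 udp
42.80.37.245.64417 217.93.18.80.13594 582 1 udp
42.80.37.245.64417 217.93.18.80.13594 582 1 udp
192.0.2.10.53 192.0.2.20.40000 1240 4 udp
192.0.2.10.443 192.0.2.21.51234 8800 12 tcp
"""

# Constructed set of (src_ip, dst_ip) pairs present in the pcap, standing in
# for what `tcpdump -nr packet.out` would list.
PCAP_PAIRS = {
    ("192.0.2.10", "192.0.2.20"),
    ("192.0.2.10", "192.0.2.21"),
}


def split_endpoint(token):
    """Split ra's 'a.b.c.d.port' token into (ip, port).

    ra joins address and port with a dot, so the port is the text after the
    last dot and the address is everything before it.
    """
    ip, _, port = token.rpartition(".")
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return ip, int(port)


def parse_ra(text):
    """Parse ra output lines into dicts; lines without five fields are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header line or blank line
        src, sport = split_endpoint(fields[0])
        dst, dport = split_endpoint(fields[1])
        records.append({
            "saddr": src, "sport": sport, "daddr": dst, "dport": dport,
            "bytes": int(fields[2]), "pkts": int(fields[3]), "proto": fields[4],
        })
    return records


def reconcile(records, pcap_pairs):
    """Return (orphans, duplicates, size_hist).

    orphans:    records whose address pair (in either direction) never
                appears in the pcap, i.e. flows with no packet evidence.
    duplicates: 5-tuples that occur more than once in the flow output.
    size_hist:  Counter of (bytes, pkts) over the orphans, which makes a
                fixed-size artefact like "582 bytes, 1 packet" stand out.
    """
    orphans = [
        r for r in records
        if (r["saddr"], r["daddr"]) not in pcap_pairs
        and (r["daddr"], r["saddr"]) not in pcap_pairs
    ]
    keys = Counter(
        (r["saddr"], r["sport"], r["daddr"], r["dport"], r["proto"]) for r in records
    )
    duplicates = [k for k, n in keys.items() if n > 1]
    size_hist = Counter((r["bytes"], r["pkts"]) for r in orphans)
    return orphans, duplicates, size_hist


def summarize(text=RA_RECORDS, pcap_pairs=PCAP_PAIRS):
    """Convenience wrapper returning counts for the constructed sample."""
    orphans, duplicates, size_hist = reconcile(parse_ra(text), pcap_pairs)
    return len(orphans), len(duplicates), dict(size_hist)


if __name__ == "__main__":
    n_orphans, n_dups, hist = summarize()
    print(f"records with no packet evidence: {n_orphans}")
    print(f"duplicate 5-tuples: {n_dups}")
    for (nbytes, npkts), count in sorted(hist.items()):
        print(f"  {count} orphan record(s) of {nbytes} bytes / {npkts} pkt(s)")
```

On real data the pcap pair set would be built from `tcpdump -nr packet.out` output, and the same per-flow lookup replaces eyeballing the two `ra` listings against `tcpdump` filters by host.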