wrong source ip addr on aggregation
Frank
argus-mailinglist-1524134246 at f-block.org
Thu Jun 28 08:41:30 EDT 2018
hi,
i encountered the following issue, resulting in a wrong source ipv6 address:
there are several connections to the same ipv6 address, coming from two
different source addresses, which however share the same /48 bits:
11:57:23.766559 e tcp 1111:22:3333:4444::15.21978 ->
caffe:affe::1.https 48 16800 FIN
12:03:26.631506 e tcp 1111:22:3333:4444::15.52620 ->
caffe:affe::1.smtp 47 22007 FIN
12:03:26.631451 e tcp 1111:22:3333:4444::15.52620 ->
caffe:affe::1.smtp 47 22007 FIN
12:05:08.037777 e tcp 1111:22:3333:4444::15.51150 ->
caffe:affe::1.http 11 1844 FIN
12:05:08.041924 e ipv6-icmp 1111:22:3333:4444::15.0x0080 <->
caffe:affe::1.0x0000 2 178 ECO
12:05:08.037777 e tcp 1111:22:3333:5555::15.51150 ->
caffe:affe::1.http 11 1844 FIN
now, with racluster, i get this:
racluster -r /tmp/ipv6traffic -m daddr
08:01:18.051607 e ip 1111:22:1111:22:: <->
caffe:affe::1 12119 5900614 CON
with a wrong source net.
there is only one icmp connection in /tmp/ipv6traffic (shown above), and
when i strip it, suddenly the output changes to this:
racluster -r /tmp/ipv6traffic_stripped -m daddr
08:01:18.051607 e * tcp 1111:22:: ->
caffe:affe::1 12117 5900436 FIN
with a (more) correct stripped source address.
btw. is there a way to influence the "ip-stripping" process on
aggregation? e.g. in the last case, i would have expected this source
address: 1111:22:3333::
and/or is it possible to somehow indicate on output, if and how many
bits of the source (or destination) address have been stripped?
thanks
frank
More information about the argus
mailing list