wrong source ip addr on aggregation
Carter Bullard
carter at qosient.com
Thu Jun 28 16:30:05 EDT 2018
Hey Frank,
On further testing, I have been able to replicate your xxxx.yyyy.xxxx.yyyy address error.
I’ll look into this further.
Carter
> On Jun 28, 2018, at 4:22 PM, Carter Bullard <carter at qosient.com> wrote:
>
> Hey Frank,
> In my tests with some of your data, I’m not seeing racluster.1 generating errant data, but, it could be preserving more bits. With your data, it looks like racluster.1 is preserving the leading 32 bits, but it should be preserving the leading 56 bits. Looks that the code wants to preserve in 32-bit chunks, so its 32-bit preserving :O)
>
> I get this result for the aggregation of the source address - xxxx:yyyy::/32
> it could be xxxx.yyyy.zzzz.ww::/56 … is this what you expect ???
>
> Carter
>
>> On Jun 28, 2018, at 9:04 AM, Carter Bullard <carter at qosient.com> wrote:
>>
>> Hey Frank,
>> Can you send a data file that replicates the problem ??? It does seem to be a bug.
>> Argus aggreagation of IP addresses uses a ‘longest prefix match’ algorithm, and printing them as cidr addresses should show what bits are left over. That is an option in the .rarc file.
>>
>> Carter
>>
>>> On Jun 28, 2018, at 8:41 AM, Frank <argus-mailinglist-1524134246 at f-block.org> wrote:
>>>
>>> hi,
>>>
>>> i encountered the following issue, resulting in a wrong source ipv6 address:
>>>
>>> there are several connections to the same ipv6 address, coming from two
>>> different source addresses, which however share the same /48 bits:
>>>
>>> 11:57:23.766559 e tcp 1111:22:3333:4444::15.21978 ->
>>> caffe:affe::1.https 48 16800 FIN
>>> 12:03:26.631506 e tcp 1111:22:3333:4444::15.52620 ->
>>> caffe:affe::1.smtp 47 22007 FIN
>>> 12:03:26.631451 e tcp 1111:22:3333:4444::15.52620 ->
>>> caffe:affe::1.smtp 47 22007 FIN
>>> 12:05:08.037777 e tcp 1111:22:3333:4444::15.51150 ->
>>> caffe:affe::1.http 11 1844 FIN
>>> 12:05:08.041924 e ipv6-icmp 1111:22:3333:4444::15.0x0080 <->
>>> caffe:affe::1.0x0000 2 178 ECO
>>> 12:05:08.037777 e tcp 1111:22:3333:5555::15.51150 ->
>>> caffe:affe::1.http 11 1844 FIN
>>>
>>> now, with racluster, i get this:
>>>
>>> racluster -r /tmp/ipv6traffic -m daddr
>>> 08:01:18.051607 e ip 1111:22:1111:22:: <->
>>> caffe:affe::1 12119 5900614 CON
>>>
>>> with a wrong source net.
>>>
>>>
>>> there is only one icmp connection in /tmp/ipv6traffic (shown above), and
>>> when i strip it, suddenly the output changes to this:
>>>
>>> racluster -r /tmp/ipv6traffic_stripped -m daddr
>>> 08:01:18.051607 e * tcp 1111:22:: ->
>>> caffe:affe::1 12117 5900436 FIN
>>>
>>> with a (more) correct stripped source address.
>>>
>>>
>>> btw. is there a way to influence the "ip-stripping" process on
>>> aggregation? e.g. in the last case, i would have expected this source
>>> address: 1111:22:3333::
>>>
>>> and/or is it possible to somehow indicate on output, if and how many
>>> bits of the source (or destination) address have been stripped?
>>>
>>> thanks
>>> frank
>>>
>>>
>>
>>
>
>
More information about the argus
mailing list