[ARGUS] Argus output flows with swapped src/dst IPs and src/dst ports

Hang Guo hangguo at usc.edu
Fri Nov 29 14:42:58 EST 2019


Hi,

I found argus (Version 3.0.8.2), when fed in some pcaps with tcp packets,
could output flows with swapped src/dst IPs and src/dst ports. I attach an
example 2-packet pcap (packet IPs and MAC anonymized, payload cropped) that
could trigger this behavior.

Specifically, when I do

> argus -r test_anon.pcap -w - | ra -c "," -r - -s stime ltime saddr daddr sport dport proto spkts -nn


The output is:
> StartTime,LastTime,SrcAddr,DstAddr,Sport,Dport,Proto,SrcPkts
> 1562286513.155328,1562286513.155328,82.26.219.252,175.16.10.94,4104,443,6,0
> 1575055898.822475,1575055897.816590,0,32,0,1,man,0


While test_anon.pcap shows two tcp packets from 175.16.10.94 to
82.26.219.25, argus output shows a tcp flow from 82.26.219.252 to
175.16.10.94 with 0 packets (since SrcPkt=0). And the src and dst ports in
argus output are also swapped. I wonder what goes wrong in this case?

Thanks and happy thanksgiving!
-Hang
Attachment: test_anon.pcap (application/vnd.tcpdump.pcap, 176 bytes)
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20191129/bb48f800/attachment.pcap>
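A small sanity check over `ra -c ","` CSV output that flags flows whose reported source sent zero packets (the symptom described in the report) and reports the direction in which packets were actually observed. This is an added example, not code from the original post or from argus; the sample rows are the two lines quoted above plus one constructed ordinary flow, and the column names are the `ra` fields selected in the report.

```python
import csv
import io

# Constructed sample: the ra output quoted in the report, plus one ordinary
# TCP flow (10.0.0.5:51000 -> 10.0.0.9:22, 12 packets) added for contrast.
SAMPLE_RA_CSV = """StartTime,LastTime,SrcAddr,DstAddr,Sport,Dport,Proto,SrcPkts
1562286513.155328,1562286513.155328,82.26.219.252,175.16.10.94,4104,443,6,0
1575055898.822475,1575055897.816590,0,32,0,1,man,0
1562286520.000000,1562286521.000000,10.0.0.5,10.0.0.9,51000,22,6,12
"""


def parse_ra_csv(text):
    """Parse ra CSV text into dicts, dropping argus management ('man') records,
    which describe the argus process itself rather than observed traffic."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if not row["Proto"].isdigit():
            continue
        rows.append(row)
    return rows


def zero_src_pkts(row):
    """True for a TCP flow (proto 6) whose reported source sent no packets:
    every packet argus saw travelled from DstAddr to SrcAddr."""
    return row["Proto"] == "6" and int(row["SrcPkts"]) == 0


def observed_direction(row):
    """Return (sender_ip, sender_port, receiver_ip, receiver_port) for the
    direction in which packets were actually seen; endpoints are swapped back
    when the reported source contributed zero packets."""
    if zero_src_pkts(row):
        return (row["DstAddr"], int(row["Dport"]), row["SrcAddr"], int(row["Sport"]))
    return (row["SrcAddr"], int(row["Sport"]), row["DstAddr"], int(row["Dport"]))


def audit(text):
    """List (observed_direction, flagged) for every traffic record in the CSV."""
    return [(observed_direction(r), zero_src_pkts(r)) for r in parse_ra_csv(text)]


if __name__ == "__main__":
    for direction, flagged in audit(SAMPLE_RA_CSV):
        print(("SWAPPED " if flagged else "ok      ") + "%s:%d -> %s:%d" % direction)
```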