Tim Lavoie | 3 Jan 2006 00:27

"man" protocol?


Hi all,

I've just started looking at Argus in earnest, so I'm new, but
generally familiar with other networking tools.

Most of the traffic that I've looked at so far seems pretty normal, at
least in that I understand what it is, and the reporting of it from
tools like "ra". Some of it appears to highlight some gaps in what I know.

The ones which are strangest are those like the following. I'm fine
with tcp, udp, arp etc., but haven't found what the "man" protocol
means. Naturally, googling gives me countless links to man pages. In
any case, the format of these is slightly different from the rest, and
all apparently from a single IP (6000+ records, from December 12 to
present).

12-12-05 15:26:52.669222           man               229.97.122.203  v2.0                                     1 0          0        0         0            0           STA
12-12-05 15:26:52.670329           man               229.97.122.203  v2.0                                    16 7          233      0         49530        4           CON
12-12-05 15:31:52.183189           man               229.97.122.203  v2.0                                    36 6          65       0         4419         5           CON
12-12-05 15:36:52.035605           man               229.97.122.203  v2.0                                    53 5          60       0         3772         1           CON

Any ideas?

    Thanks,
    Tim

Peter Van Epp | 3 Jan 2006 01:21

Re: "man" protocol?

On Mon, Jan 02, 2006 at 05:27:48PM -0600, Tim Lavoie wrote:
> 
> Hi all,
> 
> I've just started looking at Argus in earnest, so I'm new, but
> generally familiar with other networking tools.
> 
> Most of the traffic that I've looked at so far seems pretty normal, at
> least in that I understand what it is, and the reporting of it from
> tools like "ra". Some of it appears to highlight some gaps in what I know.
> 
> The ones which are strangest are those like the following. I'm fine
> with tcp, udp, arp etc., but haven't found what the "man" protocol
> means. Naturally, googling gives me countless links to man pages. In
> any case, the format of these is slightly different from the rest, and
> all apparently from a single IP (6000+ records, from December 12 to
> present).
> 
> 12-12-05 15:26:52.669222           man               229.97.122.203  v2.0                                     1 0          0        0         0            0           STA
> 12-12-05 15:26:52.670329           man               229.97.122.203  v2.0                                    16 7          233      0         49530        4           CON
> 12-12-05 15:31:52.183189           man               229.97.122.203  v2.0                                    36 6          65       0         4419         5           CON
> 12-12-05 15:36:52.035605           man               229.97.122.203  v2.0                                    53 5          60       0         3772         1           CON
> 
> Any ideas?
> 
>     Thanks,
>     Tim

	Yep, management records about the argus process. Luckily last I had
to figure it out I dumped the fields from the source (I was fixing some 

Richard Bejtlich | 3 Jan 2006 03:11

Reading Argus records on FreeBSD i386 or amd64

Hello,

Issue 1:

Should data generated from Argus reading a Libpcap trace on FreeBSD
amd64 be readable using the ra client on FreeBSD i386?

(I would hope so?)

On each platform, the ra client can read records generated on that platform.

Issue 2:

On FreeBSD amd64 (sensor01) I get 0 records when passing a filter on
Argus data generated on that platform.

sensor01$ ra -nn -r trace.lpc.ip.1800-2000.argus.ragator - net 10 | head -n 3
[nothing]

On FreeBSD i386 (janney) I get records as expected when passing a
filter on Argus data generated on that platform.

janney$ ra -nn -r trace.lpc.ip.1800-2000.argus - net 10 | head -n 3
27 Dec 05 18:00:25           tcp    192.168.1.38.2765  <?>    10.100.5.22.1720  1        1         54           54          TIM
27 Dec 05 18:00:33           tcp     192.168.1.5.445   <?>      10.0.0.41.1094  1        1         55           54          TIM
27 Dec 05 18:00:01          igrp      10.100.5.1        ->     224.0.0.10       14       0         1036         0           CON


Richard Johnson | 3 Jan 2006 04:09

Re: Reading Argus records on FreeBSD i386 or amd64

At 21:11 -0500 on 2006-01-02, Richard Bejtlich wrote:
> Hello,
>
> Issue 1:
>
> Should data generated from Argus reading a Libpcap trace on FreeBSD
> amd64 be readable using the ra client on FreeBSD i386?

They should, but as a practical matter they likely won't be.  Argus is not
yet 64-bit clean.

> On each platform, the ra client can read records generated on that platform.
> ...
> On FreeBSD amd64 (sensor01) I get 0 records when passing a filter on
> Argus data generated on that platform.

That matches fairly well with my experience.  Attempting to send records to
an amd64 system, whether from an amd64 system or an i386 system, didn't
work.

I've switched back to using high-end i386 systems, as I was fairly sure
that we wouldn't get anything useful to (or from) an amd64 box without some
significant code tweaks.

Richard

Mike Iglesias | 3 Jan 2006 04:47

Re: Reading Argus records on FreeBSD i386 or amd64

> Hello,
> 
> Issue 1:
> 
> Should data generated from Argus reading a Libpcap trace on FreeBSD
> amd64 be readable using the ra client on FreeBSD i386?
> 
> (I would hope so?)

You would, but it's not 64-bit clean yet.

Try using the i386 binaries on the amd64 system, or if FreeBSD can do
it, compile in 32 bit mode on the amd64 system.  I use Fedora for my
argus system, and use a copy of argus compiled on a i386 system so I can
read the files on other systems if necessary.

Mike Iglesias                          Email:       iglesias <at> uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

Tim Lavoie | 3 Jan 2006 07:06

Re: "man" protocol?

On Mon, Jan 02, 2006 at 04:21:16PM -0800, Peter Van Epp wrote:

> 	Yep, management records about the argus process. Luckily last I had
> to figure it out I dumped the fields from the source (I was fixing some 
> formatting problems at the time) because as far as I know they aren't 
> documented except in the source:
> 
> 
> startime: mar.start 
> lasttime: mar.now 
> proto: man 
> saddr: argusid 
> sport: version# 
> daddr: nextseq# 
> dport: #flows 
> spkts: RcvdPackets 
> dpkts: droppedpackets 
> sbytes: rcvdbytes 
> dbytes: flows_closed 
> status: man_status 
> 
> 	The first line is fairly obvious (looks like you too don't have an IP
> assigned to the interface so the sensor IP is whatever happens to be there).
> The next line of numbers starts with the # of flows, then packets received,
> packets dropped (by pcap, there are other sources of drop as well), bytes
> received, number of flows closed and status (which I think is always con)

Hi Peter,

Thanks for the info. That does help, though it does lead to a bit of a

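The field list Peter dumped from the source above is enough to turn the "man" lines from the first message into a sensor-health check. The following is an added example written for this page, not code from Argus or from anyone in the thread: it parses the quoted ra output using Peter's mapping (saddr=argusid, sport=version, daddr=nextseq, dport=#flows, spkts=received packets, dpkts=dropped packets, sbytes=received bytes, dbytes=flows closed, then status), and derives two things a sensor operator wants to know from management records: whether pcap is dropping packets (a blind spot in the data), and whether the five-minute cadence of the records has a hole (the sensor or its feed was down). Assumptions, all labelled in the code: the six counters appear in that order after the version token; the timestamp is mm-dd-yy (Tim says the records begin on December 12); dropped packets are not included in the received count when computing the ratio; the expected interval is 300 s as in the quoted output. The two extra input lines with nonzero drops and a 20-minute gap are constructed for the example and do not come from the thread.

```python
"""Parse Argus "man" (management) records from ra(1) text output and derive
two sensor-health signals: pcap packet drops and gaps in record cadence.
Added example; not code from Argus or from the thread.  Field order follows
the mapping dumped from the argus source in the thread; the timestamp
layout (mm-dd-yy) and the 300 s cadence are assumptions from the quoted output."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Sample input 1: the four records quoted in the thread (whitespace as shown).
SAMPLE_RA_OUTPUT = """\
12-12-05 15:26:52.669222           man               229.97.122.203  v2.0                                     1 0          0        0         0            0           STA
12-12-05 15:26:52.670329           man               229.97.122.203  v2.0                                    16 7          233      0         49530        4           CON
12-12-05 15:31:52.183189           man               229.97.122.203  v2.0                                    36 6          65       0         4419         5           CON
12-12-05 15:36:52.035605           man               229.97.122.203  v2.0                                    53 5          60       0         3772         1           CON
"""

# Sample input 2: constructed lines (NOT from the thread) that exercise the
# checks: one record with pcap drops, then a record 20 minutes later.
CONSTRUCTED_EXTRA = """\
12-12-05 15:41:52.100000 man 229.97.122.203 v2.0 70 4 1000 50 80000 3 CON
12-12-05 16:01:52.100000 man 229.97.122.203 v2.0 88 3 500 0 40000 2 CON
"""

TIME_FORMAT = "%m-%d-%y %H:%M:%S.%f"  # assumed layout of ra's start-time column


@dataclass
class ManRecord:
    start_time: str
    argus_id: str        # saddr: argusid (here the interface's stray address)
    version: str         # sport: version#
    next_seq: int        # daddr: nextseq#
    flows: int           # dport: #flows
    rcvd_packets: int    # spkts: RcvdPackets
    dropped_packets: int # dpkts: droppedpackets (dropped by pcap)
    rcvd_bytes: int      # sbytes: rcvdbytes
    flows_closed: int    # dbytes: flows_closed
    status: str          # "STA" on the start marker, "CON" afterwards

    def drop_ratio(self) -> float:
        """Share of packets pcap dropped; assumes drops are not counted in rcvd."""
        total = self.rcvd_packets + self.dropped_packets
        return self.dropped_packets / total if total else 0.0


def parse_man_line(line: str) -> Optional[ManRecord]:
    """Return a ManRecord for a 'man' line, or None for any other record type."""
    fields = line.split()
    if "man" not in fields:
        return None
    i = fields.index("man")            # everything before it is the timestamp
    if len(fields) != i + 10:          # argusid, version, 6 counters, status
        return None
    try:
        counters = [int(x) for x in fields[i + 3:i + 9]]
    except ValueError:
        return None
    return ManRecord(" ".join(fields[:i]), fields[i + 1], fields[i + 2],
                     *counters, fields[i + 9])


def parse_man_records(text: str) -> List[ManRecord]:
    recs = (parse_man_line(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r is not None]


def totals(records: List[ManRecord]) -> Tuple[int, int, int]:
    """(packets received, packets dropped, bytes received) over all records."""
    return (sum(r.rcvd_packets for r in records),
            sum(r.dropped_packets for r in records),
            sum(r.rcvd_bytes for r in records))


def drop_alerts(records: List[ManRecord], max_ratio: float = 0.01):
    """Records whose pcap drop ratio exceeds max_ratio: blind spots in the sensor."""
    return [(r.start_time, r.drop_ratio()) for r in records
            if r.drop_ratio() > max_ratio]


def cadence_gaps(records: List[ManRecord], expected_s: float = 300.0,
                 slack: float = 1.5):
    """Consecutive records further apart than slack * expected_s.

    Management records arrive on a fixed interval (5 minutes in the quoted
    output), so a missing one means the sensor was down or its feed stalled."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        delta = (datetime.strptime(cur.start_time, TIME_FORMAT)
                 - datetime.strptime(prev.start_time, TIME_FORMAT)).total_seconds()
        if delta > expected_s * slack:
            gaps.append((prev.start_time, cur.start_time, delta))
    return gaps


if __name__ == "__main__":
    recs = parse_man_records(SAMPLE_RA_OUTPUT + CONSTRUCTED_EXTRA)
    print("records:", len(recs), "totals (rcvd, dropped, bytes):", totals(recs))
    for when, ratio in drop_alerts(recs):
        print(f"drop alert at {when}: {ratio:.1%} of packets dropped by pcap")
    for prev, cur, secs in cadence_gaps(recs):
        print(f"gap of {secs:.0f}s between {prev} and {cur}")
```

The parser keys on the "man" protocol token rather than on column positions, so it tolerates the date layout differing between ra builds (the "27 Dec 05" style further down this page is simply skipped as a non-man record); only the cadence check needs the timestamp format, and only for lines in Tim's layout. Tcp/udp/arp lines pass through as None, so the same pass can run over a full ra dump.
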
Tim Lavoie | 3 Jan 2006 17:12

Re: "man" protocol?

Just to update...

Mike Slifcak pointed out that I could set the ARGUS_MONITOR_ID flag
directly, instead of the `hostname` version which is the default. It
turns out that the ARGUS_MONITOR_ID flag didn't exist, or rather, it
was called ARGUS_MONITOR_DATA instead. On the system at work, the
config file used the _ID form, and worked appropriately. I will likely
file a Debian bug report to this effect, though the `hostname` form
may work if the variable is named correctly.  :)

	    Cheers,
	    Tim

eric | 3 Jan 2006 23:06

Re: "man" protocol?

On Tue, 2006-01-03 at 10:12:58 -0600, Tim Lavoie proclaimed...

> Mike Slifcak pointed out that I could set the ARGUS_MONITOR_ID flag
> directly, instead of the `hostname` version which is the default. It
> turns out that the ARGUS_MONITOR_ID flag didn't exist, or rather, it
> was called ARGUS_MONITOR_DATA instead. On the system at work, the
> config file used the _ID form, and worked appropriately. I will likely
> file a Debian bug report to this effect, though the `hostname` form
> may work if the variable is named correctly.  :)

It's a problem in the source code and has been a problem for a while.

Carter, I don't suppose you can put up a new .fixes for this?

Thanks.

Patrick Green | 9 Jan 2006 12:59

Argus and MTP

Hi,

Has anyone had any experience of running Argus on top of Metanetworks MTP cards?

We have been running some tests, on Fedora (customised kernel 2.6.11) with Argus Version 2.0.6, and an MTP card (www.metanetworks.org).

If we run an nmap against a machine on the network, I can see the traffic using TCPdump (so the card is picking it up and forwarding it to the OS), but argus doesn't seem to pick the traffic up - at best it sees about four packets ... has anyone else seen this / something obvious I should try?

Patrick
--
Patrick Green -  Computing Services, Oxford University
http://users.ox.ac.uk/~patrick
Mobile: +44 (0)7812215375
PGP keyID 0x34E49221

poncenby smythe | 10 Jan 2006 00:11

Listening on tun interface...

List,

I am running openbsd 3.8 GENERIC and using argus-2.0.6.
I am using a THOMSON Speed Touch 330, rev 1.10/4.00 ADSL modem with an interface of tun0.
When trying to execute argus on this interface with the command ./argus -i tun0 it just exits immediately.
I haven't compiled it with debugging enabled so I cannot tell what is happening any further (by the way, how would you do this?).

When I run tcpdump on it, it says the link type is LOOP; any significance?

Thanks for your time

poncenby

