The Branches | 14 Aug 2012 19:29

'ether multicast' in BPF having no effect in ra

Hi Carter,

I am trying to filter out all non-unicast traffic from a set of argus records and can't seem to get it to recognize IPv6 mdns packets as Ethernet multicasts even though their target mac addresses are clearly so.

[root <at> nids ~]# ra -r /argus/today/dmz-08.arg - "src host fe80::226:bbff:fe07:af2f and port mdns and not ether multicast" -s +dmac -nn | head -n10
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State             DstMac
   08:01:16.629980  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        334     105199   INT  33:33:00:00:00:fb
   08:01:46.706751  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        307      82338   REQ  33:33:00:00:00:fb
   08:02:16.736570  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        298      61146   REQ  33:33:00:00:00:fb
   08:02:46.792462  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        302      66845   REQ  33:33:00:00:00:fb
   08:03:16.816442  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        299      61573   REQ  33:33:00:00:00:fb
   08:03:46.901358  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        298      60969   REQ  33:33:00:00:00:fb
   08:04:16.978279  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        298      60792   REQ  33:33:00:00:00:fb
   08:04:47.030784  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        298      60792   REQ  33:33:00:00:00:fb
   08:05:17.090194  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        298      60969   REQ  33:33:00:00:00:fb

According to RFC 5342:
All MAC-48 multicast identifiers prefixed "33-33" (that is, the 2**32 multicast MAC identifiers in the range from 33-33-00-00-00-00 to 33-33-FF-FF-FF-FF) are used by the IETF for global IPv6 multicast
I used the "not ether multicast" clause in the BPF because in 'man ra' it says
    By specifying ether multicast, you can select argus records that involve an ethernet multicast address.
It seems that something is broken though because whether I put 'ether multicast' or 'not ether multicast' into the BPF, the results are the same.
In fact, it appears that 'ether multicast' is not working at all for me as I can grab an arbitrary file of argus records and filter it solely with a BPF of "ether multicast" and see lots of obviously unicast traffic in the results.

I am running argus 3.0.6.1 and ra-client 3.0.6.2.  Do you think this might be a bug?

In the meantime, is there any way I can use the "33:33" ethernet prefix as criteria in my BPF?  Perhaps "ether net 33:33/16" or "oui 33:33:00" or "ether host 33:33:*"?  I tried a variety of things and always got a filter syntax error when trying to filter on anything but a full Ethernet address.

Thanks,
Kevin
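The check Kevin is trying to express in the filter can be done on the ra output itself while the filter question is open. The following is an added example, not code from this thread or from argus/ra: it reads rows in the layout printed above (the -s +dmac column last), classifies DstMac by the I/G bit of the first octet (which is what "ether multicast" is documented to select), and cross-checks each IP multicast destination against the MAC address the RFCs derive from it, so a 33:33 row whose last four bytes do not match the IPv6 group stands out. It goes beyond the thread in also handling the IPv4 01:00:5e mapping from RFC 1112. The first two sample rows are copied from the post; the other rows, the 10.1.2.x hosts and the 00:1b:21:aa:bb:cc address are constructed for illustration, and the last row is deliberately inconsistent.

```python
"""
Classify the DstMac column of ra(1) output and cross-check it against the
layer-3 destination, as a workaround for filtering on the 33:33 prefix
outside ra's own filter language.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample. The first two rows are copied from the ra output in the
# post above; the remaining rows are made up here (hypothetical hosts and MACs)
# so that unicast, broadcast and a deliberately inconsistent IPv6 row are present.
SAMPLE_RA_OUTPUT = """\
   08:01:16.629980  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        334     105199   INT  33:33:00:00:00:fb
   08:01:46.706751  e            17 fe80::226:bbff:fe*.5353      ->           ff02::fb.5353        307      82338   REQ  33:33:00:00:00:fb
   08:02:16.736570  e             6     10.1.2.3.53211      ->          10.1.2.4.22             12       2048   CON  00:1b:21:aa:bb:cc
   08:02:46.792462  e            17        10.1.2.3.68      ->   255.255.255.255.67              1        342   INT  ff:ff:ff:ff:ff:ff
   08:03:16.816442  e            17 fe80::226:bbff:fe*.5353      ->            ff02::1.5353          5        600   INT  33:33:00:00:00:fb
"""


def is_ether_multicast(mac: str) -> bool:
    """True if the I/G bit (LSB of the first octet) is set: every group
    address, including 33:33:* (IPv6), 01:00:5e:* (IPv4) and broadcast."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bool(int(mac[:2], 16) & 0x01)


def is_ipv6_multicast_mac(mac: str) -> bool:
    """True for the IETF-assigned 33-33-xx-xx-xx-xx block from RFC 5342."""
    return is_ether_multicast(mac) and mac.lower().startswith("33:33:")


def expected_multicast_mac(addr: str) -> str:
    """Map an IP multicast group to its Ethernet address: RFC 2464 for IPv6
    (33:33 + low 32 bits), RFC 1112 for IPv4 (01:00:5e + low 23 bits)."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a multicast group")
    if ip.version == 6:
        tail = ip.packed[-4:]
        return "33:33:" + ":".join(f"{b:02x}" for b in tail)
    b = ip.packed
    return f"01:00:5e:{b[1] & 0x7f:02x}:{b[2]:02x}:{b[3]:02x}"


def _parse_row(line: str):
    """Return (dst_addr, dmac) for one ra row, or None for blank/header lines.
    Fields are taken from the right-hand end because the Flgs column may be
    empty, which would shift left-anchored indices."""
    tokens = line.split()
    if len(tokens) < 6 or not MAC_RE.match(tokens[-1]):
        return None
    dst_with_port = tokens[-5]           # e.g. ff02::fb.5353
    dst = dst_with_port.rsplit(".", 1)[0]
    return dst, tokens[-1]


def filter_ra_output(text: str, keep_multicast: bool) -> list:
    """Rows whose DstMac is (or is not) an Ethernet multicast address."""
    kept = []
    for line in text.splitlines():
        parsed = _parse_row(line)
        if parsed and is_ether_multicast(parsed[1]) == keep_multicast:
            kept.append(line)
    return kept


def mismatched_multicast_rows(text: str) -> list:
    """Rows where an IP multicast destination is not carried in the MAC
    address the RFCs derive from it: (dst, observed_mac, expected_mac)."""
    bad = []
    for line in text.splitlines():
        parsed = _parse_row(line)
        if not parsed:
            continue
        dst, dmac = parsed
        try:
            ip = ipaddress.ip_address(dst)
        except ValueError:
            continue                    # truncated or non-IP field
        if ip.is_multicast:
            want = expected_multicast_mac(dst)
            if dmac.lower() != want:
                bad.append((dst, dmac, want))
    return bad


if __name__ == "__main__":
    for row in filter_ra_output(SAMPLE_RA_OUTPUT, keep_multicast=False):
        print("unicast:", row.split()[-5], "->", row.split()[-1])
    for dst, got, want in mismatched_multicast_rows(SAMPLE_RA_OUTPUT):
        print(f"mismatch: dst {dst} carried in {got}, expected {want}")
```

To use it on live data, pipe `ra -r file -s +dmac -nn` into the script via stdin instead of SAMPLE_RA_OUTPUT; the parser anchors on the right-hand columns, so it only requires that dmac be the last field printed. Note that the broadcast row is counted as multicast because the I/G bit is set on ff:ff:ff:ff:ff:ff, which is also what an I/G-bit based "ether multicast" would do; filter on the 33:33 prefix with is_ipv6_multicast_mac() if only IPv6 groups are wanted.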

Carter Bullard | 14 Aug 2012 20:32

Re: 'ether multicast' in BPF having no effect in ra

Hey Kevin,
I am not in a position to look at the code until tonight, but there should be support for this.  If you want to take a look yourself, there should be a multicast routine in ./common/argus_code.c that will look at the 'proto' parameter to decide what kind of multicast to match.  From there you can back trace to see why "ip multicast" does something different from "ether multicast".  It is also possible that just the term "multicast" will get you what you want?

The fact that it didn't complain with "not ether multicast" suggests that the parser and compiler are fine, but something is missing in the matching.

What do you get with the -b option and the filter "not ether multicast"?

Just as a reminder, the client filters are not BPF, but they are close, so the offset syntax won't work.
Carter

Carter Bullard, QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

On Aug 14, 2012, at 10:29 AM, The Branches <branchbunch <at> gmail.com> wrote: