[Bro-Dev] IPv6 with Bro

Seth Hall seth at icir.org
Sun Feb 19 19:51:43 PST 2012


I was looking through logs looking for evidence of IPv6 traffic, and I found a host that appears to have run traceroute6 against the network, so I thought I'd show an example of how traceroutes look over IPv6 in the Bro conn.log…

#ts                uid          id.orig_h           id.orig_p  id.resp_h      id.resp_p  proto  service  duration  orig_bytes  resp_bytes  conn_state  local_orig  missed_bytes  history  orig_pkts  orig_ip_bytes  resp_pkts  resp_ip_bytes
#time              string       addr                port       addr           port       enum   string   interval  count       count       string      bool        count         string   count      count          count      count
1329660378.154848  Jfusxx0UPU   2001:470:9:babe::3  37990      <removed>      33460      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.158040  brhRmsVxFb9  2001:470:9:babe::3  57120      <removed>      33463      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.172236  YMi0UUbrhie  2001:470:9:babe::3  44529      <removed>      33468      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.157556  4FdCveTHPR1  2001:470:9:babe::3  51427      <removed>      33462      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.172791  iwezQsY3bK8  2001:470:9:babe::3  39695      <removed>      33467      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.174321  OQdvzk0kKy8  2001:470:9:babe::3  51260      <removed>      33469      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.155912  yqa4zrwi3x   2001:470:9:babe::3  39514      <removed>      33461      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.152268  4yVVIrTprM3  2001:470:9:babe::3  45626      <removed>      33458      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.154758  iMSZfgKHYbk  2001:470:9:babe::3  35970      <removed>      33459      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.169734  3hRVQFTFaKl  2001:470:9:babe::3  58529      <removed>      33464      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.170493  pDVhGxwtIX8  2001:470:9:babe::3  43646      <removed>      33465      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660378.171148  lGOET1T2DZa  2001:470:9:babe::3  53249      <removed>      33466      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.213549  groeGNpiJoe  2001:470:9:babe::3  42299      <removed>      33476      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.212178  laZDPNSTdc8  2001:470:9:babe::3  37647      <removed>      33471      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.216245  XYBwZnFA7u7  2001:470:9:babe::3  39810      <removed>      33480      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.215838  gFNZL587Byi  2001:470:9:babe::3  42812      <removed>      33481      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.217636  VW7azawZ3jg  2001:470:9:babe::3  56608      <removed>      33485      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.217262  nMEvDi845rf  2001:470:9:babe::3  34063      <removed>      33484      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.213996  c7BGJ9pcyqe  2001:470:9:babe::3  36350      <removed>      33477      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.214985  EWUPH0p7Chk  2001:470:9:babe::3  49498      <removed>      33479      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.213572  MtY4WlA0glb  2001:470:9:babe::3  56689      <removed>      33473      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.218169  MoXEoERSMt1  2001:470:9:babe::3  33510      <removed>      33483      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.213684  8B71hDNHG09  2001:470:9:babe::3  46544      <removed>      33475      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.213145  HbnJHMRmCCi  2001:470:9:babe::3  52538      <removed>      33472      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.217201  Dnu86Fujgrd  2001:470:9:babe::3  37475      <removed>      33482      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.210887  wIRlKplOj28  2001:470:9:babe::3  41090      <removed>      33470      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.214113  9ElDnNEyE5c  2001:470:9:babe::3  56094      <removed>      33474      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660453.215381  D6jSe4y1E0h  2001:470:9:babe::3  39121      <removed>      33478      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660528.253395  OJtSePR8BU2  2001:470:9:babe::3  33845      <removed>      33492      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660528.251139  njFLGFwddG   2001:470:9:babe::3  44546      <removed>      33487      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660528.253073  0k8dJwiYv0b  2001:470:9:babe::3  52688      <removed>      33490      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660528.251681  TYP32iKDjm3  2001:470:9:babe::3  35294      <removed>      33489      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660528.251192  342AxR3jVee  2001:470:9:babe::3  40207      <removed>      33488      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660528.252991  3o6WUxcV6qj  2001:470:9:babe::3  53110      <removed>      33493      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660528.253406  G2tidXRpZob  2001:470:9:babe::3  60440      <removed>      33491      udp    -        -         -           -           S0          F           0             D        1          80             0          0
1329660528.249881  OLqgFalrBAg  2001:470:9:babe::3  60518      <removed>      33486      udp    -        -         -           -           S0          F           0             D        1          80             0          0
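
One way to pick this pattern out of a conn.log automatically, as an added example that is not part of the original post: it groups unanswered single-packet UDP attempts (state S0, no responder packets) per host pair into time bursts and reports each burst whose destination ports are consecutive. The whitespace-separated column layout follows the header shown above; the `max_gap` and `min_probes` thresholds and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Column order taken from the "#ts ..." header line of the log above.
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
          "duration orig_bytes resp_bytes conn_state local_orig missed_bytes "
          "history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes").split()

def parse_conn_log(text):
    """Return one dict per record; '#' header lines and blanks are skipped."""
    return [dict(zip(FIELDS, line.split())) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]

def is_probe(r):
    # Unanswered single-packet UDP attempt, like every row in the log above.
    return (r["proto"] == "udp" and r["conn_state"] == "S0"
            and r["orig_pkts"] == "1" and r["resp_pkts"] == "0")

def find_traceroutes(records, max_gap=5.0, min_probes=6):
    """Return (src, dst, first_port, last_port, count) per consecutive-port burst."""
    by_pair = defaultdict(list)
    for r in filter(is_probe, records):
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(
            (float(r["ts"]), int(r["id.resp_p"])))
    hits = []
    for (src, dst), probes in by_pair.items():
        probes.sort()  # conn.log rows are not written in timestamp order
        bursts = [[probes[0]]]
        for prev, cur in zip(probes, probes[1:]):
            if cur[0] - prev[0] > max_gap:  # quiet period: start a new burst
                bursts.append([])
            bursts[-1].append(cur)
        for burst in bursts:
            ports = sorted({p for _, p in burst})
            if len(ports) >= min_probes and ports[-1] - ports[0] == len(ports) - 1:
                hits.append((src, dst, ports[0], ports[-1], len(ports)))
    return hits

def sample_log():
    """Constructed sample (documentation addresses), not data from the post."""
    row = "{:.6f} C{} {} {} {} {} udp - - - - {} F 0 D 1 80 {} {}"
    src, dst, out = "2001:db8::3", "2001:db8:1::9", []
    for t0, ports in ((100.0, range(33458, 33470)), (175.0, range(33470, 33486))):
        for i, p in enumerate(ports):
            out.append(row.format(t0 + i / 1000, p, src, 40000 + i, dst, p, "S0", 0, 0))
    out.append(row.format(101.0, "dns", src, 50000, dst, 53, "SF", 1, 120))
    for i, p in enumerate((123, 161, 514)):  # sparse, non-consecutive probes
        out.append(row.format(300.0 + i, p, "2001:db8::7", 41000, dst, p, "S0", 0, 0))
    return "\n".join(["#" + " ".join(FIELDS)] + out[::-1])
```

Calling `find_traceroutes(parse_conn_log(sample_log()))` reports the two bursts from the first host and ignores both the answered flow and the three scattered probes.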




