Hi Bob,

Bob Franklin wrote:
> Hello,
>
> [Excuse the new member and if this has already been covered.]
>
> I can't find any support for NetFlow v9 fields related to NAT - namely:
>
>   40001 XLATE_SRC_ADDR_IPV4
>   40002 XLATE_DST_ADDR_IPV4
>   40003 XLATE_SRC_PORT
>   40004 XLATE_DST_PORT
>   40005 FW_EVENT (created/deleted/denied)
>
> We have a Cisco ASA5580 running software version 8.2 which is capable of
> logging these (I believe - Wireshark seems to not have any truck with
> analysing the packets, so I'm having difficulty confirming the data is in
> there; nfdump is certainly capturing and logging everything except these
> extra fields).
>
> Can I confirm there is no support for this and, if not, are there any
> plans to do so?

So far up to and including nfdump-1.6.1, there is no support for ASA. There is a special version on SF for nfdump-1.5.7-nsel, with patches from Cisco. ASA support will get integrated as next on the nfdump todo list.

> I'm happy trying to do so and submitting diffs, but I haven't investigated
> the source code closely for nfcapd, nfdump, etc. although I can see that
> the majority of fields use low ID numbers and these are much higher (and
> there's an array to handle parsing the fields); is adding support likely
> to be difficult?

There are some changes required, but it's not that difficult. Stay tuned.

- Peter

> Thanks for any help in advance,
>
>   - Bob

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: peter.h...@switch.ch Web: http://www.switch.ch/

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
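
The question in this thread is whether fields 40001-40005 are actually present in the exported packets. As an added example (not part of the original thread and not nfdump code), here is a minimal NetFlow v9 decoder that learns templates from a UDP payload and pulls those fields out of the data records. The header and flowset layout follow RFC 3954; the sample packet, its addresses, field lengths and FW_EVENT value are constructed for illustration.

```python
import struct

# Field IDs and names exactly as listed in the message above.
NAT_FIELDS = {40001: "XLATE_SRC_ADDR_IPV4", 40002: "XLATE_DST_ADDR_IPV4",
              40003: "XLATE_SRC_PORT", 40004: "XLATE_DST_PORT", 40005: "FW_EVENT"}

def learn_templates(body, templates):
    # A template record is: template ID, field count, then (field type, length) pairs.
    pos = 0
    while pos + 4 <= len(body):
        tid, n = struct.unpack_from("!HH", body, pos)
        if tid < 256 or pos + 4 + 4 * n > len(body):
            break  # zero padding or a truncated record
        templates[tid] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * n]))
        pos += 4 + 4 * n

def decode_data(body, fields):
    # Records are fixed-size; fields outside NAT_FIELDS are skipped by their template length.
    rec_len, out, p = sum(size for _, size in fields), [], 0
    while rec_len and p + rec_len <= len(body):  # trailing pad bytes are left over
        rec = {}
        for ftype, size in fields:
            raw, p = body[p:p + size], p + size
            if ftype in NAT_FIELDS:
                is_addr = ftype in (40001, 40002) and size == 4
                rec[NAT_FIELDS[ftype]] = ".".join(map(str, raw)) if is_addr else int.from_bytes(raw, "big")
        out.append(rec)
    return out

def parse_v9(packet, templates):
    # Returns one dict of NAT fields per data record; `templates` persists across packets.
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    records, off = [], 20  # the v9 packet header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("flowset length runs past the packet")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            learn_templates(body, templates)
        records += decode_data(body, templates.get(fs_id, []))  # unseen template: skipped
        off += fs_len
    return records

# Constructed packet, not a capture: template 256 (7 fields), one 21-byte record, 3 pad bytes.
_TEMPLATE_FS = struct.pack("!18H", 0, 36, 256, 7, 8, 4, 12, 4, 40001, 4, 40002, 4, 40003, 2, 40004, 2, 40005, 1)
_D = bytes([10, 0, 0, 5, 198, 51, 100, 7, 192, 0, 2, 1, 198, 51, 100, 7]) + struct.pack("!HHB", 51000, 443, 1) + bytes(3)
SAMPLE = struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0) + _TEMPLATE_FS + struct.pack("!HH", 256, 4 + len(_D)) + _D
print(parse_v9(SAMPLE, {}))
```

Data flowsets that arrive before their template are skipped, so keep the same `templates` dict across packets from one exporter. FW_EVENT is left as the raw integer because the thread does not give its numeric mapping.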