On 21/11/2013 09:23, Peter Haag wrote:
> Hi Brian,
> It looks to me as if you did not enable nsel at compile time. You need to
> run at least ./configure --enable-nsel and make, make install
Ah yes, you're quite right. I had only done
./configure --enable-nfprofile --enable-nftrack
and didn't realise you had to --enable-nsel as well.

Rebuilt now, running with -Tnsel.

> Your already collected data should still be readable after nsel is enabled.
It is. I get zeros for X-Src IP Addr:Port and X-Dest IP Addr (although strangely not X-Dest Port: I think this is a bug, see below)

Date first seen         Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port        X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
2013-11-21 09:24:59.903 IGNORE Ignore UDP   192.168.3.121:40528 ->   8.8.8.8:53                  0.0.0.0:0 ->   0.0.0.0:53                     28        0

Corresponding output with -o raw:

Flow Record:
  Flags        =              0x06 FLOW, Unsampled
  export sysid =                 1
  size         =                56
  first        =        1385025899 [2013-11-21 09:24:59]
  last         =        1385025899 [2013-11-21 09:24:59]
  msec_first   =               903
  msec_last    =               903
  src addr     =     192.168.3.121
  dst addr     =           8.8.8.8
  src port     =             40528
  dst port     =                53
  fwd status   =                 0
  tcp flags    =              0x00 ......
  proto        =                17 UDP
  (src)tos     =                 0
  (in)packets  =                 0
  (in)bytes    =                28
  input        =                14
  output       =                 2

For the new records, I get:

Date first seen         Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port        X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
2013-11-21 09:30:56.052 DELETE 2027   TCP   192.168.3.123:58914 ->   YY.YYY.YY.100:80        XXX.XX.XX.4:58914 ->   YY.YYY.YY.100:80             137      309

which looks much better.

Looking for a case of inbound destination port mapping:

2013-11-21 09:38:24.519 CREATE Ignore TCP YY.YY.YY.166:64325 -> XXX.XX.XX.8:2222 YY.YY.YY.166:64325 -> 192.168.5.110:2222 0 0

This is wrong. The translated destination port should be 22 but it is showing the untranslated port.

Here is the -o raw record:

Flow Record:
  Flags        =              0x46 EVENT, Unsampled
  export sysid =                 1
  size         =               132
  first        =        1385026704 [2013-11-21 09:38:24]
  last         =        1385026704 [2013-11-21 09:38:24]
  msec_first   =               519
  msec_last    =               519
  src addr     =      84.92.42.166
  dst addr     =       185.14.85.8
  src port     =             64325
  dst port     =              2222
  fwd status   =                 0
  tcp flags    =              0x00 ......
  proto        =                 6 TCP
  (src)tos     =                 0
  (in)packets  =                 0
  (in)bytes    =                 0
  connect ID   =          11316151
  fw event     =                 1: CREATE
  fw ext event =                 0
  flow start   =     1385026694490 [2013-11-21 09:38:14.490]
  src asa port =             64325
  dst asa port =                22
  src asa ip   =      84.92.42.166
  dst asa ip   =     192.168.5.110
  Ingress ACL  =       0x266a12c4/0x2669d584/0xd78b0ca
  Egress ACL   =       0x0/0x0/0x0
  User name    =           <empty>

So the correct data has been captured ("dst asa port"), it just isn't shown by nfdump in its normal output. The attached patch seems to do the job.
> Hope this helps
It certainly does!

Thanks,

Brian.

Attachment: nf_common.patch.gz
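A consistency check for the problem described in this message (the translated destination port is present in the `-o raw` record as "dst asa port" but the NSEL line output prints the untranslated port). This is an added example, not code from nfdump or from the attached patch; it assumes the `-o raw` and line-format layouts exactly as printed above, and the sample records are constructed from the raw record in this mail.

```python
import re

# Constructed sample: a trimmed `nfdump -o raw` record for the CREATE event above.
RAW_RECORD = """\
Flow Record:
  Flags        =              0x46 EVENT, Unsampled
  src addr     =      84.92.42.166
  dst addr     =       185.14.85.8
  src port     =             64325
  dst port     =              2222
  proto        =                 6 TCP
  fw event     =                 1: CREATE
  src asa port =             64325
  dst asa port =                22
  src asa ip   =      84.92.42.166
  dst asa ip   =     192.168.5.110
"""

# Constructed sample: the NSEL line-format record nfdump printed for the same
# flow (X-Dst port shows 2222, the untranslated value), and a corrected one.
LINE_RECORD = ("2013-11-21 09:38:24.519 CREATE Ignore TCP 84.92.42.166:64325 -> "
               "185.14.85.8:2222 84.92.42.166:64325 -> 192.168.5.110:2222 0 0")
LINE_RECORD_FIXED = LINE_RECORD.replace("192.168.5.110:2222", "192.168.5.110:22")

def parse_raw(text):
    """Map each 'key = value' line of a raw record to its first value token."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().split()[0]
    return fields

def parse_nsel_line(line):
    """Extract the four IPv4 addr:port pairs (src, dst, xsrc, xdst) from a line record."""
    pairs = re.findall(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", line)
    keys = ("src", "dst", "xsrc", "xdst")
    return {k: (ip, int(port)) for k, (ip, port) in zip(keys, pairs)}

def find_xlate_mismatches(raw_text, line):
    """Return {column: (shown, expected)} where the line output disagrees with the raw xlate fields."""
    raw = parse_raw(raw_text)
    shown = parse_nsel_line(line)
    expected = {
        "xsrc": (raw["src asa ip"], int(raw["src asa port"])),
        "xdst": (raw["dst asa ip"], int(raw["dst asa port"])),
    }
    return {k: (shown[k], v) for k, v in expected.items() if shown[k] != v}
```

Running `find_xlate_mismatches` on the two constructed records reports the X-Dst port mismatch (2222 shown, 22 expected) for the buggy line and nothing for the corrected one.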
Nfdump-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss