Thanks Brian - it's fixed in nfdump-1.6.11 which will be released most likely
tomorrow. It will also support ASA 9.1 data.
- Peter
On 21/11/13 10:55 AM, Brian Candler wrote:
> On 21/11/2013 09:23, Peter Haag wrote:
>> Hi Brian,
>> It looks to me as if you did not enable nsel at compile time. You need to
>> run at least ./configure --enable-nsel and make, make install
> Ah yes, you're quite right. I had only done
> ./configure --enable-nfprofile --enable-nftrack
> and didn't realise you had to --enable-nsel as well.
>
> Rebuilt now, running with -Tnsel.
>>
>> Your already collected data should still be readable after nsel enabled.
> It is. I get zeros for X-Src IP Addr:Port and X-Dest IP Addr (although
> strangely not X-Dest Port: I think this is a bug,
> see below)
>
> Date first seen          Event   XEvent  Proto  Src IP Addr:Port       Dst IP Addr:Port  X-Src IP Addr:Port  X-Dst IP Addr:Port  In Byte  Out Byte
> 2013-11-21 09:24:59.903  IGNORE  Ignore  UDP    192.168.3.121:40528 -> 8.8.8.8:53        0.0.0.0:0        -> 0.0.0.0:53          28       0
>
> Corresponding output with -o raw:
>
> Flow Record:
> Flags = 0x06 FLOW, Unsampled
> export sysid = 1
> size = 56
> first = 1385025899 [2013-11-21 09:24:59]
> last = 1385025899 [2013-11-21 09:24:59]
> msec_first = 903
> msec_last = 903
> src addr = 192.168.3.121
> dst addr = 8.8.8.8
> src port = 40528
> dst port = 53
> fwd status = 0
> tcp flags = 0x00 ......
> proto = 17 UDP
> (src)tos = 0
> (in)packets = 0
> (in)bytes = 28
> input = 14
> output = 2
>
> For the new records, I get:
>
> Date first seen          Event   XEvent  Proto  Src IP Addr:Port       Dst IP Addr:Port  X-Src IP Addr:Port   X-Dst IP Addr:Port  In Byte  Out Byte
> 2013-11-21 09:30:56.052  DELETE  2027    TCP    192.168.3.123:58914 -> YY.YYY.YY.100:80  XXX.XX.XX.4:58914 -> YY.YYY.YY.100:80    137      309
>
> which looks much better.
>
> Looking for a case of inbound destination port mapping:
>
> 2013-11-21 09:38:24.519  CREATE  Ignore  TCP    YY.YY.YY.166:64325 -> XXX.XX.XX.8:2222   YY.YY.YY.166:64325 -> 192.168.5.110:2222  0        0
>
> This is wrong. The translated destination port should be 22 but it is showing
> the untranslated port.
>
> Here is the -o raw record:
>
> Flow Record:
> Flags = 0x46 EVENT, Unsampled
> export sysid = 1
> size = 132
> first = 1385026704 [2013-11-21 09:38:24]
> last = 1385026704 [2013-11-21 09:38:24]
> msec_first = 519
> msec_last = 519
> src addr = 84.92.42.166
> dst addr = 185.14.85.8
> src port = 64325
> dst port = 2222
> fwd status = 0
> tcp flags = 0x00 ......
> proto = 6 TCP
> (src)tos = 0
> (in)packets = 0
> (in)bytes = 0
> connect ID = 11316151
> fw event = 1: CREATE
> fw ext event = 0
> flow start = 1385026694490 [2013-11-21 09:38:14.490]
> src asa port = 64325
> dst asa port = 22
> src asa ip = 84.92.42.166
> dst asa ip = 192.168.5.110
> Ingress ACL = 0x266a12c4/0x2669d584/0xd78b0ca
> Egress ACL = 0x0/0x0/0x0
> User name = <empty>
>
> So the correct data has been captured ("dst asa port"), it just isn't shown
> by nfdump in its normal output. The attached
> patch seems to do the job.
>> Hope this helps
> It certainly does!
>
> Thanks,
>
> Brian.
>
>
>
> ------------------------------------------------------------------------------
> Shape the Mobile Experience: Free Subscription
> Software experts and developers: Be at the forefront of tech innovation.
> Intel(R) Software Adrenaline delivers strategic insight and game-changing
> conversations that shape the rapidly evolving mobile landscape. Sign up now.
> http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
>
>
>
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>
--
Be nice to your netflow data. Use NfSen and nfdump :)
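As an added illustration of the bug discussed in this thread (not nfdump's own code), the following script parses `-o raw` records in the format shown above and renders the X-Src/X-Dst columns, taking the translated destination port from `dst asa port`; passing `buggy=True` takes it from `dst port` instead, reproducing the reported symptom. The sample records are constructed from the thread, with the external addresses replaced by documentation ranges, and the "0.0.0.0:0" rendering for a record without NSEL fields is the assumed correct behaviour.

```python
"""Render nfdump NSEL X-Src/X-Dst columns from '-o raw' records (added example)."""
import re
from typing import Dict

# Constructed records modelled on the thread's '-o raw' output (subset of keys);
# external addresses replaced with RFC 5737 documentation ranges.
RAW_CREATE = """Flow Record:
  Flags        = 0x46 EVENT, Unsampled
  src addr     = 198.51.100.166
  dst addr     = 203.0.113.8
  src port     = 64325
  dst port     = 2222
  proto        = 6 TCP
  fw event     = 1: CREATE
  src asa port = 64325
  dst asa port = 22
  src asa ip   = 198.51.100.166
  dst asa ip   = 192.168.5.110
"""

RAW_IGNORE = """Flow Record:
  Flags        = 0x06 FLOW, Unsampled
  src addr     = 192.168.3.121
  dst addr     = 8.8.8.8
  src port     = 40528
  dst port     = 53
  proto        = 17 UDP
"""

# One 'key = value' line; keys may contain spaces and parentheses, e.g. "(in)bytes".
FIELD_RE = re.compile(r"^\s*([A-Za-z()\s]+?)\s*=\s*(.*?)\s*$")


def parse_raw(text: str) -> Dict[str, str]:
    """Turn the 'key = value' lines of one raw record into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def xlate_columns(rec: Dict[str, str], buggy: bool = False) -> str:
    """Return 'X-Src IP:Port -> X-Dst IP:Port' for one parsed record.

    Translated values come from the 'asa' keys; a plain FLOW record without
    them renders as 0.0.0.0:0 on both sides. With buggy=True the X-Dst port is
    read from the untranslated 'dst port', which is the symptom in the thread.
    """
    xsrc = f"{rec.get('src asa ip', '0.0.0.0')}:{rec.get('src asa port', '0')}"
    xdst_port = rec.get("dst port", "0") if buggy else rec.get("dst asa port", "0")
    return f"{xsrc} -> {rec.get('dst asa ip', '0.0.0.0')}:{xdst_port}"


def port_mismatch(rec: Dict[str, str]) -> bool:
    """True when printing 'dst port' would misreport the translated port."""
    return rec.get("dst port", "0") != rec.get("dst asa port", "0")
```

Running `xlate_columns` on a day's raw output with and without `buggy=True` is a quick way to confirm whether an installed build still shows the untranslated port.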