Hello,

We are currently experimenting with accounting for CGN and wish to be able
to quickly identify which customer had a specific "public" IP and "public"
port.

We are collecting data with NSEL and NEL attributes, but it seems there
isn't any way to search all records that have allocated a portblock that
contains port x (through nfdump).

For instance, let's assume that our customer is allocated ip 8.8.8.132 and
uses port 10249 as a source port. I would like to be able to filter by xip
8.8.8.132 (which I currently can do) and by port 10249 > pblock start and
port 10249 < pblock start + pblock size (I noticed that pblock end is 0 in
our captures). (So list all records that have that port inside the port
range).

I realize this might be harder to implement (since it has to do additions
of two different fields), but I wanted to ask the following:

1. Is this filtering something that's planned for the future? Or, at least,
adding the option to filter by pblock start?
2. Is it something that you think is "doable" and I could do (my C skills
are rusty, but in need of a brush-up)? Where should I start to look?

Here is what a record that I want filtered currently looks like:

I am using nfdump: Version: NSEL-NEL1.6.12 $Date: 2014-04-02 20:08:48 +0200
(Wed, 02 Apr 2014) $

Here is a raw flow record:
Flow Record:
  Flags        =              0x46 EVENT, Unsampled
  export sysid =                 1
  size         =               104
  first        =        1399277842 [2014-05-05 11:17:22]
  last         =        1399277842 [2014-05-05 11:17:22]
  msec_first   =               127
  msec_last    =               127
  src addr     =         10.1.6.83
  dst addr     =           0.0.0.0
  src port     =                 0
  dst port     =                 0
  fwd status   =                 0
  tcp flags    =              0x00 ......
  proto        =                 6 TCP
  (src)tos     =                 0
  (in)packets  =                 0
  (in)bytes    =                 0
  connect ID   =                 0
  fw event     =                 1: CREATE
  fw ext event =                 0
  Event time   =     1399277842127 [2014-05-05 11:17:22.127]
  src xlt ip   =         8.8.8.132
  dst xlt ip   =           0.0.0.0
  nat event    =                 1: ADD
  ingress VRF  =                 3
  egress VRF   =                 0
  pblock start =             10240
  pblock end   =                 0
  pblock step  =                 1
  pblock size  =              1024

Regards,
Adrian
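
The lookup asked about above can be done outside nfdump by post-processing its raw text output. The following is an added example, not part of the original message and not nfdump code. It assumes the field labels of the raw record shown above, a contiguous port block (pblock step 1), and that a pblock end of 0 means the end has to be derived from start and size; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of the raw record shown above (trimmed to
# the fields the lookup needs); the second record is invented for contrast.
SAMPLE = """\
Flow Record:
  src addr     =         10.1.6.83
  Event time   =     1399277842127 [2014-05-05 11:17:22.127]
  src xlt ip   =         8.8.8.132
  pblock start =             10240
  pblock end   =                 0
  pblock size  =              1024
Flow Record:
  src addr     =         10.1.6.90
  Event time   =     1399277843001 [2014-05-05 11:17:23.001]
  src xlt ip   =         8.8.8.132
  pblock start =             11264
  pblock end   =                 0
  pblock size  =              1024
"""

FIELD = re.compile(r"^\s+(.+?)\s+=\s+(\S+)")

def parse_records(text):
    """Split raw-format text into one dict of first-token field values per record."""
    records = []
    for line in text.splitlines():
        if line.startswith("Flow Record:"):
            records.append({})
            continue
        m = FIELD.match(line)
        if m and records:
            records[-1][m.group(1)] = m.group(2)
    return records

def block_contains(rec, port):
    """True if port lies in [start, end]; end is derived from size when exported as 0."""
    start = int(rec["pblock start"])
    end = int(rec["pblock end"]) or start + int(rec["pblock size"]) - 1
    return start <= port <= end

def find_customer(text, public_ip, public_port):
    """Return records whose translated IP matches and whose port block holds the port."""
    want = ipaddress.ip_address(public_ip)
    return [r for r in parse_records(text)
            if {"pblock start", "src xlt ip"} <= r.keys()
            and ipaddress.ip_address(r["src xlt ip"]) == want
            and block_contains(r, public_port)]
```

Because port blocks are released and reallocated, a real lookup also has to narrow the matches by Event time to the allocation that was active when the traffic was seen.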
_______________________________________________
Nfsen-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
