Capturing Netflow/IPFIX records from Cisco ASA running 8.4.7 firmware, to nfdump 1.6.10p1.
When I look at outbound flows, I see the source (private) IP and the destination (public) IP. But when looking at inbound flows, the destination address is the public IP, not the private IP to which it is NAT'd.

Here's an example of an outbound flow as captured by the tshark cflow decoder:

    Flow 13
      Flow Id: 2890366
      SrcAddr: 192.168.3.121 (192.168.3.121)
      SrcPort: 38853
      InputInt: 14
      DstAddr: 8.8.8.8 (8.8.8.8)
      DstPort: 53
      OutputInt: 2
      Protocol: 17
      IPv4 ICMP Type: 0
      IPv4 ICMP Code: 0
      Post NAT Source IPv4 Address: XXX.XX.XX.4 (XXX.XX.XX.4)
      Post NAT Destination IPv4 Address: 8.8.8.8 (8.8.8.8)
      Post NAPT Source Transport Port: 38853
      Post NAPT Destination Transport Port: 53
      Firewall Event: Flow deleted (2)
      Extended firewall event code: Unknown (2016)
      Observation Time Milliseconds: Nov 19, 2013 13:51:24.667000000 GMT
      Initiator Octets: 41
      Responder Octets: 108
      Ingress ACL ID: 3824e131b0dc369a00000000
      Egress ACL ID: 000000000000000000000000
      AAA username:
      StartTime: Nov 19, 2013 13:51:24.667000000 GMT

which nfdump reports as:

    Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
    2013-11-19 13:51:24.667     0.000 UDP    192.168.3.121:38853 ->          8.8.8.8:53         0       41     1

This is exactly what I want.
However, here's an example of an inbound flow:

    Flow 4
      Flow Id: 2892805
      SrcAddr: YYY.YY.YY.203 (YYY.YY.YY.203)
      SrcPort: 56145
      InputInt: 2
      DstAddr: XXX.XX.XX.10 (XXX.XX.XX.10)           << firewall outside public IP
      DstPort: 80
      OutputInt: 11
      Protocol: 6
      IPv4 ICMP Type: 0
      IPv4 ICMP Code: 0
      Post NAT Source IPv4 Address: YYY.YY.YY.203 (YYY.YY.YY.203)
      Post NAT Destination IPv4 Address: 192.168.10.104 (192.168.10.104)   << real server IP
      Post NAPT Source Transport Port: 56145
      Post NAPT Destination Transport Port: 80
      Firewall Event: Unknown (5)
      Extended firewall event code: ignore (0)
      Observation Time Milliseconds: Nov 19, 2013 13:56:25.464000000 GMT
      Initiator Octets: 1293
      Responder Octets: 660
      StartTime: Nov 19, 2013 13:55:24.273000000 GMT

nfdump reports this as:

    Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
    2013-11-19 13:55:24.273     0.000 TCP    YYY.YY.YY.203:56145 ->     XXX.XX.XX.10:80          0     1293     1

or with -o raw:

    Flow Record:
      Flags        =              0x06 FLOW, Unsampled
      export sysid =                 1
      size         =                56
      first        =        1384869324 [2013-11-19 13:55:24]
      last         =        1384869324 [2013-11-19 13:55:24]
      msec_first   =               273
      msec_last    =               273
      src addr     =     YYY.YY.YY.203
      dst addr     =      XXX.XX.XX.10
      src port     =             56145
      dst port     =                80
      fwd status   =                 0
      tcp flags    =              0x00 ......
      proto        =                 6 TCP
      (src)tos     =                 0
      (in)packets  =                 0
      (in)bytes    =              1293
      input        =                 2
      output       =                11

This is much less useful, as it shows only the public IP for the incoming connection; I would much rather see the private address. [Aside: only the 'in' bytes are recorded, but that's a different issue.]

It gets more confusing if there is inbound port mapping as well.
Here, an incoming session to port 2222 is NAT'd to port 22:

    FlowSet 2
      FlowSet Id: (Data) (260)
      FlowSet Length: 72
      Flow 1
        SrcAddr: YYY.YY.YY.120 (YYY.YY.YY.120)
        SrcPort: 56026
        InputInt: 2
        DstAddr: XXX.XX.XX.8 (XXX.XX.XX.8)
        DstPort: 2222
        OutputInt: 13
        Protocol: 6
        IPv4 ICMP Type: 0
        IPv4 ICMP Code: 0
        Post NAT Source IPv4 Address: YYY.YY.YY.120 (YYY.YY.YY.120)
        Post NAT Destination IPv4 Address: 192.168.5.110 (192.168.5.110)
        Post NAPT Source Transport Port: 56026
        Post NAPT Destination Transport Port: 22
        Firewall Event: Flow denied (3)
        Extended firewall event code: Flow denied by an ingress ACL (1001)
        Observation Time Milliseconds: Nov 19, 2013 14:09:59.749000000 GMT
        Ingress ACL ID: 266a12c40000000000000000
        Egress ACL ID: 000000000000000000000000
      Padding (2 bytes)

However, nfdump shows the session to XXX.XX.XX.8:2222 as:

    Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
    2013-11-19 14:09:59.749     0.000 TCP    YYY.YY.YY.120:56026 ->     XXX.XX.XX.8:11122        0        0     1

or with -o raw:

    Flow Record:
      Flags        =              0x06 FLOW, Unsampled
      export sysid =                 1
      size         =                56
      first        =        1384870199 [2013-11-19 14:09:59]
      last         =        1384870199 [2013-11-19 14:09:59]
      msec_first   =               749
      msec_last    =               749
      src addr     =     YYY.YY.YY.120
      dst addr     =       XXX.XX.XX.8
      src port     =             56026
      dst port     =             11122
      fwd status   =                 0
      tcp flags    =              0x00 ......
      proto        =                 6 TCP
      (src)tos     =                 0
      (in)packets  =                 0
      (in)bytes    =                 0
      input        =                 2
      output       =                13

Again, I'd rather see the private IP and the real port 22.

I think the way to achieve this would be:

* nfdump src addr and src port to remain "SrcAddr" and "SrcPort" as today
* nfdump dst addr and dst port to be "Post NAT Destination IPv4 Address" and "Post NAPT Destination Transport Port" if those fields are present, otherwise fall back to DstAddr and DstPort.

Does that seem reasonable?
Note: the running nfcapd command line is:

    /usr/local/bin/nfcapd -w -D -p 9001 -u netflow -g www-data -B 200000 -S 1 -P /var/nfsen/var/run/p9001.pid -z -I asa1 -l /var/nfsen/profiles-data/live/asa1

If I try setting $EXTENSIONS='NSEL'; then it's rejected:

    Starting nfcapd:(asa1)Extension format error: Unexpected string: NSEL.

I can set $EXTENSIONS = '+27,+28'; which gives a command line with -T +27,+28, but I don't see any difference in the output of nfdump -o raw, i.e. no additional fields for translated addresses or ports.

Regards,
Brian.

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
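As an added illustration of the substitution rule proposed in the message above (this is example code written for this page, not part of nfdump or the poster's setup): the records below are reconstructed from the three tshark decodes quoted in the post, keyed by the IANA IPFIX information element IDs that tshark's "Post NAT ..." / "Post NAPT ..." labels correspond to, with the redacted public addresses kept as the post's XXX/YYY placeholders. The rule is applied exactly as proposed, source as exported and destination taken from the post-NAT fields when present, with a fallback to DstAddr/DstPort; a fourth record without any NAT fields (constructed, not from the post) exercises the fallback. Treating a zero or all-zero value as "not exported" is an assumption of this example; every record on the page carries real values.

```python
# Added example (not nfdump's code): apply "prefer the post-NAT destination
# fields, fall back to DstAddr/DstPort" to decoded Cisco ASA NSEL records.
from typing import Dict, Tuple

# IANA IPFIX information element IDs. 225-228 are the fields tshark labels
# "Post NAT ... IPv4 Address" and "Post NAPT ... Transport Port".
PROTO = 4
SRC_PORT = 7
SRC_ADDR = 8
DST_PORT = 11
DST_ADDR = 12
POST_NAT_SRC_ADDR = 225
POST_NAT_DST_ADDR = 226
POST_NAPT_SRC_PORT = 227
POST_NAPT_DST_PORT = 228

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

Record = Dict[int, object]


def _present(value) -> bool:
    """Assumption for this example: a missing, zero or all-zero value means
    the exporter did not supply the field, so the fallback applies."""
    return value not in (None, 0, "", "0.0.0.0")


def effective_tuple(rec: Record) -> Tuple[str, int, str, int]:
    """(src, sport, dst, dport) as proposed in the post: source address and
    port as exported, destination from the post-NAT fields when present."""
    dst = rec.get(POST_NAT_DST_ADDR)
    dport = rec.get(POST_NAPT_DST_PORT)
    if not _present(dst):
        dst = rec[DST_ADDR]
    if not _present(dport):
        dport = rec[DST_PORT]
    return str(rec[SRC_ADDR]), int(rec[SRC_PORT]), str(dst), int(dport)


def translated(rec: Record) -> bool:
    """True when the exporter reports a translation on either side of the
    flow, i.e. any post-NAT/NAPT field differs from its pre-NAT counterpart."""
    pairs = ((POST_NAT_SRC_ADDR, SRC_ADDR), (POST_NAT_DST_ADDR, DST_ADDR),
             (POST_NAPT_SRC_PORT, SRC_PORT), (POST_NAPT_DST_PORT, DST_PORT))
    return any(_present(rec.get(post)) and rec[post] != rec[pre]
               for post, pre in pairs)


def format_line(rec: Record) -> str:
    """nfdump-style 'PROTO src:sport -> dst:dport' using the effective tuple."""
    src, sport, dst, dport = effective_tuple(rec)
    proto = PROTO_NAMES.get(int(rec[PROTO]), str(rec[PROTO]))
    return f"{proto} {src}:{sport} -> {dst}:{dport}"


# Reconstructed from the tshark decodes quoted in the post (public addresses
# left as the post's XXX/YYY placeholders, so they are plain strings here).
OUTBOUND_DNS: Record = {
    PROTO: 17, SRC_ADDR: "192.168.3.121", SRC_PORT: 38853,
    DST_ADDR: "8.8.8.8", DST_PORT: 53,
    POST_NAT_SRC_ADDR: "XXX.XX.XX.4", POST_NAT_DST_ADDR: "8.8.8.8",
    POST_NAPT_SRC_PORT: 38853, POST_NAPT_DST_PORT: 53,
}
INBOUND_HTTP: Record = {
    PROTO: 6, SRC_ADDR: "YYY.YY.YY.203", SRC_PORT: 56145,
    DST_ADDR: "XXX.XX.XX.10", DST_PORT: 80,
    POST_NAT_SRC_ADDR: "YYY.YY.YY.203", POST_NAT_DST_ADDR: "192.168.10.104",
    POST_NAPT_SRC_PORT: 56145, POST_NAPT_DST_PORT: 80,
}
INBOUND_SSH_MAPPED: Record = {
    PROTO: 6, SRC_ADDR: "YYY.YY.YY.120", SRC_PORT: 56026,
    DST_ADDR: "XXX.XX.XX.8", DST_PORT: 2222,
    POST_NAT_SRC_ADDR: "YYY.YY.YY.120", POST_NAT_DST_ADDR: "192.168.5.110",
    POST_NAPT_SRC_PORT: 56026, POST_NAPT_DST_PORT: 22,
}
# Constructed: a record with no NAT fields at all, to exercise the fallback.
NO_NAT_FIELDS: Record = {
    PROTO: 6, SRC_ADDR: "192.168.1.5", SRC_PORT: 40000,
    DST_ADDR: "192.168.1.9", DST_PORT: 443,
}

if __name__ == "__main__":
    for rec in (OUTBOUND_DNS, INBOUND_HTTP, INBOUND_SSH_MAPPED, NO_NAT_FIELDS):
        print(format_line(rec), "(translated)" if translated(rec) else "")
```

Applied to the outbound DNS record the rule is a no-op, because there Post NAT Destination equals DstAddr, so the single substitution covers both directions; on the two inbound records it yields the inside server address and, for the port-mapped session, the real port 22 rather than 2222.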