I've been trying for a while to figure out if NFDUMP will allow me to tie
the pre- and post-NAT traffic together. A recent recompile has added an X-Src
and X-Dst (I think this is for Cisco ASA).
I am using Cisco IOS with Netflow v9. I compiled nfdump with
--enable-nfprofile --enable-nftrack --enable-nsel and --enable-sel.
Thanks for any help.
Aggregated flows 1045
Top 100 flows ordered by flows:
Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte
2015-03-04 09:49:25.676 INVALID Ignore TCP 74.125.196.188:443 -> 204.116.93.xxx:62819 0.0.0.0:0 -> 0.0.0.0:0 364 0
2015-03-04 09:49:38.604 INVALID Ignore TCP 204.116.93.xxx:2163 -> 108.160.170.49:443 0.0.0.0:0 -> 0.0.0.0:0 2926 0
2015-03-04 09:49:38.600 INVALID Ignore TCP 108.160.170.49:443 -> 204.116.93.xxx:2163 0.0.0.0:0 -> 0.0.0.0:0 2499 0
2015-03-04 09:49:38.604 INVALID Ignore TCP 192.168.1.65:2163 -> 108.160.170.49:443 0.0.0.0:0 -> 0.0.0.0:0 2926 0
2015-03-04 09:49:25.640 INVALID Ignore TCP 192.168.2.19:62819 -> 74.125.196.188:443 0.0.0.0:0 -> 0.0.0.0:0 287 0
2015-03-04 09:49:25.640 INVALID Ignore TCP 204.116.93.xxx:62819 -> 74.125.196.188:443 0.0.0.0:0 -> 0.0.0.0:0 287 0
2015-03-04 09:49:21.697 INVALID Ignore TCP 204.116.93.xxx:2835 -> 31.13.73.1:443 0.0.0.0:0 -> 0.0.0.0:0 16798 0
2015-03-04 09:49:42.691 INVALID Ignore TCP 204.116.93.xxx:49280 -> 108.160.169.188:443 0.0.0.0:0 -> 0.0.0.0:0 3696 0
2015-03-04 09:49:42.691 INVALID Ignore TCP 192.168.2.15:49280 -> 108.160.169.188:443 0.0.0.0:0 -> 0.0.0.0:0 3696 0
2015-03-04 09:49:42.402 INVALID Ignore TCP 108.160.169.188:443 -> 204.116.93.xxx:49280 0.0.0.0:0 -> 0.0.0.0:0 2819 0
2015-03-04 09:49:21.693 INVALID Ignore TCP 192.168.3.23:2835 -> 31.13.73.1:443 0.0.0.0:0 -> 0.0.0.0:0 16798 0
2015-03-04 09:50:08.285 INVALID Ignore TCP 192.168.3.23:1502 -> 64.53.32.162:80 0.0.0.0:0 -> 0.0.0.0:0 11124 0
2015-03-04 09:49:29.183 INVALID Ignore TCP 204.116.93.xxx:39461 -> 54.164.36.33:80 0.0.0.0:0 -> 0.0.0.0:0 2075 0
2015-03-04 09:50:22.440 INVALID Ignore TCP 54.164.36.33:80 -> 204.116.93.xxx:60078 0.0.0.0:0 -> 0.0.0.0:0 1894 0
2015-03-04 09:50:20.381 INVALID Ignore TCP 54.164.36.33:80 -> 204.116.93.xxx:33010 0.0.0.0:0 -> 0.0.0.0:0 1821 0
2015-03-04 09:50:20.381 INVALID Ignore TCP 192.168.2.24:33010 -> 54.164.36.33:80 0.0.0.0:0 -> 0.0.0.0:0 2082 0
2015-03-04 09:49:43.609 INVALID Ignore TCP 204.116.93.xxx:51530 -> 54.152.1.242:443 0.0.0.0:0 -> 0.0.0.0:0 457 0
2015-03-04 09:49:29.183 INVALID Ignore TCP 192.168.2.14:39461 -> 54.164.36.33:80 0.0.0.0:0 -> 0.0.0.0:0 2075 0
2015-03-04 09:49:53.412 INVALID Ignore TCP 204.116.93.xxx:40733 -> 54.164.36.33:80 0.0.0.0:0 -> 0.0.0.0:0 2231 0
2015-03-04 09:49:43.778 INVALID Ignore TCP 192.168.1.62:51529 -> 54.152.187.227:443 0.0.0.0:0 -> 0.0.0.0:0 405 0
2015-03-04 09:50:08.289 INVALID Ignore TCP 204.116.93.xxx:1502 -> 64.53.32.162:80 0.0.0.0:0 -> 0.0.0.0:0 11124 0
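Since every X-Src/X-Dst column in the output above reads 0.0.0.0:0, the inside (192.168.x.x) and outside (204.116.93.xxx) copies of a session can instead be tied together by the fields both records share: protocol, source port, destination and start time. The script below is an added example, not code from the post or from nfdump; it assumes the NAT preserves the source port (true for every pair visible above) and uses a handful of records copied from that output as its sample input.

```python
import ipaddress
import re
from datetime import datetime

# Sample input: records copied from the nfdump output above, one record per
# line; addresses the poster masked as "xxx" are left masked.
SAMPLE = """\
2015-03-04 09:49:38.604 INVALID Ignore TCP 204.116.93.xxx:2163 -> 108.160.170.49:443 0.0.0.0:0 -> 0.0.0.0:0 2926 0
2015-03-04 09:49:38.604 INVALID Ignore TCP 192.168.1.65:2163 -> 108.160.170.49:443 0.0.0.0:0 -> 0.0.0.0:0 2926 0
2015-03-04 09:49:25.640 INVALID Ignore TCP 192.168.2.19:62819 -> 74.125.196.188:443 0.0.0.0:0 -> 0.0.0.0:0 287 0
2015-03-04 09:49:25.640 INVALID Ignore TCP 204.116.93.xxx:62819 -> 74.125.196.188:443 0.0.0.0:0 -> 0.0.0.0:0 287 0
2015-03-04 09:49:42.402 INVALID Ignore TCP 108.160.169.188:443 -> 204.116.93.xxx:49280 0.0.0.0:0 -> 0.0.0.0:0 2819 0
"""
# Columns: date time, Event, XEvent, Proto, src:port -> dst:port,
#          xsrc:port -> xdst:port, in bytes, out bytes
REC = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+):(\d+) -> (\S+):(\d+) "
                 r"(\S+):(\d+) -> (\S+):(\d+) (\d+) (\d+)$")

def parse(text):
    """Parse nfdump long-format lines into dicts; non-matching lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m:
            continue
        ts, _ev, _xev, proto, sip, sp, dip, dp, _xs, _xsp, _xd, _xdp, ib, _ob = m.groups()
        recs.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), "proto": proto,
                     "src": sip, "sport": int(sp), "dst": dip, "dport": int(dp), "bytes": int(ib)})
    return recs

def is_private(ip):
    """RFC 1918 check; a masked address such as 204.116.93.xxx cannot be private."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False

def correlate(recs, window_ms=100):
    """Pair each inside record (private source) with the outside record sharing
    protocol, source port, destination and a start time within window_ms.
    Assumption: the NAT keeps the source port; with port rewriting this key fails."""
    outside = [r for r in recs if not is_private(r["src"])]
    pairs = []
    for r in recs:
        if not is_private(r["src"]):
            continue
        for o in outside:
            same_key = ((o["proto"], o["sport"], o["dst"], o["dport"]) ==
                        (r["proto"], r["sport"], r["dst"], r["dport"]))
            if same_key and abs((o["ts"] - r["ts"]).total_seconds()) * 1000 <= window_ms:
                pairs.append((r["src"], o["src"], r["dst"], r["dport"], r["bytes"]))
    return pairs
```

Each tuple returned by correlate() is (inside address, NAT address, destination, destination port, bytes), so the two outbound sessions in the sample resolve to 192.168.1.65 and 192.168.2.19 behind 204.116.93.xxx.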
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss