Hello!
I have a task to save IP_SRC_ADDR, IP_DST_ADDR, postNATSourceIPv4Address
and postNATDestinationIPv4Address. These fields are present in tcpdump. In
the output of nfdump these NAT addresses are missing. Please help to solve
this problem.
nfcapd: Version: 1.6.15
nfcapd -e -z -w -t 60 -l /netflow/test -b 10.0.0.118 -p 9995 -E -T all -B 200000
Process_ipfix: [0] Add template 258
After nfcapd starts, errors appear:
Process_ipfix: [0] option template length error: size left 20 too small for 5 scopes length and 1 options length
Flow Record:
Flags = 0x06 FLOW, Unsampled
export sysid = 2
size = 68
first = 0 [1970-01-01 03:00:00]
last = 0 [1970-01-01 03:00:00]
msec_first = 0
msec_last = 0
src addr = 10.0.176.236
dst addr = 54.194.31.135
src port = 56428
dst port = 80
fwd status = 0
tcp flags = 0x00 ......
proto = 6 TCP
(src)tos = 0
(in)packets = 0
(in)bytes = 0
ip router = X.X.X.X
received at = 1489584299366 [2017-03-15 16:24:59.366]
tcpdump output
Set 1 [id=2] (Data Template): 258
FlowSet Id: Data Template (V10 [IPFIX]) (2)
FlowSet Length: 52
Template (Id = 258, Count = 11)
Template Id: 258
Field Count: 11
Field (1/11): observationTimeMilliseconds
Field (2/11): IP_SRC_ADDR
Field (3/11): IP_DST_ADDR
Field (4/11): postNATSourceIPv4Address
Field (5/11): postNATDestinationIPv4Address
Field (6/11): L4_SRC_PORT
Field (7/11): L4_DST_PORT
Field (8/11): postNAPTSourceTransportPort
Field (9/11): postNAPTDestinationTransportPort
Field (10/11): PROTOCOL
Field (11/11): natEvent
Flow 1
Observation Time Milliseconds: Mar 6, 2017 15:50:01.892000000 RTZ 2 (зима)
SrcAddr: 10.0.166.44
DstAddr: 104.157.28.150
Post NAT Source IPv4 Address: X.X.X.X
Post NAT Destination IPv4 Address: 104.157.28.150
SrcPort: 17043
DstPort: 22675
Post NAPT Source Transport Port: 17043
Post NAPT Destination Transport Port: 22675
Protocol: UDP (17)
Nat Event: 2
nfdump -r nfcapd.201703151624 -o "fmt:%nsa:%nsp => %nda:%ndp" -c 10
X-late Src IP XsPort X-late Dst IP XdPort
0.0.0.0: 0 => 0.0.0.0: 0
0.0.0.0: 0 => 0.0.0.0: 0
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
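To check whether the post-NAT fields actually arrive populated in the IPFIX stream (as the Wireshark decode above suggests) before suspecting the collector, here is an added example of a minimal IPFIX template and data-set parser. It is not nfdump's code and not part of the original post. It assumes the IANA information element ids for the eleven fields of template 258 (sourceIPv4Address 8, destinationIPv4Address 12, postNATSourceIPv4Address 225, postNATDestinationIPv4Address 226, postNAPTSourceTransportPort 227, postNAPTDestinationTransportPort 228, natEvent 230, observationTimeMilliseconds 323, ports 7/11, protocolIdentifier 4); the sample message is constructed to mirror the template and first flow in the post, with 203.0.113.1 (documentation range) standing in for the masked X.X.X.X post-NAT source.

```python
import struct
from datetime import datetime, timedelta, timezone

# IANA IPFIX information element ids for the fields in template 258.
# Assumption: taken from the IANA IPFIX registry, not from the mailing-list post.
IE_NAMES = {
    4: "protocolIdentifier",
    7: "sourceTransportPort",
    8: "sourceIPv4Address",
    11: "destinationTransportPort",
    12: "destinationIPv4Address",
    225: "postNATSourceIPv4Address",
    226: "postNATDestinationIPv4Address",
    227: "postNAPTSourceTransportPort",
    228: "postNAPTDestinationTransportPort",
    230: "natEvent",
    323: "observationTimeMilliseconds",
}
IPV4_IDS = {8, 12, 225, 226}


def decode_field(ie_id, raw):
    """Decode one fixed-length field: IPv4 as dotted quad, ms timestamp as UTC datetime, else int."""
    if ie_id in IPV4_IDS and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    value = int.from_bytes(raw, "big")
    if ie_id == 323 and len(raw) == 8:
        return datetime.fromtimestamp(value // 1000, tz=timezone.utc) + timedelta(milliseconds=value % 1000)
    return value


def parse_ipfix(message, templates=None):
    """Parse one IPFIX message (RFC 7011 layout). Returns (records, templates).

    Handles template sets (id 2) and data sets (id >= 256) with fixed-length
    elements; variable-length (65535) elements and option templates are out of scope here.
    """
    templates = {} if templates is None else templates
    version, msg_len = struct.unpack("!HH", message[:4])
    if version != 10:
        raise ValueError(f"not an IPFIX message (version {version})")
    records, offset = [], 16          # 16-byte message header
    while offset + 4 <= msg_len:
        set_id, set_len = struct.unpack("!HH", message[offset:offset + 4])
        if set_len < 4:
            raise ValueError("malformed set length")
        body = message[offset + 4:offset + set_len]
        if set_id == 2:
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(count):
                    ie_id, flen = struct.unpack("!HH", body[pos:pos + 4])
                    pos += 4
                    if ie_id & 0x8000:      # enterprise element: skip the 4-byte PEN
                        ie_id &= 0x7FFF
                        pos += 4
                    fields.append((ie_id, flen))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + rec_len <= len(body):
                rec = {}
                for ie_id, flen in fields:
                    rec[IE_NAMES.get(ie_id, f"ie{ie_id}")] = decode_field(ie_id, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        offset += set_len
    return records, templates


def nat_line(rec):
    """Render the post-NAT tuple the way nfdump's "%nsa:%nsp => %nda:%ndp" format would."""
    return (f"{rec['postNATSourceIPv4Address']}:{rec['postNAPTSourceTransportPort']} => "
            f"{rec['postNATDestinationIPv4Address']}:{rec['postNAPTDestinationTransportPort']}")


def build_sample_message():
    """Constructed IPFIX message mirroring template 258 from the post and its first flow.

    The post masks the post-NAT source as X.X.X.X; 203.0.113.1 (documentation range) stands in for it.
    """
    fields = [(323, 8), (8, 4), (12, 4), (225, 4), (226, 4),
              (7, 2), (11, 2), (227, 2), (228, 2), (4, 1), (230, 1)]
    tmpl = struct.pack("!HH", 258, len(fields)) + b"".join(struct.pack("!HH", i, l) for i, l in fields)
    template_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl      # 52 bytes, as in the capture
    ts_ms = 1488804601892  # constructed: 2017-03-06 12:50:01.892 UTC (15:50:01 at UTC+3)
    rec = (struct.pack("!Q", ts_ms)
           + bytes([10, 0, 166, 44]) + bytes([104, 157, 28, 150])
           + bytes([203, 0, 113, 1]) + bytes([104, 157, 28, 150])
           + struct.pack("!HHHH", 17043, 22675, 17043, 22675)
           + bytes([17, 2]))                                          # UDP, natEvent 2
    data_set = struct.pack("!HH", 258, 4 + len(rec)) + rec
    body = template_set + data_set
    header = struct.pack("!HHIII", 10, 16 + len(body), ts_ms // 1000, 1, 0)
    return header + body


if __name__ == "__main__":
    recs, _ = parse_ipfix(build_sample_message())
    for r in recs:
        print(r["sourceIPv4Address"], "->", r["destinationIPv4Address"], "| NAT:", nat_line(r))
```

Feeding the raw UDP payloads from the exporter (captured on port 9995) through `parse_ipfix`, carrying the `templates` dict across messages, shows directly whether elements 225/226 are non-zero on the wire; if they are, the zeros in the nfdump output point at the collector's template handling rather than at the exporter.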