[netsa-tools-discuss] Store all IPFIX flows from NAT
Mark Thomas
mthomas at cert.org
Mon Jun 18 16:59:20 EDT 2018
No, SiLK does not have support for capturing those information
elements.
-Mark
-----Original Message-----
From: Alexander Khokhlov <hohlovap at gmail.com>
Date: Mon, 18 Jun 2018 17:10:59 +0300
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] Store all IPFIX flows from NAT
Hello, I need to collect and store IPFIX flows from NAT servers.
Is it possible to collect IE 225-228, 323? Please help, can't handle it!
Jun 18 16:50:07 s078r rwflowpack[27567]: IGNORED|10.203.9.160|46.173.38.219|57099|41328|6|0|0|no forward/reverse octets|
Jun 18 16:50:07 s078r rwflowpack[27567]: IPFIX Message out of sequence (in domain 00000000, expected 19369e1b, got 469de6cb)
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Contains 11 Elements, Enabled by SILK_IPFIX_PRINT_TEMPLATES
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 0, Length 8, IE 323, Name observationTimeMilliseconds
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 1, Length 4, IE 8, Name sourceIPv4Address
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 2, Length 4, IE 12, Name destinationIPv4Address
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 3, Length 4, IE 225, Name postNATSourceIPv4Address
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 4, Length 4, IE 226, Name postNATDestinationIPv4Address
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 5, Length 2, IE 7, Name sourceTransportPort
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 6, Length 2, IE 11, Name destinationTransportPort
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 7, Length 2, IE 227, Name postNAPTSourceTransportPort
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 8, Length 2, IE 228, Name postNAPTDestinationTransportPort
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 9, Length 1, IE 4, Name protocolIdentifier
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102, Position 10, Length 1, IE 230, Name natEvent
Jun 18 16:50:07 s078r rwflowpack[27567]: IGNORED|10.202.181.195|80.77.168.44|37680|80|6|0|0|no forward/reverse octets|
Jun 18 16:50:07 s078r rwflowpack[27567]: IGNORED|10.202.180.217|149.154.175.50|55263|443|6|0|0|no forward/reverse octets|
Jun 18 16:50:07 s078r rwflowpack[27567]: IGNORED|10.202.148.162|149.154.167.91|55439|5222|6|0|0|no forward/reverse octets|
Jun 18 16:50:07 s078r rwflowpack[27567]: IGNORED|10.202.157.221|94.100.180.26|54182|80|6|0|0|no forward/reverse octets|
Jun 18 16:50:07 s078r rwflowpack[27567]: IGNORED|10.201.6.97|149.154.167.51|19207|443|6|0|0|no forward/reverse octets|
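
An added example, not part of the original thread and not SiLK code: a sketch that decodes one data record laid out per template 0x0102 as printed in the log above, to show the pre- and post-NAT fields such a record carries. The function names, the sample record bytes, the post-NAT address and port, the timestamp and the natEvent value are constructed for illustration.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# Template 0x0102 as printed in the rwflowpack log: (IE number, name, length in bytes)
TEMPLATE_0102 = [
    (323, "observationTimeMilliseconds", 8),
    (8, "sourceIPv4Address", 4),
    (12, "destinationIPv4Address", 4),
    (225, "postNATSourceIPv4Address", 4),
    (226, "postNATDestinationIPv4Address", 4),
    (7, "sourceTransportPort", 2),
    (11, "destinationTransportPort", 2),
    (227, "postNAPTSourceTransportPort", 2),
    (228, "postNAPTDestinationTransportPort", 2),
    (4, "protocolIdentifier", 1),
    (230, "natEvent", 1),
]

def record_length(template=TEMPLATE_0102):
    return sum(length for _, _, length in template)

def decode_record(buf, template=TEMPLATE_0102):
    """Decode one fixed-length data record (network byte order) per the template."""
    need = record_length(template)
    if len(buf) < need:
        raise ValueError(f"short record: {len(buf)} < {need} bytes")
    rec, off = {}, 0
    for _ie, name, length in template:
        raw, off = buf[off:off + length], off + length
        if name.endswith("IPv4Address"):
            rec[name] = str(ipaddress.IPv4Address(raw))
        elif name == "observationTimeMilliseconds":
            ms = int.from_bytes(raw, "big")
            rec[name] = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
        else:
            rec[name] = int.from_bytes(raw, "big")
    return rec

def build_sample():
    """Constructed record. Pre-NAT values are borrowed from the first IGNORED
    log line (assumed order: src, dst, sport, dport); the rest is invented."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return struct.pack("!Q4s4s4s4sHHHHBB", 1529329807000,
                       ip("10.203.9.160"), ip("46.173.38.219"),
                       ip("192.0.2.10"), ip("46.173.38.219"),
                       57099, 41328, 40001, 41328, 6, 1)

if __name__ == "__main__":
    for field, value in decode_record(build_sample()).items():
        print(f"{field:34} {value}")
```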