[netsa-tools-discuss] Store all IPFIX flows from NAT

Sal Ingrilli shortpasta at yahoo.com
Mon Jun 18 17:11:52 EDT 2018 

 I have a tool that can collect all elements.
Are you talking about elements 225-228 and 323 as defined here?https://www.iana.org/assignments/ipfix/ipfix.xhtml

How is the flow data coming into the system?UDP, PCAP, other?
How do you need the data out?CSV, sql database, other?

    On Monday, June 18, 2018, 1:59:44 PM PDT, Mark Thomas <mthomas at cert.org> wrote:  
 
 No, SiLK does not have support for capturing those information
elements.

-Mark


-----Original Message-----
From: Alexander Khokhlov <hohlovap at gmail.com>
Date: Mon, 18 Jun 2018 17:10:59 +0300
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] Store all IPFIX flows from NAT

Hello, I need to collect and store IPFIX flows from NAT servers.
Is it possible to collect IE 225-228,323? Please help, cant handle it!

Jun 18 16:50:07 s078r rwflowpack[27567]:
IGNORED|10.203.9.160|46.173.38.219|57099|41328|6|0|0|no forward/reverse
octets|
Jun 18 16:50:07 s078r rwflowpack[27567]: IPFIX Message out of sequence (in
domain 00000000, expected 19369e1b, got 469de6cb)
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Contains 11 Elements, Enabled by SILK_IPFIX_PRINT_TEMPLATES
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  0, Length    8, IE        323, Name observationTimeMilliseconds
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  1, Length    4, IE          8, Name sourceIPv4Address
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  2, Length    4, IE          12, Name destinationIPv4Address
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  3, Length    4, IE        225, Name postNATSourceIPv4Address
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  4, Length    4, IE        226, Name
postNATDestinationIPv4Address
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  5, Length    2, IE          7, Name sourceTransportPort
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  6, Length    2, IE          11, Name destinationTransportPort
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  7, Length    2, IE        227, Name postNAPTSourceTransportPort
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  8, Length    2, IE        228, Name
postNAPTDestinationTransportPort
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  9, Length    1, IE          4, Name protocolIdentifier
Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
Position  10, Length    1, IE        230, Name natEvent
Jun 18 16:50:07 s078r rwflowpack[27567]:
IGNORED|10.202.181.195|80.77.168.44|37680|80|6|0|0|no forward/reverse
octets|
Jun 18 16:50:07 s078r rwflowpack[27567]:
IGNORED|10.202.180.217|149.154.175.50|55263|443|6|0|0|no forward/reverse
octets|
Jun 18 16:50:07 s078r rwflowpack[27567]:
IGNORED|10.202.148.162|149.154.167.91|55439|5222|6|0|0|no forward/reverse
octets|
Jun 18 16:50:07 s078r rwflowpack[27567]:
IGNORED|10.202.157.221|94.100.180.26|54182|80|6|0|0|no forward/reverse
octets|
Jun 18 16:50:07 s078r rwflowpack[27567]:
IGNORED|10.201.6.97|149.154.167.51|19207|443|6|0|0|no forward/reverse
octets|
  
-------------- next part --------------
HTML attachment scrubbed and removed

More information about the netsa-tools-discuss mailing list