[netsa-tools-discuss] Store all IPFIX flows from NAT

Alexander Khokhlov hohlovap at gmail.com
Tue Jun 19 04:13:46 EDT 2018


Hi, thanks, yes, all according to
https://www.iana.org/assignments/ipfix/ipfix.xhtml

Flow data is coming in by UDP.

Today the data is stored in MySQL by nfacct, but it takes too much disk space.
And we are trying to find a better solution to reduce disk space usage.

P.S. Sorry for my English)



2018-06-19 0:11 GMT+03:00 Sal Ingrilli <shortpasta at yahoo.com>:

> I have a tool that can collect all elements.
>
> Are you talking about elements 225-228 and 323 as defined here?
> https://www.iana.org/assignments/ipfix/ipfix.xhtml
>
> How is the flow data coming into the system?
> UDP, PCAP, other?
>
> How do you need the data out?
> CSV, sql database, other?
>
>
> On Monday, June 18, 2018, 1:59:44 PM PDT, Mark Thomas <mthomas at cert.org>
> wrote:
>
>
> No, SiLK does not have support for capturing those information
> elements.
>
> -Mark
>
>
> -----Original Message-----
> From: Alexander Khokhlov <hohlovap at gmail.com>
> Date: Mon, 18 Jun 2018 17:10:59 +0300
> To: <netsa-tools-discuss at cert.org>
> Subject: [netsa-tools-discuss] Store all IPFIX flows from NAT
>
> Hello, I need to collect and store IPFIX flows from NAT servers.
> Is it possible to collect IE 225-228,323? Please help, can't handle it!
>
> Jun 18 16:50:07 s078r rwflowpack[27567]:
> IGNORED|10.203.9.160|46.173.38.219|57099|41328|6|0|0|no forward/reverse
> octets|
> Jun 18 16:50:07 s078r rwflowpack[27567]: IPFIX Message out of sequence (in
> domain 00000000, expected 19369e1b, got 469de6cb)
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Contains 11 Elements, Enabled by SILK_IPFIX_PRINT_TEMPLATES
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  0, Length    8, IE        323, Name observationTimeMilliseconds
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  1, Length    4, IE          8, Name sourceIPv4Address
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  2, Length    4, IE          12, Name destinationIPv4Address
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  3, Length    4, IE        225, Name postNATSourceIPv4Address
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  4, Length    4, IE        226, Name
> postNATDestinationIPv4Address
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  5, Length    2, IE          7, Name sourceTransportPort
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  6, Length    2, IE          11, Name destinationTransportPort
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  7, Length    2, IE        227, Name postNAPTSourceTransportPort
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  8, Length    2, IE        228, Name
> postNAPTDestinationTransportPort
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  9, Length    1, IE          4, Name protocolIdentifier
> Jun 18 16:50:07 s078r rwflowpack[27567]: Domain 000000, TemplateID 0X0102,
> Position  10, Length    1, IE        230, Name natEvent
> Jun 18 16:50:07 s078r rwflowpack[27567]:
> IGNORED|10.202.181.195|80.77.168.44|37680|80|6|0|0|no forward/reverse
> octets|
> Jun 18 16:50:07 s078r rwflowpack[27567]:
> IGNORED|10.202.180.217|149.154.175.50|55263|443|6|0|0|no forward/reverse
> octets|
> Jun 18 16:50:07 s078r rwflowpack[27567]:
> IGNORED|10.202.148.162|149.154.167.91|55439|5222|6|0|0|no forward/reverse
> octets|
> Jun 18 16:50:07 s078r rwflowpack[27567]:
> IGNORED|10.202.157.221|94.100.180.26|54182|80|6|0|0|no forward/reverse
> octets|
> Jun 18 16:50:07 s078r rwflowpack[27567]:
> IGNORED|10.201.6.97|149.154.167.51|19207|443|6|0|0|no forward/reverse
> octets|
>
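
Added example (not part of the original thread, and not SiLK or nfacct code): a minimal Python decoder for data records laid out by the TemplateID 0x0102 template printed in the log above, showing that each NAT event is a fixed 34-byte record. It assumes the template is hard-coded rather than learned from template sets and that each UDP datagram carries one IPFIX message; the sample message is constructed and uses documentation-range addresses.

```python
import ipaddress
import struct

# Field order and lengths copied from the TemplateID 0x0102 log lines above.
# Assumption: hard-coded layout; a real collector learns it from template sets.
TEMPLATE_ID = 0x0102
RECORD = struct.Struct("!Q4s4s4s4sHHHHBB")   # 8+4+4+4+4+2+2+2+2+1+1 = 34 bytes
FIELDS = ("observationTimeMilliseconds", "sourceIPv4Address",
          "destinationIPv4Address", "postNATSourceIPv4Address",
          "postNATDestinationIPv4Address", "sourceTransportPort",
          "destinationTransportPort", "postNAPTSourceTransportPort",
          "postNAPTDestinationTransportPort", "protocolIdentifier", "natEvent")
MSG_HDR = struct.Struct("!HHIII")   # version, length, export time, sequence, domain
SET_HDR = struct.Struct("!HH")      # set ID, set length (header included)

def decode_message(msg: bytes) -> list:
    """Return the NAT records of one IPFIX message (one UDP datagram)."""
    if len(msg) < MSG_HDR.size:
        raise ValueError("truncated message header")
    version, length, _export, _seq, _domain = MSG_HDR.unpack_from(msg)
    if version != 10 or length != len(msg):
        raise ValueError("not an IPFIX message or bad length")
    records, off = [], MSG_HDR.size
    while off < length:
        if length - off < SET_HDR.size:
            raise ValueError("truncated set header")
        set_id, set_len = SET_HDR.unpack_from(msg, off)
        if set_len < SET_HDR.size or off + set_len > length:
            raise ValueError("bad set length")
        if set_id == TEMPLATE_ID:
            body = msg[off + SET_HDR.size: off + set_len]
            # Trailing bytes shorter than one record are set padding.
            for i in range(len(body) // RECORD.size):
                rec = dict(zip(FIELDS, RECORD.unpack_from(body, i * RECORD.size)))
                for name in FIELDS[1:5]:
                    rec[name] = str(ipaddress.IPv4Address(rec[name]))
                records.append(rec)
        off += set_len      # template sets (ID 2) and other sets are skipped
    return records

def build_sample() -> bytes:
    """Constructed one-record message; addresses are documentation ranges."""
    rec = RECORD.pack(1529326207000, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]),
                      bytes([203, 0, 113, 5]), bytes([198, 51, 100, 7]),
                      57099, 443, 40001, 443, 6, 1)
    data_set = SET_HDR.pack(TEMPLATE_ID, SET_HDR.size + len(rec) + 2) + rec + b"\0\0"
    return MSG_HDR.pack(10, MSG_HDR.size + len(data_set), 1529326207, 1, 0) + data_set
```

Appending the raw 34-byte records to a file, instead of inserting decoded rows into a database, keeps storage at the size the exporter already uses on the wire.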