[netsa-tools-discuss] Accessing translated src/dst address fields?
Brian Candler
b.candler at pobox.com
Thu Jan 27 09:38:18 EST 2022
I am trying out SiLK, as an alternative to nfdump that I've been using
until now.
In the IPFIX records from my router, I get translated (NAT) source and
dest addresses in addition to plain source and destination addresses.
However I've been unable to work out if I can retrieve these in SiLK.
Table 1.1 in the "analysis handbook" doesn't show them, nor does "rwcut
--help-fields". OTOH, I read that yaf can generate very rich IPFIX data
with all sorts of deep-packet decoding, so I would expect SiLK to be
able to store this data somehow.
At the end of this mail I have attached a couple of sample flow records
captured by tshark.
nfdump (compiled with --enable-nsel) displays these extra fields as
"X-Src" and "X-Dst":
nfdump -M /var/nfsen/profiles-data/live/gw1:gw2 -T -r 2022/01/27/nfcapd.202201271350 -c 20
nfdump filter:
host 8.8.8.8
Date first seen          Event   XEvent Proto     Src IP Addr:Port        Dst IP Addr:Port        X-Src IP Addr:Port      X-Dst IP Addr:Port   In Byte Out Byte
2022-01-27 13:50:13.970  INVALID Ignore ICMP          8.8.8.8:0    ->  XX.XXX.XXX.XXX:0.0             8.8.8.8:0    ->     10.12.0.100:0        252        0
2022-01-27 13:50:13.970  INVALID Ignore ICMP      10.12.0.100:0    ->         8.8.8.8:0.0      XX.XXX.XXX.XXX:0    ->         8.8.8.8:0        252        0
In short: are these fields stored in SiLK, and if so, how do I access them?
Thanks,
Brian.
-=-=-=-=-=-
IPFIX decoded by: tshark -i eth0 -nnV -s0 -d udp.port==18001,cflow udp port 18001
Traffic generated by: ping -c3 8.8.8.8
Flow 4
IPVersion: 4
[Duration: 1.010000000 seconds (switched)]
StartTime: 1653060.304000000 seconds
EndTime: 1653061.314000000 seconds
System Init Time: Jan 8, 2022 10:39:14.036000000 UTC
Packets: 3
Octets: 252
SrcPort: 0
DstPort: 0
InputInt: 13
OutputInt: 18
Protocol: ICMP (1)
IP ToS: 0x50
TCP Flags: 0x00
00.. .... = Reserved: 0x0
..0. .... = URG: Not used
...0 .... = ACK: Not used
.... 0... = PSH: Not used
.... .0.. = RST: Not used
.... ..0. = SYN: Not used
.... ...0 = FIN: Not used
Post Destination Mac Address: 00:00:00:00:00:00
Destination Mac Address: 00:00:00:00:00:00
Post Source Mac Address: 48:8f:5a:9c:3a:06
Source Mac Address: 14:7b:ac:b2:f7:12
SrcAddr: 8.8.8.8
DstAddr: <SNIP-my-public-IP>
NextHop: 10.12.0.100
SrcMask: 0
DstMask: 0
IP TTL: 120
IsMulticast: 0x00
IP Header Length: 5
IP Total Length: 84
UDP Length: 0
TCP Sequence Number: 0
TCP Acknowledgement Number: 0
TCP Windows Size: 0
IGMP Type: 0
IPv4 ICMP Type: 0
IPv4 ICMP Code: 0
Post NAT Source IPv4 Address: 8.8.8.8
Post NAT Destination IPv4 Address: 10.12.0.100
Post NAPT Source Transport Port: 0
Post NAPT Destination Transport Port: 0
Flow 5
IPVersion: 4
[Duration: 2.010000000 seconds (switched)]
StartTime: 1653060.304000000 seconds
EndTime: 1653062.314000000 seconds
System Init Time: Jan 8, 2022 10:39:14.036000000 UTC
Packets: 3
Octets: 252
SrcPort: 0
DstPort: 0
InputInt: 18
OutputInt: 13
Protocol: ICMP (1)
IP ToS: 0x00
TCP Flags: 0x00
00.. .... = Reserved: 0x0
..0. .... = URG: Not used
...0 .... = ACK: Not used
.... 0... = PSH: Not used
.... .0.. = RST: Not used
.... ..0. = SYN: Not used
.... ...0 = FIN: Not used
Post Destination Mac Address: 00:00:00:00:00:00
Destination Mac Address: 48:8f:5a:9c:3a:06
Post Source Mac Address: 00:00:00:00:00:00
Source Mac Address: 00:00:00:00:00:00
SrcAddr: 10.12.0.100
DstAddr: 8.8.8.8
NextHop: 8.8.8.8
SrcMask: 0
DstMask: 0
IP TTL: 63
IsMulticast: 0x00
IP Header Length: 5
IP Total Length: 84
UDP Length: 0
TCP Sequence Number: 0
TCP Acknowledgement Number: 0
TCP Windows Size: 0
IGMP Type: 0
IPv4 ICMP Type: 8
IPv4 ICMP Code: 0
Post NAT Source IPv4 Address: <SNIP-my-public-IP>
Post NAT Destination IPv4 Address: 8.8.8.8
Post NAPT Source Transport Port: 0
Post NAPT Destination Transport Port: 0
Looking at nfdump source, I believe these are the tags:
#define NF_F_XLATE_SRC_ADDR_IPV4 225
#define NF_F_XLATE_DST_ADDR_IPV4 226
#define NF_F_XLATE_SRC_PORT 227
#define NF_F_XLATE_DST_PORT 228
with additional compatibility values for ASA 8.4 NSEL:
#define NF_F_XLATE_SRC_ADDR_84 40001
#define NF_F_XLATE_DST_ADDR_84 40002
#define NF_F_XLATE_SRC_PORT_84 40003
#define NF_F_XLATE_DST_PORT_84 40004
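As an added worked example (not from the original post, nor code from SiLK or nfdump): a minimal IPFIX (RFC 7011) decoder that learns a template and pulls elements 225-228 out of a data record, which is a quick way to confirm what the router actually exports before chasing the collector. The sample message is constructed here to mirror Flow 5 above, with the snipped public address replaced by the documentation address 203.0.113.5.

```python
import struct
from ipaddress import IPv4Address

# IANA IPFIX element IDs; 225-228 are the post-NAT fields nfdump shows as X-Src/X-Dst
IE = {8: "srcaddr", 12: "dstaddr", 4: "proto", 225: "xsrcaddr", 226: "xdstaddr",
      227: "xsrcport", 228: "xdstport"}
ADDR_IES = {8, 12, 225, 226}

def parse_ipfix(msg, templates=None):
    """Decode the data records of one IPFIX message (RFC 7011), learning templates as seen."""
    templates = {} if templates is None else templates
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10 or length != len(msg):
        raise ValueError("not a complete IPFIX message")
    records, off = [], 16                       # skip the 16-byte message header
    while off < length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        body, off, pos = msg[off + 4:off + set_len], off + set_len, 0
        if set_id == 2:                         # template set: templateID, count, (IE, len)...
            while pos + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[pos:pos + 4])
                pos, fields = pos + 4, []
                for _ in range(n):
                    ie, flen = struct.unpack("!HH", body[pos:pos + 4])
                    pos += 8 if ie & 0x8000 else 4   # enterprise IEs carry a 4-byte PEN
                    fields.append((ie, flen))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:  # data set described by a known template
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            while pos + rec_len <= len(body):   # trailing bytes shorter than a record are padding
                rec = {}
                for ie, flen in fields:
                    raw, pos = body[pos:pos + flen], pos + flen
                    rec[IE.get(ie, f"ie{ie}")] = (str(IPv4Address(raw)) if ie in ADDR_IES
                                                  else int.from_bytes(raw, "big"))
                records.append(rec)
    return records

def sample_message():
    """Constructed message mirroring 'Flow 5' above; the snipped public IP is 203.0.113.5 here."""
    fields = [(8, 4), (12, 4), (4, 1), (225, 4), (226, 4), (227, 2), (228, 2)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = (IPv4Address("10.12.0.100").packed + IPv4Address("8.8.8.8").packed + b"\x01"
           + IPv4Address("203.0.113.5").packed + IPv4Address("8.8.8.8").packed + bytes(4))
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(body), 1643291413, 1, 0) + body
```

Feeding the decoder real exports (e.g. the UDP payloads tshark captured on port 18001) shows whether the template carries 225-228 or the ASA 8.4 enterprise variants, which is the first thing to check before looking for the fields on the SiLK side.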