[netsa-tools-discuss] Accessing translated src/dst address fields?
Mark Thomas
mthomas at cert.org
Fri Jan 28 11:59:24 EST 2022
Brian-
Thank you for the question.
SiLK uses a fixed record template, and that template largely ignores the deep packet inspection fields ("rich fields") exported by YAF.
Unfortunately, there is no way to get the translated address fields into SiLK.
In addition, I do not think YAF exports those elements based on my inspection of the YAF source code, where I do not see the elements mentioned anywhere either by ID (225--228) or by name (postNATSourceIPv4Address).
-Mark
-----Original Message-----
From: Brian Candler <b.candler at pobox.com>
Date: Thu, 27 Jan 2022 14:38:18 +0000
To: netsa-tools-discuss at cert.org
Subject: [netsa-tools-discuss] Accessing translated src/dst address fields?
I am trying out SiLK, as an alternative to nfdump that I've been using
until now.
In the IPFIX records from my router, I get translated (NAT) source and
dest addresses in addition to plain source and destination addresses.
However, I've been unable to work out if I can retrieve these in SiLK.
Table 1.1 in the "analysis handbook" doesn't show them, nor does "rwcut
--help-fields". OTOH, I read that yaf can generate very rich IPFIX data
with all sorts of deep-packet decoding, so I would expect SiLK to be
able to store this data somehow.
At the end of this mail I have attached a couple of sample flow records
captured by tshark.
nfdump (compiled with --enable-nsel) displays these extra fields as
"X-Src" and "X-Dst":
nfdump -M /var/nfsen/profiles-data/live/gw1:gw2 -T -r 2022/01/27/nfcapd.202201271350 -c 20
nfdump filter:
host 8.8.8.8
Date first seen          Event   XEvent Proto      Src IP Addr:Port        Dst IP Addr:Port      X-Src IP Addr:Port      X-Dst IP Addr:Port   In Byte Out Byte
2022-01-27 13:50:13.970  INVALID Ignore ICMP            8.8.8.8:0   ->  XX.XXX.XXX.XXX:0.0           8.8.8.8:0   ->       10.12.0.100:0      252        0
2022-01-27 13:50:13.970  INVALID Ignore ICMP        10.12.0.100:0   ->         8.8.8.8:0.0    XX.XXX.XXX.XXX:0   ->           8.8.8.8:0      252        0
In short: are these fields stored in SiLK, and if so, how do I access them?
Thanks,
Brian.
-=-=-=-=-=-
IPFIX decoded by: tshark -i eth0 -nnV -s0 -d udp.port==18001,cflow udp port 18001
Traffic generated by: ping -c3 8.8.8.8
Flow 4
IPVersion: 4
[Duration: 1.010000000 seconds (switched)]
StartTime: 1653060.304000000 seconds
EndTime: 1653061.314000000 seconds
System Init Time: Jan 8, 2022 10:39:14.036000000 UTC
Packets: 3
Octets: 252
SrcPort: 0
DstPort: 0
InputInt: 13
OutputInt: 18
Protocol: ICMP (1)
IP ToS: 0x50
TCP Flags: 0x00
00.. .... = Reserved: 0x0
..0. .... = URG: Not used
...0 .... = ACK: Not used
.... 0... = PSH: Not used
.... .0.. = RST: Not used
.... ..0. = SYN: Not used
.... ...0 = FIN: Not used
Post Destination Mac Address: 00:00:00:00:00:00
Destination Mac Address: 00:00:00:00:00:00
Post Source Mac Address: 48:8f:5a:9c:3a:06
Source Mac Address: 14:7b:ac:b2:f7:12
SrcAddr: 8.8.8.8
DstAddr: <SNIP-my-public-IP>
NextHop: 10.12.0.100
SrcMask: 0
DstMask: 0
IP TTL: 120
IsMulticast: 0x00
IP Header Length: 5
IP Total Length: 84
UDP Length: 0
TCP Sequence Number: 0
TCP Acknowledgement Number: 0
TCP Windows Size: 0
IGMP Type: 0
IPv4 ICMP Type: 0
IPv4 ICMP Code: 0
Post NAT Source IPv4 Address: 8.8.8.8
Post NAT Destination IPv4 Address: 10.12.0.100
Post NAPT Source Transport Port: 0
Post NAPT Destination Transport Port: 0
Flow 5
IPVersion: 4
[Duration: 2.010000000 seconds (switched)]
StartTime: 1653060.304000000 seconds
EndTime: 1653062.314000000 seconds
System Init Time: Jan 8, 2022 10:39:14.036000000 UTC
Packets: 3
Octets: 252
SrcPort: 0
DstPort: 0
InputInt: 18
OutputInt: 13
Protocol: ICMP (1)
IP ToS: 0x00
TCP Flags: 0x00
00.. .... = Reserved: 0x0
..0. .... = URG: Not used
...0 .... = ACK: Not used
.... 0... = PSH: Not used
.... .0.. = RST: Not used
.... ..0. = SYN: Not used
.... ...0 = FIN: Not used
Post Destination Mac Address: 00:00:00:00:00:00
Destination Mac Address: 48:8f:5a:9c:3a:06
Post Source Mac Address: 00:00:00:00:00:00
Source Mac Address: 00:00:00:00:00:00
SrcAddr: 10.12.0.100
DstAddr: 8.8.8.8
NextHop: 8.8.8.8
SrcMask: 0
DstMask: 0
IP TTL: 63
IsMulticast: 0x00
IP Header Length: 5
IP Total Length: 84
UDP Length: 0
TCP Sequence Number: 0
TCP Acknowledgement Number: 0
TCP Windows Size: 0
IGMP Type: 0
IPv4 ICMP Type: 8
IPv4 ICMP Code: 0
Post NAT Source IPv4 Address: <SNIP-my-public-IP>
Post NAT Destination IPv4 Address: 8.8.8.8
Post NAPT Source Transport Port: 0
Post NAPT Destination Transport Port: 0
Looking at nfdump source, I believe these are the tags:
#define NF_F_XLATE_SRC_ADDR_IPV4 225
#define NF_F_XLATE_DST_ADDR_IPV4 226
#define NF_F_XLATE_SRC_PORT 227
#define NF_F_XLATE_DST_PORT 228
with additional compatibility values for ASA 8.4 NSEL:
#define NF_F_XLATE_SRC_ADDR_84 40001
#define NF_F_XLATE_DST_ADDR_84 40002
#define NF_F_XLATE_SRC_PORT_84 40003
#define NF_F_XLATE_DST_PORT_84 40004
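As an added illustration of what a collector has to do to read IEs 225-228 (this is example code, not code from SiLK, YAF, nfdump or the thread), the following minimal IPFIX v10 parser learns a template that carries the translated-address elements and decodes them from a constructed record modelled on Flow 5 above; the 203.0.113.7 address is a TEST-NET-3 placeholder for the snipped public IP, and the IE numbers and names are the IANA-assigned ones quoted in the thread.

```python
import struct
# IANA IPFIX element IDs; 225-228 are the translated-address elements quoted in
# the thread. IEs not in this map are reported as "ie<N>".
IE_NAMES = {4: "protocolIdentifier", 8: "sourceIPv4Address", 12: "destinationIPv4Address",
            225: "postNATSourceIPv4Address", 226: "postNATDestinationIPv4Address",
            227: "postNAPTSourceTransportPort", 228: "postNAPTDestinationTransportPort"}
IPV4_IES = {8, 12, 225, 226}          # IEs rendered as dotted quads

def build_message(template_id, fields, records):   # v10 header + template set + data set
    tmpl = struct.pack("!HH", template_id, len(fields))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    tset = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl            # set ID 2 = templates
    dset = struct.pack("!HH", template_id, 4 + sum(map(len, records))) + b"".join(records)
    hdr = struct.pack("!HHIII", 10, 16 + len(tset) + len(dset), 0, 1, 0)
    return hdr + tset + dset

def parse_message(msg):   # walk the sets, learn templates, decode data records to dicts
    version, length = struct.unpack("!HH", msg[:4])
    assert version == 10 and length == len(msg), "not a single IPFIX message"
    templates, records, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        end, pos = off + set_len, off + 4
        if set_id == 2:                                   # template set
            while pos + 4 <= end:
                tid, count = struct.unpack("!HH", msg[pos:pos + 4])
                pos, spec = pos + 4, []
                for _ in range(count):
                    ie, ln = struct.unpack("!HH", msg[pos:pos + 4])
                    pos += 8 if ie & 0x8000 else 4        # enterprise IE carries a PEN
                    spec.append((ie & 0x7FFF, ln))
                templates[tid] = spec
        elif set_id >= 256 and set_id in templates:       # data set
            rec_len = sum(ln for _, ln in templates[set_id])
            while pos + rec_len <= end:                   # trailing padding is skipped
                rec = {}
                for ie, ln in templates[set_id]:
                    raw, pos = msg[pos:pos + ln], pos + ln
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = (".".join(map(str, raw))
                        if ie in IPV4_IES else int.from_bytes(raw, "big"))
                records.append(rec)
        off = end
    return records

def demo():   # constructed record like Flow 5 above; source NAT'd to a TEST-NET-3 placeholder
    ip = lambda s: bytes(map(int, s.split(".")))
    fields = [(8, 4), (12, 4), (4, 1), (225, 4), (226, 4), (227, 2), (228, 2)]
    rec = ip("10.12.0.100") + ip("8.8.8.8") + b"\x01" + ip("203.0.113.7") + ip("8.8.8.8") + bytes(4)
    return parse_message(build_message(256, fields, [rec]))
```

Data sets whose template has not yet been seen are dropped, which is the same behaviour a real collector shows until the exporter's template refresh arrives.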