[netsa-tools-discuss] Accessing translated src/dst address fields?

Brian Candler b.candler at pobox.com
Fri Jan 28 12:45:42 EST 2022


On 28/01/2022 16:59, Mark Thomas wrote:
> SiLK uses a fixed record template, and that template largely ignores the deep packet inspection fields ("rich fields") exported by YAF.
>
> Unfortunately, there is no way to get the translated address fields into SiLK.

Thank you.

In that case, I'm wondering what's the simplest way to store and query 
complete IPFIX data.

As far as I can tell, the input to yaf has to be PCAP. If my flows come 
from a router or firewall, is there a tool which receives IPFIX records 
over the network and just writes IPFIX files to disk?  (Preferably split 
into files by time, like rwflowpack does)

Are there tools in the suite which can filter and aggregate records from 
IPFIX files? I see yaf itself has a "--filter" option, but again, it 
looks like the input has to be PCAP.

Or is this the wrong approach, and you would typically push these IPFIX 
records into something bigger like Spark+Mothra?


> In addition, I do not think YAF exports those elements based on my inspection of the YAF source code, where I do not see the elements mentioned anywhere either by ID (225--228) or by name (postNATSourceIPv4Address).

That's fine, I wouldn't expect a passive collector like YAF to do this.  
Only a device which actually NATs the packets will know what they were 
before and after.  This is mainly useful when generating flow records 
from a firewall like a Cisco ASA.

Regards,

Brian.
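As an added example, not code from this thread or from the NetSA tools: a minimal IPFIX template and data-set decoder in Python that shows where the post-NAT elements (IANA IEs 225-228) would appear in a record exported by a NAT device such as a firewall, so a collector can check whether a received template actually carries them. The message it parses is constructed inline, not a real capture, and the field names for 225-228 are the IANA registry names.

```python
import socket
import struct

# IANA IPFIX IEs 225-228 from the thread, plus the pre-NAT address/port IEs (7, 8, 11, 12).
NAT_IES = {225: "postNATSourceIPv4Address", 226: "postNATDestinationIPv4Address",
           227: "postNAPTSourceTransportPort", 228: "postNAPTDestinationTransportPort"}
NAMES = {7: "sourceTransportPort", 8: "sourceIPv4Address",
         11: "destinationTransportPort", 12: "destinationIPv4Address", **NAT_IES}

def _decode(ie, raw):  # IPv4 IEs render dotted-quad, everything else as an integer
    return socket.inet_ntoa(raw) if ie in (8, 12, 225, 226) else int.from_bytes(raw, "big")

def parse_ipfix(msg):
    """Decode one IPFIX message (RFC 7011 layout) into (templates, records)."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10 or not 16 <= length <= len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length: raise ValueError("bad set length")
        body, p = msg[off + 4:off + set_len], 0
        if set_id == 2:  # template set: (template id, field count, IE/length pairs)
            while p + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[p:p + 4]); p += 4
                fields = []
                for _ in range(count):
                    ie, ln = struct.unpack("!HH", body[p:p + 4]); p += 4
                    if ie & 0x8000: ie, p = ie & 0x7FFF, p + 4  # enterprise IE: skip the PEN
                    fields.append((ie, ln))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:  # data set for a known template
            fields = templates[set_id]
            rec_len = sum(ln for _, ln in fields)
            while rec_len and p + rec_len <= len(body):
                rec = {}
                for ie, ln in fields:
                    rec[NAMES.get(ie, f"ie{ie}")] = _decode(ie, body[p:p + ln]); p += ln
                records.append(rec)
        off += set_len
    return templates, records

def build_sample():
    """Constructed message (not a real capture): template 256 with the NAT IEs and one record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (225, 4), (226, 4), (227, 2), (228, 2)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = (socket.inet_aton("10.0.0.5") + socket.inet_aton("203.0.113.9") + struct.pack("!HH", 40000, 443)
           + socket.inet_aton("198.51.100.1") + socket.inet_aton("203.0.113.9") + struct.pack("!HH", 50000, 443))
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 1, 1) + body
```

A template whose IE set does not include all of 225-228 (as with YAF's passive export) will simply yield records without those keys, which is the check a collector would make before trusting translated addresses.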


