NetFlow/IPFIX iptables module / Bugs/Requests/Patches / #77 natevent is not working

ABC - 2015-03-23

Does this server perform nat translation or it's performed on other server?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Sonny - 2015-03-24

Is in this server perform nat .
And i have enable IMQ, pppoe-server in this server .

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

ABC - 2015-03-24

Can you install conntrack-tools (you may have it in your distro), then run conntrack -E and observe if there is events going on.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Sonny - 2015-03-25

After install contract-tools

this is the message
[NEW] icmp 1 30 src=172.17.16.36 dst=211.28.128.5 type=8 code=0 id=1 [UNREPLIED] src=211.28.128.5 dst=43.129.46.11 type=0 code=0 id=1
[UPDATE] icmp 1 30 src=172.17.16.36 dst=211.28.128.5 type=8 code=0 id=1 src=211.28.128.5 dst=43.129.46.11 type=0 code=0 id=1
[DESTROY] icmp 1 src=172.17.16.36 dst=211.28.128.5 type=8 code=0 id=1 packets=1 bytes=60 src=211.28.128.5 dst=43.129.46.11 type=0 code=0 id=1 packets=1 bytes=60

my distro is Fedora 11
also i have update package as below
libnfnetlink
libmnl
libnetfilter_conntrack-1.0.4
libnetfilter_queue-1.0.2.tar.bz2
libnetfilter_cttimeout-1.0.0
libnetfilter_cthelper-1.0.0.tar

But when i reboot , conntrack -E will not display any message , before i run iptstate.

ipt_NETFLOW 2.1, srcversion 89556420DEF91883C3D504B; dir mac nel
Protocol version 9 (netflow), refresh-rate 20, timeout-rate 30, (templates 26, active 9).
Timeouts: active 15s, inactive 15s. Maxflows 2000000
Natevents enabled, count start 0, stop 0.
Flows: active 116 (peak 358 reached 0d0h16m ago), mem 640K, worker delay 100/1000 [1..100] (86 ms, 0 us, 93:0 [cpu2]).

Natevents counter still 0

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

ABC - 2015-04-01

labels: --> nel

assigned_to: ABC
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Thanks! This is rather strange. I will think about it.

I am give up for Fedora .
Right now use Centos 6 + ipt_netflow + nfsen+ nfdump

ipt_netflow and nat event is working

ipt_NETFLOW 2.1, srcversion 89556420DEF91883C3D504B; dir llist nel
Protocol version 9 (netflow), refresh-rate 20, timeout-rate 30, (templates 7, active 7).
Timeouts: active 1800s, inactive 15s. Maxflows 1048576
Natevents enabled, count start 541916, stop 533890.
Flows: active 4681 (peak 8597 reached 0d0h2m ago), mem 5851K, worker delay 100/1000 [1..100] (66 ms, 0 us, 284:0 0 [cpu5]).
Hash: size 655360 (mem 5120K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 4052284 pkt, 3751138 K, InPDU 84, 17580.
Rate: 117368358 bits/sec, 15080 packets/sec; Avg 1 min: 118310168 bps, 15548 pps; 5 min: 128957579 bps, 16698 pps
cpu#     pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total  15079; 634867 164423542 1737160 [1.00],    0    0    0    0, traffic: 166160702, 153082 MB, drop: 0, 0 K
cpu0    5852; 300075 75799203 509485 [1.00],    0    0    0    0, traffic: 76308688, 108898 MB, drop: 0, 0 K
cpu1       0;      0     19      2 [1.00],    0    0    0    0, traffic: 21, 0 MB, drop: 0, 0 K
cpu2    3788;  64827 24325931 362902 [1.00],    0    0    0    0, traffic: 24688833, 35641 MB, drop: 0, 0 K
cpu3       0;      0    198      0 [1.00],    0    0    0    0, traffic: 198, 0 MB, drop: 0, 0 K
cpu4       0;      0      8      0 [1.00],    0    0    0    0, traffic: 8, 0 MB, drop: 0, 0 K
cpu5      11;    832  83159      6 [1.00],    0    0    0    0, traffic: 83165, 113 MB, drop: 0, 0 K
cpu6       0;      8    282    685 [1.00],    0    0    0    0, traffic: 967, 0 MB, drop: 0, 0 K
cpu7    5428; 269125 64214742 864080 [1.00],    0    0    0    0, traffic: 65078822, 8428 MB, drop: 0, 0 K
Export: Rate 16438 bytes/s; Total 83161 pkts, 111 MB, 2808281 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows.
sock0: 192.168.71.231:2052, sndbuf 16777216, filled 1, peak 17105; err: sndbuf reached 0, connect 0, cberr 0, other 0

But in nfsen only some flow have show public ip address.

2016-05-10 15:39:59.944 CREATE  Ignore TCP      172.17.82.135:57841 ->   203.145.115.xx:1935     43.2xx.47.2xx:57841 ->   203.145.115.xx:1935         0        0
2016-05-10 15:40:00.007 CREATE  Ignore TCP      172.17.82.135:57842 ->   203.145.115.xx:1935     43.2xx.47.2xx:57842 ->   203.145.115.xx:1935         0        0
2016-05-10 15:39:37.846 INVALID  Ignore TCP     203.145.115.xx:1935  ->    172.17.82.135:57810          0.0.0.0:0     ->          0.0.0.0:0          748        0
2016-05-10 15:39:37.842 INVALID  Ignore TCP      172.17.82.135:57810 ->   203.145.115.xx:1935           0.0.0.0:0     ->          0.0.0.0:0          830        0
2016-05-10 15:40:05.261 DELETE  Ignore TCP      172.17.82.135:57612 ->   203.145.115.xx:1935     43.2xx.47.2xx:57612 ->   203.145.115.xx:1935         0        0
2016-05-10 15:40:09.879 DELETE  Ignore TCP      172.17.82.135:57626 ->   203.145.115.xx:1935     43.2xx.47.2xx:57626 ->   203.145.115.xx:1935         0        0
2016-05-10 15:40:10.952 CREATE  Ignore TCP      172.17.82.135:57846 ->   203.145.115.xx:1935     43.2xx.47.2xx:57846 ->   203.145.115.xx:1935         0        0
2016-05-10 15:40:10.972 CREATE  Ignore TCP      172.17.82.135:57847 ->   203.145.115.xx:1935     43.2xx.47.2xx:57847 ->   203.145.115.xx:1935         0        0
2016-05-10 15:40:11.038 CREATE  Ignore TCP      172.17.82.135:57848 ->   203.145.115.xx:1935     43.2xx.47.2xx:57848 ->   203.145.115.xx:1935         0        0
2016-05-10 15:39:47.951 INVALID  Ignore TCP      172.17.82.135:57832 ->   203.145.115.xx:1935           0.0.0.0:0     ->          0.0.0.0:0          830        0
2016-05-10 15:39:48.863 INVALID  Ignore TCP     203.145.115.xx:1935  ->    172.17.82.135:57832          0.0.0.0:0     ->          0.0.0.0:0          748        0
2016-05-10 15:39:37.861 INVALID  Ignore TCP      172.17.82.135:57811 ->   203.145.115.xx:1935           0.0.0.0:0     ->          0.0.0.0:0         2810        0
2016-05-10 15:39:37.866 INVALID  Ignore TCP     203.145.115.xx:1935  ->    172.17.82.135:57811          0.0.0.0:0     ->          0.0.0.0:0        86535        0

Look Like not send out every thing ?

ABC - 2016-05-10

ipt-netflow sends everything, but what is shown by nfsen I don't know. You may verify with wireshark capture of netflow traffic and check if missed data is there.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Sonny - 2016-05-19
  
  I think i ask wrong qustion.
  
  I mean only Event CREATE / DELETE Will show nat ip address ,
  but If event is INVALID will not show nat ip address.
  
  nfdump filter: IP 172.17.80.249 AND SRC PORT 2279 Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte 2016-05-18 20:49:58.664 CREATE Ignore TCP 172.17.80.249:2279 -> 111.111.111.111:80 43.xxx.47.231:2279 -> 111.111.111.111:80 0 0 2016-05-18 20:49:57.979 INVALID Ignore TCP 172.17.80.249:2279 -> 111.111.111.111:80 0.0.0.0:0 -> 0.0.0.0:0 104 0 2016-05-18 20:52:01.667 DELETE Ignore TCP 172.17.80.249:2279 -> 111.111.111.111:80 43.xxx.47.231:2279 -> 111.111.111.111:80 0 0
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

ABC - 2016-05-19

I don't know what is "INVALID" event. There is no such events in netflow/nel. I think this may be problem of nfsen or, likely, your interpretation of nfsel output. You can analyze raw netflow packets with wireshark. Also, note that NEL flows does not report traffic counters, but your 'invalid' line contains 'In Byte' vith value '104'.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

pingping - 2017-03-03

with ./configure --enable-natevents option, error message while compiling...

make -C /tmp/bering-uclibc/source/linux/linux-i686 M=/tmp/bering-uclibc/source/iptables/ipt-netflow-master modules CONFIG_DEBUG_INFO=y
make[2]: Entering directory /tmp/bering-uclibc/source/linux/linux-i686' make -C /tmp/bering-uclibc/source/linux/linux-2.6.35.14 O=/tmp/bering-uclibc/source/linux/linux-i686/. modules /tmp/bering-uclibc/source/linux/linux-2.6.35.14/arch/x86/Makefile:81: stack protector enabled but no compiler support CC [M] /tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.o /tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.c: In function 'register_ct_events': /tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.c:5309: error: implicit declaration of function 'ref_module' /tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.c: In function 'ipt_netflow_init': /tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.c:5429: warning: format '%lu' expects type 'long unsigned int', but argument 3 has type 'unsigned int' make[5]: *** [/tmp/bering-uclibc/source/iptables/ipt-netflow-master/ipt_NETFLOW.o] Error 1 make[4]: *** [_module_/tmp/bering-uclibc/source/iptables/ipt-netflow-master] Error 2 make[3]: *** [sub-make] Error 2 make[2]: *** [all] Error 2 make[2]: Leaving directory/tmp/bering-uclibc/source/linux/linux-i686'
make[1]: *** [ipt_NETFLOW.ko] Error 2
make[1]: Leaving directory /tmp/bering-uclibc/source/iptables/ipt-netflow-master' make: *** [ipt-netflow-master/.build] Error 1 make: Leaving directory/tmp/bering-uclibc/source/iptables'

without --enable-natevents option, it seems ok.

any ideas?

Last edit: pingping 2017-03-03

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

natevent is not working

NetFlow iptables module for Linux kernel

Group

Searches

Help

#77 natevent is not working

Discussion