Re: [Nfdump-discuss] ASA and post-NAT addresses
From: Brian C. <b.c...@po...> - 2013-11-21 09:55:40
On 21/11/2013 09:23, Peter Haag wrote:
> Hi Brian,
> It looks to me, as you did not enable nsel at compile time. You need to
> run at least ./configure --enable-nsel and make, make install

Ah yes, you're quite right. I had only done ./configure --enable-nfprofile --enable-nftrack and didn't realise you had to --enable-nsel as well. Rebuilt now, running with -Tnsel.

> Your already collected data should still be readable after nsel enabled.

It is. I get zeros for X-Src IP Addr:Port and X-Dest IP Addr (although strangely not X-Dest Port: I think this is a bug, see below)

Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port        X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
2013-11-21 09:24:59.903 IGNORE  Ignore UDP    192.168.3.121:40528 ->            8.8.8.8:53               0.0.0.0:0 ->            0.0.0.0:53        28        0

Corresponding output with -o raw:

Flow Record:
  Flags        = 0x06 FLOW, Unsampled
  export sysid = 1
  size         = 56
  first        = 1385025899 [2013-11-21 09:24:59]
  last         = 1385025899 [2013-11-21 09:24:59]
  msec_first   = 903
  msec_last    = 903
  src addr     = 192.168.3.121
  dst addr     = 8.8.8.8
  src port     = 40528
  dst port     = 53
  fwd status   = 0
  tcp flags    = 0x00 ......
  proto        = 17 UDP
  (src)tos     = 0
  (in)packets  = 0
  (in)bytes    = 28
  input        = 14
  output       = 2

For the new records, I get:

Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port        X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
2013-11-21 09:30:56.052 DELETE    2027 TCP    192.168.3.123:58914 ->       YY.YYY.YY.100:80       XXX.XX.XX.4:58914 ->       YY.YYY.YY.100:80       137      309

which looks much better. Looking for a case of inbound destination port mapping:

2013-11-21 09:38:24.519 CREATE  Ignore TCP     YY.YY.YY.166:64325 ->       XXX.XX.XX.8:2222      YY.YY.YY.166:64325 ->      192.168.5.110:2222         0        0

This is wrong. The translated destination port should be 22 but it is showing the untranslated port.

Here is the -o raw record:

Flow Record:
  Flags        = 0x46 EVENT, Unsampled
  export sysid = 1
  size         = 132
  first        = 1385026704 [2013-11-21 09:38:24]
  last         = 1385026704 [2013-11-21 09:38:24]
  msec_first   = 519
  msec_last    = 519
  src addr     = 84.92.42.166
  dst addr     = 185.14.85.8
  src port     = 64325
  dst port     = 2222
  fwd status   = 0
  tcp flags    = 0x00 ......
  proto        = 6 TCP
  (src)tos     = 0
  (in)packets  = 0
  (in)bytes    = 0
  connect ID   = 11316151
  fw event     = 1: CREATE
  fw ext event = 0
  flow start   = 1385026694490 [2013-11-21 09:38:14.490]
  src asa port = 64325
  dst asa port = 22
  src asa ip   = 84.92.42.166
  dst asa ip   = 192.168.5.110
  Ingress ACL  = 0x266a12c4/0x2669d584/0xd78b0ca
  Egress ACL   = 0x0/0x0/0x0
  User name    = <empty>

So the correct data has been captured ("dst asa port"), it just isn't shown by nfdump in its normal output. The attached patch seems to do the job.

> Hope, this helps

It certainly does!

Thanks,
Brian.
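An added example, not from the post or from nfdump itself: it parses a -o raw record of the shape quoted above and builds the X-Src/X-Dst endpoints from the "asa" fields, which is where the translated port lives, so the pre-NAT "dst port" is never reused for the translated destination. The sample record reuses the values of the CREATE event above, with the timing and ACL lines left out.

```python
import re

# Constructed sample: a -o raw record with the values from the CREATE event in the post
# (timing, status and ACL lines left out; they are not needed to derive the endpoints).
RAW_RECORD = """\
Flow Record:
  Flags        = 0x46 EVENT, Unsampled
  export sysid = 1
  src addr     = 84.92.42.166
  dst addr     = 185.14.85.8
  src port     = 64325
  dst port     = 2222
  proto        = 6 TCP
  connect ID   = 11316151
  fw event     = 1: CREATE
  src asa port = 64325
  dst asa port = 22
  src asa ip   = 84.92.42.166
  dst asa ip   = 192.168.5.110
"""

# One "key = value" field per line; keys may contain spaces and parentheses, e.g. "(src)tos".
FIELD_RE = re.compile(r"^\s*(?P<key>[\w() ]+?)\s*=\s*(?P<value>.*)$")

def parse_raw_record(text):
    """Return the record's fields as a dict of stripped key -> value strings."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields

def endpoints(fields):
    """Return (src, dst, x_src, x_dst) as 'ip:port'; the translated (X-) endpoints come
    from the 'asa' fields, never from the pre-NAT 'dst port' (the bug described above)."""
    src = f"{fields['src addr']}:{fields['src port']}"
    dst = f"{fields['dst addr']}:{fields['dst port']}"
    x_src = f"{fields['src asa ip']}:{fields['src asa port']}"
    x_dst = f"{fields['dst asa ip']}:{fields['dst asa port']}"
    return src, dst, x_src, x_dst

def nat_changes(fields):
    """Map each endpoint component NAT rewrote to its (pre, post) values, e.g. the
    inbound port mapping 2222 -> 22 seen in the CREATE record."""
    pairs = {"src ip": ("src addr", "src asa ip"), "src port": ("src port", "src asa port"),
             "dst ip": ("dst addr", "dst asa ip"), "dst port": ("dst port", "dst asa port")}
    return {name: (fields[pre], fields[post])
            for name, (pre, post) in pairs.items() if fields[pre] != fields[post]}
```

Running nat_changes() over a batch of EVENT records is a quick way to check that the X-Dst port column printed by nfdump agrees with "dst asa port" after the patch is applied.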