Hi
Thanks for the help, and I'm part of the way there now!
I re-read the ./configure in nfdump and used --enable-nsel, and now it's showing
me more info!
Not quite there but close enough!
Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte
2018-05-22 07:59:43.260 INVALID Ignore TCP 192.168.68.15:56509 -> 199.16.156.52:443 0.0.0.0:0 -> 0.0.0.0:0 41 0
2018-05-22 07:59:43.390 INVALID Ignore TCP 199.16.156.52:443 -> 217.149.97.6:56509 0.0.0.0:0 -> 0.0.0.0:0 52 0
And with bi-directional ticked I get
2018-05-22 07:59:43.260 223.180 TCP 192.168.68.15:56509 <-> 199.16.156.52:443 0 8 0 325 6
So it's close but not quite there yet!
Regards
Simon
> On 22 May 2018, at 10:52, Naim Sh. <shaf...@gmail.com> wrote:
>
> Sorry, I mistyped.
> You need this:
>
> NSEL/ASA, NEL/NAT support
>
> NSEL (Network Event Security Logging) as well as NEL (NAT Event Logging)
> are technologies invented by CISCO and also use the netflow v9 protocol.
> However, NSEL and NEL are not flows as commonly known but rather Events!
> exported from specific devices such as CISCO ASA. nfdump supports
> Event logging as part of netflow v9.
>
> Note: The older nfdump-1.5.8-2-NSEL is not compatible with nfdump > 1.6.9
> which supports NSEL/NEL.
>
> As far as I know you can do this in nfsen too.
> On Tue, 2018-05-22 at 10:45 +0100, Simon Mousey Smith wrote:
>> Hi,
>>
>> This isn't really very helpful as it doesn't help my issue?
>>
>> A simple Google search gives NO results?
>>
>> Any documentation I can follow?
>>
>> Regards
>>
>> Simon
>>
>>
>>> On 22 May 2018, at 08:52, Naim Sh. <shaf...@gmail.com> wrote:
>>>
>>> Anyway, please read about NAT XSEL.
>>> On Mon, 2018-05-21 at 15:03 +0100, Simon Mousey Smith wrote:
>>>> Hi All
>>>>
>>>> I'm trying to figure out how to use NFSen for NAT purposes.
>>>>
>>>> Briefly, how do I work out what a client used in download?
>>>>
>>>> A sample output I have is below:
>>>>
>>>> 2018-05-21 08:31:15.920 129.050 TCP 192.168.68.15:54355 ->
>>>> 51.179.201.80:443 1720 122920 1
>>>> 2018-05-21 08:31:15.930 129.050 TCP 51.179.201.80:443 ->
>>>> 217.149.97.xxx:54355 3173 4.4 M 1
>>>>
>>>> But I can't simply do in the filter ( ip 192.168.68.15 ) because that would
>>>> only show the first line, which is the client's UPLOAD in bytes and not their
>>>> DOWNLOAD in bytes?
>>>>
>>>> I've tried bi-directional BUT that simply shows me:
>>>>
>>>> 2018-05-21 08:31:15.920 199.550 TCP 192.168.68.15:54355 <->
>>>> 51.179.201.80:443 0 1724 0 123081
>>>> 3
>>>>
>>>> The sample command that's used, as shown by nfsen, is:
>>>>
>>>> nfdump -M /data/nfsen/profiles-data/live/fth -T -R
>>>> 2018/05/21/nfcapd.201805210825:2018/05/21/nfcapd.201805211130 -m -c 10000
>>>> nfdump filter:
>>>> Any
>>>>
>>>>
>>>> Am I just simply doing something wrong?
>>>>
>>>> Regards
>>>>
>>>> Simon
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Nfsen-discuss mailing list
>>>> Nfsen-discuss@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>>
>>
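An added example for the problem Simon describes (attributing the download half of a NAT'd connection to the inside client); it is not code from this thread, from nfdump or from nfsen. It reads the default nfdump line output quoted above and correlates the inside flow (private -> server) with the outside return flow (server -> public NAT address) by the tuple (proto, server, server port, client port) within a time window. The assumption behind that tuple, labelled in the code, is that the NAT keeps the client's source port, which the thread's own sample shows (port 54355 on both halves). The sample input is constructed from the thread's flows, with the masked octet replaced by the 217.149.97.6 address that appears later in it; the byte-unit multipliers are an assumption, and nfdump's -N option prints plain numbers if you would rather avoid them.

```python
"""Attribute upload/download bytes to the inside client behind NAT.

Added example for the nfsen-discuss thread; not code from nfdump or nfsen.
Input is the default nfdump 'line' output quoted in the thread:
  date time  duration  proto  src:port -> dst:port  packets  bytes  flows
A filter on the private IP matches only the inside half of a connection
(private -> server).  The return half is server -> public NAT address, so
the client's download bytes are never attributed to it.  Assumption used
here (true in the thread's sample, port 54355 on both halves): the NAT
keeps the client's source port, so (proto, server, server port, client
port) identifies the same connection on both sides of the NAT.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# nfdump scales large numbers ("4.4 M"); assumed decimal multipliers.  Run
# nfdump with -N to print plain numbers and avoid the rounding altogether.
SCALE = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<pkts>[\d.]+)(?:\s+(?P<pscale>[KMG]))?\s+"
    r"(?P<bytes>[\d.]+)(?:\s+(?P<bscale>[KMG]))?\s+(?P<flows>\d+)\s*$"
)

# Constructed sample: the two flows from the thread (masked octet replaced by
# the 217.149.97.6 address shown later in it), a second inside client, and
# one outside flow that has no matching inside session.
SAMPLE = """\
2018-05-21 08:31:15.920   129.050 TCP   192.168.68.15:54355 ->   51.179.201.80:443    1720   122920     1
2018-05-21 08:31:15.930   129.050 TCP   51.179.201.80:443   ->   217.149.97.6:54355   3173    4.4 M     1
2018-05-21 08:40:02.100     3.210 TCP   192.168.68.20:41002 ->   199.16.156.52:443      12     1510     1
2018-05-21 08:40:02.110     3.200 TCP   199.16.156.52:443   ->   217.149.97.6:41002     30    38000     1
2018-05-21 09:15:00.000     0.500 TCP   199.16.156.52:443   ->   217.149.97.6:50000      5      600     1
"""


def parse_flow(line):
    """Parse one nfdump line-format record; return None for anything else."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "bytes": int(round(float(m["bytes"]) * SCALE[m["bscale"] or ""])),
    }


def is_private(ip):
    return ipaddress.ip_address(ip).is_private


def attribute_bytes(lines, window_s=300):
    """Return ({private_ip: {"upload": n, "download": n}}, unmatched_flows).

    Inside flows (private -> public) register a session and count as upload.
    Outside flows (public source) are matched to a session by the connection
    tuple and a time window (guards against port reuse) and count as download
    for the private address that opened the session; the rest are reported
    as unmatched rather than silently dropped.
    """
    flows = [f for f in map(parse_flow, lines) if f]
    sessions = {}  # (proto, server, server_port, client_port) -> (private_ip, ts)
    totals = defaultdict(lambda: {"upload": 0, "download": 0})
    unmatched = []
    for f in flows:
        if is_private(f["src"]) and not is_private(f["dst"]):
            key = (f["proto"], f["dst"], f["dport"], f["sport"])
            sessions[key] = (f["src"], f["ts"])
            totals[f["src"]]["upload"] += f["bytes"]
    for f in flows:
        if is_private(f["src"]):
            continue  # inside half, already counted (or LAN-internal traffic)
        hit = sessions.get((f["proto"], f["src"], f["sport"], f["dport"]))
        if hit and abs((f["ts"] - hit[1]).total_seconds()) <= window_s:
            totals[hit[0]]["download"] += f["bytes"]
        else:
            unmatched.append(f)
    return dict(totals), unmatched


if __name__ == "__main__":
    totals, unmatched = attribute_bytes(SAMPLE.splitlines())
    for ip, t in sorted(totals.items()):
        print(f"{ip:16} upload {t['upload']:>10}  download {t['download']:>10}")
    print(f"{len(unmatched)} outside flow(s) without a matching inside session")
```

The bi-directional output in the thread does not help here because nfdump can only pair two halves that share the same address pair, and across a NAT they do not. Once the ASA exports NEL events with populated X-Src/X-Dst columns (the 0.0.0.0:0 in Simon's NSEL output means no translation was reported in those records), the public-to-private mapping comes straight from the event and this inference step is unnecessary.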