This is what I have tried so far - non-working patches!
What am I missing?
I can provide pcap data too if it's any help.
On Sat, Feb 8, 2014 at 11:42 PM, Jacob Lorensen <jacobloren...@gmail.com>wrote:
> Hi
>
> I need to capture NAT44 netflow packets from a Cisco CGN device. I have
> compile nfdump using
>
> ./configure --enable-readpcap --prefix=${HOME} --with-rrdpath=/usr
> --enable-devel --enable-nsel --enable-nel
>
> I am not getting external port numbers/ranges/step, instead when I run with
>
> /home/jablo/src/nfdump/bin/nfcapd -E -f /home/jablo/nfdumpanalysis/nf.pcap
> -Tnel,nsel -w -l /tmp/log/netflow -S 1 -p 9995 -x
> /usr/local/sbin/nfdump2json.sh /tmp/log/netflow/%f
>
> to get copious debug output I get
>
> Skip unknown element type: 361, Length: 2
> Skip unknown element type: 363, Length: 2
> Skip unknown element type: 364, Length: 2
>
> which corresponds nicely to the Cisco documented template values for
>
> Port block start
> Port block step size
> Number of ports in block
>
> respectively.
>
> I am looking into trying to add those fields to nfcapd. So far I have
> added #defines for those IDs in netflow_v9.h. I have added definitions for
> those fields in the table v9_element_map in netflow_v9.c.
>
> I may be dense, but I don't see how or where to add PushSequence(...)
> calls. And, for that matter, what more I need to add in order to capture
> those fields.
>
> Any help or pointers would be appreciated.
>
> Thanks in advance,
> /Jacob
>
> See Table 2 in
>
> http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/iadnat-bpa.html
>
>
diff --git a/bin/netflow_v9.c b/bin/netflow_v9.c
index 4a84128..9351b84 100644
--- a/bin/netflow_v9.c
+++ b/bin/netflow_v9.c
@@ -314,6 +314,11 @@ static struct v9_element_map_s {
{ NF_F_XLATE_DST_ADDR_IPV6, "ASA V6 xdst addr", _16bytes,
_16bytes, move128, zero128, EX_NSEL_XLATE_IP_v6 },
{ NF_F_XLATE_SRC_PORT, "ASA xsrc port",
_2bytes, _2bytes, move16, zero16, EX_NSEL_XLATE_PORTS },
{ NF_F_XLATE_DST_PORT, "ASA xdst port",
_2bytes, _2bytes, move16, zero16, EX_NSEL_XLATE_PORTS },
+
+ { NF_F_XLATE_BPA_PORT_BLOCK_START, "ASA BPA block start", _2bytes,
_2bytes, move16, zero16, EX_NSEL_XLATE_PORTS },
+ { NF_F_XLATE_BPA_PORT_BLOCK_STEP, "ASA BPA block skip", _2bytes,
_2bytes, move16, zero16, EX_NSEL_XLATE_PORTS },
+ { NF_F_XLATE_BPA_PORT_BLOCK_SIZE, "ASA BPA block size", _2bytes,
_2bytes, move16, zero16, EX_NSEL_XLATE_PORTS },
+
// ASA 8.4 mapping
{ NF_F_XLATE_SRC_ADDR_84, "ASA V4 xsrc addr",
_4bytes, _4bytes, move32, zero32, EX_NSEL_XLATE_IP_v4 },
{ NF_F_XLATE_DST_ADDR_84, "ASA V4 xdst addr",
_4bytes, _4bytes, move32, zero32, EX_NSEL_XLATE_IP_v4 },
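Review bot: The name for element 363 is inconsistent: the macro is `NF_F_XLATE_BPA_PORT_BLOCK_STEP`, but the description string here is `"ASA BPA block skip"`, and the struct members and print labels in the nffile.h and nf_common.c hunks also say `skip`. Using one term everywhere, e.g. `"ASA BPA block step"` to match the macro, keeps the element, the stored field and the printed output traceable to each other. The print labels in nf_common.c are also prefixed `dst`, which looks carried over from the line above them and is worth rechecking. The v9_element_map initializer starts and ends outside this hunk.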
@@ -1001,6 +1006,10 @@ size_t size_required;
} else {
PushSequence( table,
NF_F_XLATE_SRC_PORT, &offset, NULL);
PushSequence( table,
NF_F_XLATE_DST_PORT, &offset, NULL);
+ PushSequence( table,
NF_F_XLATE_BPA_PORT_BLOCK_START, &offset, NULL);
+ PushSequence( table,
NF_F_XLATE_BPA_PORT_BLOCK_STEP, &offset, NULL);
+ PushSequence( table,
NF_F_XLATE_BPA_PORT_BLOCK_SIZE, &offset, NULL);
+ offset += 2;
}
break;
case EX_NSEL_XLATE_IP_v4:
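Review bot: The `else` branch now emits 8 more bytes per record for EX_NSEL_XLATE_PORTS (three 16-bit sequences plus `offset += 2`), but nothing in this patch raises the size this extension contributes to `size_required`. The size declaration is not visible here; if it still says 4 bytes, the output record is sized 8 bytes too small and the new sequences would write past it whenever a template received from the network enables this extension, so confirm it grows from 4 to 12. The branch before `} else {` lies outside the hunk; if it also fills this extension it needs the same 8-byte advance, otherwise the two branches produce different record layouts for one struct. A comment on the padding line, `offset += 2; // fill: keeps tpl_ext_38_t 32-bit aligned`, would make the intent explicit.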
diff --git a/bin/netflow_v9.h b/bin/netflow_v9.h
index a922979..ec4dcfb 100644
--- a/bin/netflow_v9.h
+++ b/bin/netflow_v9.h
@@ -271,6 +271,10 @@ typedef struct common_header_s {
#define NF_F_XLATE_DST_ADDR_IPV6 282
#define NF_F_FW_EVENT 233
+#define NF_F_XLATE_BPA_PORT_BLOCK_START 361
+#define NF_F_XLATE_BPA_PORT_BLOCK_STEP 363
+#define NF_F_XLATE_BPA_PORT_BLOCK_SIZE 364
+
// ASA 8.4 compat elements
#define NF_F_XLATE_SRC_ADDR_84 40001
#define NF_F_XLATE_DST_ADDR_84 40002
diff --git a/bin/nf_common.c b/bin/nf_common.c
index fae559e..793bd64 100644
--- a/bin/nf_common.c
+++ b/bin/nf_common.c
@@ -1093,7 +1093,11 @@ extension_map_t *extension_map = r->map_ref;
snprintf(_s, slen-1,
" src xlt port = %5u\n"
" dst xlt port = %5u\n"
-, r->xlate_src_port, r->xlate_dst_port );
+" dst bpa start= %5u\n"
+" dst bpa skip = %5u\n"
+" dst bpa size = %5u\n"
+, r->xlate_src_port, r->xlate_dst_port
+, r->xlate_bpa_start, r->xlate_bpa_skip, r->xlate_bpa_size );
_slen = strlen(data_string);
_s = data_string + _slen;
slen = STRINGSIZE - _slen;
diff --git a/bin/nffile.h b/bin/nffile.h
index 17016b8..463762a 100644
--- a/bin/nffile.h
+++ b/bin/nffile.h
@@ -967,6 +967,10 @@ typedef struct tpl_ext_37_s {
typedef struct tpl_ext_38_s {
uint16_t xlate_src_port;
uint16_t xlate_dst_port;
+ uint16_t xlate_bpa_start;
+ uint16_t xlate_bpa_skip;
+ uint16_t xlate_bpa_size;
+ uint16_t fill;
uint8_t data[4]; // points to further data
} tpl_ext_38_t;
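Review bot: Growing `tpl_ext_38_s` from 4 to 12 bytes of payload changes the stored layout of an existing extension, so files written before this change, which hold only the two port fields, would be read with the wrong stride. In the first nffile_inline.c hunk the input pointer is cast to `tpl_ext_38_t` and parsing continues at `tpl->data`; on an old record that consumes 8 bytes belonging to the next extension, or past the end of the record, and misaligns everything after it. Carrying the port-block fields in a new extension with its own ID and struct would leave extension 38 unchanged and avoid this; failing that, the reader needs a way to tell the two layouts apart. A comment such as `uint16_t fill; // pad to 32-bit boundary` would also document the extra member.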
@@ -1835,6 +1839,10 @@ typedef struct master_record_s {
# define OffsetXLATEPort NSEL_BASE_OFFSET+2
uint16_t xlate_src_port; // index OffsetXLATEPort
0xffff'0000'0000'0000
uint16_t xlate_dst_port; // index OffsetXLATEPort
0x0000'ffff'0000'0000
+ uint16_t xlate_bpa_start;
+ uint16_t xlate_bpa_skip;
+ uint16_t xlate_bpa_size;
+ uint16_t xlate_bpa_fill;
uint32_t xlate_flags;
# define OffsetXLATESRCIP NSEL_BASE_OFFSET+3
ip_addr_t xlate_src_ip; // ipv4 OffsetXLATESRCIP +1
0x0000'0000'ffff'ffff
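Review bot: The four new 16-bit members are inserted between `xlate_dst_port` and `xlate_flags`, which adds one 64-bit word ahead of `xlate_src_ip`, yet `OffsetXLATESRCIP` stays at `NSEL_BASE_OFFSET+3` and no offset macro is added for the new fields. Going by the 64-bit masks in the neighbouring comments, these offsets appear to index the record in 8-byte words, so after this change `NSEL_BASE_OFFSET+3` would address `xlate_bpa_size`, `xlate_bpa_fill` and `xlate_flags` instead of the translated source address, and every later NSEL offset would be off by one word; filters on those fields would then silently match the wrong data. Either place the new members in their own word after the existing NSEL fields, or renumber the following offsets and add an entry such as `# define OffsetXLATEBPA NSEL_BASE_OFFSET+3` with a mask comment per member. master_record_s continues outside this hunk.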
diff --git a/bin/nffile_inline.c b/bin/nffile_inline.c
index 6b6ea2d..2c02c59 100755
--- a/bin/nffile_inline.c
+++ b/bin/nffile_inline.c
@@ -361,6 +361,9 @@ void *p = (void *)input_record;
tpl_ext_38_t *tpl = (tpl_ext_38_t *)p;
output_record->xlate_src_port =
tpl->xlate_src_port;
output_record->xlate_dst_port =
tpl->xlate_dst_port;
+ output_record->xlate_bpa_start =
tpl->xlate_bpa_start;
+ output_record->xlate_bpa_skip =
tpl->xlate_bpa_skip;
+ output_record->xlate_bpa_size =
tpl->xlate_bpa_size;
p = (void *)tpl->data;
} break;
case EX_NSEL_XLATE_IP_v4: {
@@ -692,6 +695,9 @@ int i;
tpl_ext_38_t *tpl = (tpl_ext_38_t *)p;
tpl->xlate_src_port =
master_record->xlate_src_port;
tpl->xlate_dst_port =
master_record->xlate_dst_port;
+ tpl->xlate_bpa_start =
master_record->xlate_bpa_start;
+ tpl->xlate_bpa_skip =
master_record->xlate_bpa_skip;
+ tpl->xlate_bpa_size =
master_record->xlate_bpa_size;
p = (void *)tpl->data;
} break;
case EX_NSEL_XLATE_IP_v4: {