Hi,
Well I have some good news :)
Not sure what happened, but I recompiled nfdump from git with the options you
suggested.
Left nfsen running overnight and came into the office this morning, checked
nfsen and we now have more data which looks about right :D
2018-05-23 09:44:33.860 INVALID Ignore TCP 192.168.48.130:60842 -> 37.77.186.142:443 217.149.97.xxx:60842 -> 37.77.186.142:443 857945 0
2018-05-23 09:44:33.870 INVALID Ignore TCP 192.168.48.130:60833 -> 37.77.186.142:443 217.149.97.xxx:60833 -> 37.77.186.142:443 824639 0
2018-05-23 09:44:33.880 INVALID Ignore TCP 37.77.186.142:443 -> 217.149.97.xxx:60842 37.77.186.142:443 -> 192.168.48.130:60842 30.7 M 0
2018-05-23 09:44:33.890 INVALID Ignore TCP 37.77.186.142:443 -> 217.149.97.xxx:60833 37.77.186.142:443 -> 192.168.48.130:60833 28.6 M 0
I'm guessing the 30M and 23M would be the download?
Regards
Simon
> On 22 May 2018, at 21:37, Brian Candler <b.cand...@pobox.com> wrote:
>
> I have tested with nfdump from git head, built with "./configure
> --enable-nfprofile --enable-nftrack --enable-nsel", and it all looks correct
> to me (see example below). I don't get the "0.0.0.0" entries that you got.
>
> Make sure you did "make install" and updated all the binaries, both nfdump
> and nfcapd; you restarted nfcapd; and that you are using nfdump on files
> which were created by nfcapd after it was recompiled.
>
> You can ignore Event "INVALID" and XEvent "Ignore"; these are just ASA
> security event types which aren't generated by the Mikrotik. (It might be
> better for nfdump to display these as just a dash?)
>
> HTH,
>
> Brian.
>
>
> /ip traffic-flow
> set enabled=yes interfaces=vlan254,vlan255
> /ip traffic-flow target
> add dst-address=10.12.255.33 port=9995
>
>
> # nfcapd -E -p 9995 -l /tmp/nfcap-test
> ...
>
> Flow Record:
> Flags = 0x06 FLOW, Unsampled
> label = <none>
> export sysid = 1
> size = 76
> first = 1527020841 [2018-05-22 20:27:21]
> last = 1527020843 [2018-05-22 20:27:23]
> msec_first = 510
> msec_last = 560
> src addr = 10.12.255.243
> dst addr = 147.28.0.62
> src port = 63175
> dst port = 80
> fwd status = 0
> tcp flags = 0x02 ....S.
> proto = 6 TCP
> (src)tos = 16
> (in)packets = 4
> (in)bytes = 220
> input = 9
> output = 17
> src xlt port = 63175
> dst xlt port = 80
> src xlt ip = XX.XX.XX.XXX
> dst xlt ip = 147.28.0.62
>
>
> Flow Record:
> Flags = 0x06 FLOW, Unsampled
> label = <none>
> export sysid = 1
> size = 76
> first = 1527020841 [2018-05-22 20:27:21]
> last = 1527020843 [2018-05-22 20:27:23]
> msec_first = 650
> msec_last = 710
> src addr = 147.28.0.62
> dst addr = XX.XX.XX.XXX
> src port = 80
> dst port = 63175
> fwd status = 0
> tcp flags = 0x12 .A..S.
> proto = 6 TCP
> (src)tos = 0
> (in)packets = 4
> (in)bytes = 216
> input = 17
> output = 9
> src xlt port = 80
> dst xlt port = 63175
> src xlt ip = 147.28.0.62
> dst xlt ip = 10.12.255.243
>
> ...
>
> # nfdump -r /tmp/nfcap-test/nfcapd.201805222026 'host 147.28.0.62'
> Date first seen Event XEvent Proto Src IP Addr:Port
> Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte
> Out Byte
> 2018-05-22 20:27:21.510 INVALID Ignore TCP 10.12.255.243:63175 ->
> 147.28.0.62:80 XX.XX.XX.XXX:63175 -> 147.28.0.62:80 220 0
> 2018-05-22 20:27:21.650 INVALID Ignore TCP 147.28.0.62:80 ->
> XX.XX.XX.XXX:63175 147.28.0.62:80 -> 10.12.255.243:63175 216
> 0
> Summary: total flows: 2, total bytes: 436, total packets: 8, avg bps: 1585,
> avg pps: 3, avg bpp: 54
> Time window: 2018-05-22 20:26:21 - 2018-05-22 20:27:32
> Total flows processed: 100, Blocks skipped: 0, Bytes read: 7884
> Sys: 0.008s flows/second: 12500.0 Wall: 0.004s flows/second: 21372.1
>
>
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
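Added example, not code from the thread or from the nfdump project: a small Python parser for nfdump's NSEL-style line output as shown above. It reads the scaled byte counters ("30.7 M"), tells the pre-NAT and post-NAT addresses apart, and totals per LAN host what went out and what came back, which is the direction question raised above. It assumes a constructed sample with 203.0.113.7 in place of the masked public address, a LAN range of 192.168.48.0/24, and 1024-based scaling for the "M" suffix (nfdump -N prints plain numbers instead).

```python
import ipaddress
from collections import defaultdict

# Constructed sample in nfdump's NSEL column layout (date, Event, XEvent, Proto,
# src -> dst, X-src -> X-dst, In Byte, Out Byte); 203.0.113.7 replaces the masked NAT address.
SAMPLE = """\
2018-05-23 09:44:33.860 INVALID Ignore TCP 192.168.48.130:60842 -> 37.77.186.142:443 203.0.113.7:60842 -> 37.77.186.142:443 857945 0
2018-05-23 09:44:33.870 INVALID Ignore TCP 192.168.48.130:60833 -> 37.77.186.142:443 203.0.113.7:60833 -> 37.77.186.142:443 824639 0
2018-05-23 09:44:33.880 INVALID Ignore TCP 37.77.186.142:443 -> 203.0.113.7:60842 37.77.186.142:443 -> 192.168.48.130:60842 30.7 M 0
2018-05-23 09:44:33.890 INVALID Ignore TCP 37.77.186.142:443 -> 203.0.113.7:60833 37.77.186.142:443 -> 192.168.48.130:60833 28.6 M 0
"""
# Scaled counters ("30.7 M") are assumed 1024-based here; nfdump -N prints exact plain numbers.
SCALE = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
LAN = ipaddress.ip_network("192.168.48.0/24")  # assumed inside range for this site

def parse_bytes(tokens):
    """['857945', '0'] -> [857945, 0]; ['30.7', 'M', '0'] -> [32191283, 0]."""
    values = []
    for tok in tokens:
        if tok in SCALE:                  # suffix token scales the number before it
            values[-1] *= SCALE[tok]
        else:
            values.append(float(tok))
    return [int(round(v)) for v in values]

def parse_line(line):
    """One record line -> dict; header, summary and blank lines -> None."""
    t = line.split()
    if len(t) < 13 or t[6] != "->" or t[9] != "->":
        return None
    in_bytes, out_bytes = parse_bytes(t[11:])[:2]
    return {"event": t[2], "xevent": t[3], "proto": t[4], "src": t[5], "dst": t[7],
            "xsrc": t[8], "xdst": t[10], "in_bytes": in_bytes, "out_bytes": out_bytes}

def lan_host(addr_port):
    # Address part of 'a.b.c.d:port' when it lies inside LAN, else None.
    addr = addr_port.rsplit(":", 1)[0]
    try:
        return addr if ipaddress.ip_address(addr) in LAN else None
    except ValueError:  # masked addresses such as 217.149.97.xxx
        return None

def summarize(text):
    # Per LAN host: bytes sent (up: pre-NAT src in LAN) and received (down: post-NAT xdst in LAN).
    # Only In Byte is counted; Out Byte is 0 in the Mikrotik output shown in the thread.
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for rec in filter(None, map(parse_line, text.splitlines())):
        up, down = lan_host(rec["src"]), lan_host(rec["xdst"])
        host, direction = (up, "up") if up else (down, "down")
        if host:
            totals[host][direction] += rec["in_bytes"]
    return dict(totals)
```

With the sample above, the two 443 -> client flows land in "down", so the scaled counters on the server-sourced lines are the inbound (download) bytes.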