On 23/05/2018 09:59, Simon Mousey Smith wrote:
Left nfsen running over nite and came into the office this morning, checked nfsen and we now have more data which looks about right :D

2018-05-23 09:44:33.860 INVALID Ignore TCP 192.168.48.130:60842 -> 37.77.186.142:443   217.149.97.xxx:60842 -> 37.77.186.142:443     857945 0
2018-05-23 09:44:33.870 INVALID Ignore TCP 192.168.48.130:60833 -> 37.77.186.142:443   217.149.97.xxx:60833 -> 37.77.186.142:443     824639 0
2018-05-23 09:44:33.880 INVALID Ignore TCP 37.77.186.142:443 -> 217.149.97.xxx:60842   37.77.186.142:443 -> 192.168.48.130:60842   30.7 M 0
2018-05-23 09:44:33.890 INVALID Ignore TCP 37.77.186.142:443 -> 217.149.97.xxx:60833   37.77.186.142:443 -> 192.168.48.130:60833   28.6 M 0

I'm guessing the 30M and 23M would be the download?

Yes exactly:

- 192.168.48.130 [ephemeral port] established TCP connection to 37.77.186.142 port 443 [HTTPS]

- the corresponding return traffic is the flow from 37.77.186.142 port 443 to 192.168.48.130 [ephemeral port]

- on the return flow, the two figures (30.7M and 0) are "in byte" and "out byte" respectively, but since these are unidirectional flows the "in byte" value means the number of bytes from Source to Destination and the "out byte" field is not used. [^1]

It's worth testing with a few "wget"s of files of known size, just to get some confidence in the counts.

The default NSEL view doesn't show the number of packets in each flow.  With "-o line" (which is the default format without NSEL) you do get the packet counts, but not the translated return address:

# nfdump -r /tmp/nfcap-test/nfcapd.201805222026 -o line 'host 147.28.0.62'
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-05-22 20:27:21.510     2.050 TCP    10.12.255.243:63175 ->      147.28.0.62:80           4      220     1
2018-05-22 20:27:21.650     2.060 TCP      147.28.0.62:80    ->     XX.XX.XX.XXX:63175        4      216     1

You can improve this using a custom format (admittedly a bit tedious to provide every time):

# nfdump -r /tmp/nfcap-test/nfcapd.201805222026 -o 'fmt:%ts %td %pr %sap -> %dap %xsap -> %xdap %pkt %byt %fl' 'host 147.28.0.62'
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port X-Dst IP Addr:Port   Packets    Bytes Flows
2018-05-22 20:27:21.510     2.050 TCP    10.12.255.243:63175 ->      147.28.0.62:80        XX.XX.XX.XXX:63175 ->      147.28.0.62:80           4      220     1
2018-05-22 20:27:21.650     2.060 TCP      147.28.0.62:80    ->     XX.XX.XX.XXX:63175     147.28.0.62:80    ->    10.12.255.243:63175        4      216     1

It would be nice if there were an "-o xline", which is like -o line but includes the translated addresses.

Incidentally: the flows shown were an empty telnet session to port 80.  So I think the 216/220 total byte counts in each direction must be including all the IP and TCP headers (IP header = 20 bytes; TCP header = 20 to 28 bytes depending on whether the timestamp option is being used).

Cheers,

Brian.

[^1] For a more detailed discussion of "in" versus "out" see https://github.com/phaag/nfdump/issues/31.  I don't think you'll be able to get nfdump to synthesise bi-directional flows from these unidirectional ones, because of the address translation.  It's not a big deal though; except when working with ASA, I just use unidirectional flows anyway.
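The pairing that nfdump itself won't do for NSEL records can be done outside nfdump on the custom-format output. The script below is an added example, not nfdump or nfsen code and not from anyone in this thread: it parses lines in the `fmt:%ts %td %pr %sap -> %dap %xsap -> %xdap %pkt %byt %fl` layout used above and joins each forward flow with its return flow by matching the set of endpoints, since the pre-NAT and post-NAT pairs of the two directions name the same three addresses. The sample lines are constructed with RFC 5737 documentation addresses; the column order, the `30.7 M` scaled counter (nfdump's default when `-N` is not given) and the rule that the earliest-starting flow is the initiator are assumptions.

```python
"""Join nfdump's unidirectional NSEL flows into bidirectional records.

Added example; not part of nfdump or nfsen.  Feed it the output of

  nfdump -r <file> -o 'fmt:%ts %td %pr %sap -> %dap %xsap -> %xdap %pkt %byt %fl'

Assumptions (mine, not from the thread): the pre-NAT pair comes before the
post-NAT (X-) pair, counters may carry nfdump's K/M/G scaling suffix when -N
is not used, and the earliest-starting flow of a connection is its initiator.
"""
import re
import sys
from dataclasses import dataclass

SCALE = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
DATE = re.compile(r"\d{4}-\d{2}-\d{2}$")


@dataclass
class Flow:
    first_seen: str
    duration: float
    proto: str
    src: str    # pre-translation source addr:port
    dst: str    # pre-translation destination addr:port
    xsrc: str   # post-translation (X-Src) addr:port
    xdst: str   # post-translation (X-Dst) addr:port
    packets: int
    nbytes: int
    flows: int


def _counters(tokens):
    """Parse 'pkt byt fl', accepting scaled values such as '30.7 M'."""
    out, i = [], 0
    while i < len(tokens):
        value = float(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] in SCALE:
            value *= SCALE[tokens[i + 1]]
            i += 1
        out.append(int(round(value)))
        i += 1
    return out


def parse_line(line):
    """Return a Flow for one data line; None for header/summary lines."""
    t = line.split()
    if len(t) < 13 or not DATE.match(t[0]) or t[5] != "->" or t[8] != "->":
        return None
    try:
        pkts, byt, fl = _counters(t[10:])
    except ValueError:
        return None
    return Flow(first_seen=f"{t[0]} {t[1]}", duration=float(t[2]), proto=t[3],
                src=t[4], dst=t[6], xsrc=t[7], xdst=t[9],
                packets=pkts, nbytes=byt, flows=fl)


def pair_flows(flows):
    """Group flows by the set of endpoints they name and split by direction.

    Forward flow:  inside -> outside, nat -> outside
    Return flow:   outside -> nat,    outside -> inside
    Both name the same three endpoints, so that set identifies the
    connection no matter which side the record describes.
    """
    groups = {}
    for f in flows:
        key = (f.proto, frozenset((f.src, f.dst, f.xsrc, f.xdst)))
        groups.setdefault(key, []).append(f)
    records = []
    for (proto, _), members in groups.items():
        members.sort(key=lambda f: f.first_seen)
        init = members[0]
        rec = {"first_seen": init.first_seen, "proto": proto,
               "client": init.src, "nat": init.xsrc, "server": init.dst,
               "out_packets": 0, "out_bytes": 0, "in_packets": 0, "in_bytes": 0}
        for m in members:
            side = "out" if (m.src, m.dst) == (init.src, init.dst) else "in"
            rec[side + "_packets"] += m.packets
            rec[side + "_bytes"] += m.nbytes
        rec["unpaired"] = rec["in_packets"] == 0   # return direction never seen
        records.append(rec)
    return records


def pair_nfdump_output(text):
    """Convenience wrapper: text of nfdump output -> list of paired records."""
    return pair_flows([f for f in map(parse_line, text.splitlines()) if f])


# Constructed sample in the custom-format layout (RFC 5737 addresses).
SAMPLE = """\
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port X-Dst IP Addr:Port   Packets    Bytes Flows
2018-05-22 20:27:21.510     2.050 TCP    10.12.255.243:63175 ->   198.51.100.62:80        203.0.113.7:63175 ->   198.51.100.62:80         4      220     1
2018-05-22 20:27:21.650     2.060 TCP    198.51.100.62:80    ->     203.0.113.7:63175     198.51.100.62:80   ->   10.12.255.243:63175      4      216     1
2018-05-22 20:30:02.100    14.300 TCP    10.12.255.243:63188 ->   198.51.100.62:443       203.0.113.7:63188 ->   198.51.100.62:443     1247   857945     1
2018-05-22 20:30:02.110    14.290 TCP    198.51.100.62:443   ->     203.0.113.7:63188     198.51.100.62:443  ->   10.12.255.243:63188   21500   30.7 M     1
2018-05-22 20:31:40.000     0.000 UDP    10.12.255.250:51023 ->   198.51.100.53:53        203.0.113.7:51023 ->   198.51.100.53:53         1       76     1
Summary: total flows: 5, total bytes: 31559002, total packets: 22756
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for r in pair_nfdump_output(text):
        flag = "  (no return flow)" if r["unpaired"] else ""
        print(f"{r['first_seen']} {r['proto']:4} {r['client']:>21} via {r['nat']:>19} "
              f"<-> {r['server']:>21}  out {r['out_packets']}/{r['out_bytes']}  "
              f"in {r['in_packets']}/{r['in_bytes']}{flag}")
```

Pipe real nfdump output into it (`nfdump -r <file> -o 'fmt:...' | python3 pair_nsel.py`); run with no stdin and it prints the pairing of the constructed sample. Grouping is by endpoint set only, so a connection that spans several nfcapd files is summed into one record, and the `unpaired` flag marks one-way flows such as the UDP query in the sample.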
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss