Hello

I hope that this is relevant; if I've mis-posted, apologies.

We have a Cisco ASR 1002 router which is to be used to perform NAT.
In the old days, when we used 7206 etc., syslog was the preferred method for
getting the translations shipped off the box and onto some logging disk. From
what we can gather, syslogging the NAT translation activity will very quickly
overwhelm an ASR, and the Cisco recommended method of exporting the NAT
activity is to use v9 netflow ( eg )

ip nat log translations flow-export v9 udp destination 10.10.10.10 19999 source Loopback0

The issue we now face is that this generates a netflow frame with a
slightly different template from the norm ( called NEL and different from the
format that an ASA or derivative would generate ).
I attach what I could find in the limited Cisco documentation on this.

templateId=259: id=259, fields=11
    field id=8 (ipv4 source address), offset=0, len=4
    field id=225 (natInsideGlobalAddress), offset=4, len=4
    field id=12 (ipv4 destination address), offset=8, len=4
    field id=226 (natOutsideGlobalAddress), offset=12, len=4
    field id=7 (transport source-port), offset=16, len=2
    field id=227 (postNAPTSourceTransportPort), offset=18, len=2
    field id=11 (transport destination-port), offset=20, len=2
    field id=228 (postNAPTDestinationTransportPort), offset=22, len=2
    field id=234 (ingressVRFID), offset=24, len=4
    field id=4 (ip protocol), offset=28, len=1
    field id=230 (natEvent), offset=29, len=1


If I start up nfacctd -l 19999 -P print -d
I can see that the frames are arriving:

DEBUG ( default/core ): NfV9 agent         : 10.1.1.1:200
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID   : 259
DEBUG ( default/core ): -----------------------------------------------------
DEBUG ( default/core ): |    pen     |     field type     | offset |  size  |
DEBUG ( default/core ): | 0          | 283                |      0 |      4 |
DEBUG ( default/core ): | 0          | 230                |      4 |      1 |
DEBUG ( default/core ): -----------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 5
DEBUG ( default/core ):
DEBUG ( default/core ): NfV9 agent         : 10.1.1.1:200
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID   : 258
DEBUG ( default/core ): -----------------------------------------------------
DEBUG ( default/core ): |    pen     |     field type     | offset |  size  |
DEBUG ( default/core ): | 0          | IPv4 Src addr      |      0 |      4 |
DEBUG ( default/core ): | 0          | 225                |      4 |      4 |
DEBUG ( default/core ): | 0          | IPv4 dst addr      |      8 |      4 |
DEBUG ( default/core ): | 0          | 226                |     12 |      4 |
DEBUG ( default/core ): | 0          | L4 src port        |     16 |      2 |
DEBUG ( default/core ): | 0          | 227                |     18 |      2 |
DEBUG ( default/core ): | 0          | L4 dst port        |     20 |      2 |
DEBUG ( default/core ): | 0          | 228                |     22 |      2 |
DEBUG ( default/core ): | 0          | 234                |     24 |      4 |
DEBUG ( default/core ): | 0          | L4 protocol        |     28 |      1 |
DEBUG ( default/core ): | 0          | 230                |     29 |      1 |
DEBUG ( default/core ): -----------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 30


My question is: how do I get pmacct/nfacctd to understand this template?

I can see bits of the template definition and field definitions in nfacctd.h.
Do I have to add this in there, or is there a way of setting up an external
definition by adding expressions to the config files?
( I should add that my C is very rusty but I am happy to give this a try )

I have looked through the documentation that I could find, and may ( no!,
will ) have missed a lot; any pointers on the right way to proceed will be
gratefully received.

Or if anybody else has tried to use pmacct to record NAT activity and
would care to share how, that would be great.

Many thanks in advance

-- 
The University of Glasgow, charity number SC004401

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
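
An added example, not part of the original post and not pmacct code: a stand-alone Python decoder for the 30-byte NAT record layout listed in the message, useful for checking what the router exports while the collector does not yet understand the template. The function names, the sample addresses and the natEvent labels (1 = create, 2 = delete) are assumptions of this example, and the sample record is constructed.

```python
import ipaddress
import struct

# Layout as listed in the post: (field id, name, length in bytes), in record order.
NEL_FIELDS = [
    (8, "ipv4SourceAddress", 4),
    (225, "natInsideGlobalAddress", 4),
    (12, "ipv4DestinationAddress", 4),
    (226, "natOutsideGlobalAddress", 4),
    (7, "sourceTransportPort", 2),
    (227, "postNAPTSourceTransportPort", 2),
    (11, "destinationTransportPort", 2),
    (228, "postNAPTDestinationTransportPort", 2),
    (234, "ingressVRFID", 4),
    (4, "protocol", 1),
    (230, "natEvent", 1),
]
RECORD_SIZE = sum(length for _, _, length in NEL_FIELDS)  # 30, as nfacctd reports
ADDRESS_IDS = {8, 12, 225, 226}
NAT_EVENTS = {1: "create", 2: "delete"}  # assumed labels; other values stay numeric

def decode_record(buf):
    """Decode one fixed-size NAT record; all fields are big-endian."""
    if len(buf) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(buf)}")
    out, offset = {}, 0
    for field_id, name, length in NEL_FIELDS:
        raw = buf[offset:offset + length]
        out[name] = (str(ipaddress.IPv4Address(raw)) if field_id in ADDRESS_IDS
                     else int.from_bytes(raw, "big"))
        offset += length
    out["natEvent"] = NAT_EVENTS.get(out["natEvent"], out["natEvent"])
    return out

def decode_flowset_payload(payload):
    """Decode every whole record; trailing FlowSet padding is ignored."""
    usable = len(payload) - len(payload) % RECORD_SIZE
    return [decode_record(payload[i:i + RECORD_SIZE])
            for i in range(0, usable, RECORD_SIZE)]

# Constructed sample: one record followed by 2 bytes of FlowSet padding.
def _ip(text):
    return ipaddress.IPv4Address(text).packed
SAMPLE = struct.pack("!4s4s4s4sHHHHIBB", _ip("192.168.1.10"), _ip("203.0.113.5"),
                     _ip("198.51.100.7"), _ip("198.51.100.7"),
                     51000, 1024, 443, 443, 0, 6, 1) + b"\x00\x00"

if __name__ == "__main__":
    print(decode_flowset_payload(SAMPLE))
```

The input is the payload of a data FlowSet, that is, the bytes after the 4-byte FlowSet header, for the template carrying these eleven fields.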
