From owner-freebsd-net@FreeBSD.ORG Wed Oct 30 10:40:53 2013
From: Dennis Yusupoff <dyr@smartspb.net>
To: freebsd-net@freebsd.org
Date: Wed, 30 Oct 2013 14:40:44 +0400
Message-ID: <5270E22C.1060408@smartspb.net>
Subject: [Feature Request] (ng_)netflow additional
List-Id: Networking and TCP/IP with FreeBSD

Good day everyone. To be brief:

1. It would be really useful for CGNAT providers to have the ability to record customer IPs in traffic before and after NAT, as has already been done in ipt_NETFLOW under Linux or in the Cisco ASA series.
=== begin of cut https://github.com/aabc/ipt-netflow/blob/master/README ===

natevents=1 - Collect and send NAT translation events as NetFlow Event Logging (NEL) for NetFlow v9/IPFIX, or as dummy flows compatible with NetFlow v5. Default is 0 (don't send).

For the NetFlow v5 protocol the meaning of the fields in dummy flows is as follows:
  Src IP, Src Port is the pre-NAT source address.
  Dst IP, Dst Port is the post-NAT destination address.
  - These two fields are made equal to the data flows caught in the FORWARD chain.
  Nexthop, Src AS is the post-NAT source address for SNAT.
  Or, Nexthop, Dst AS is the pre-NAT destination address for DNAT.
  TCP Flags is SYN+ACK for the start event, RST+FIN for the stop event.
  Pkt/Traffic size is 0 (zero), so it won't interfere with accounting.

=== end of cut ===

2. Is it possible for the user to specify some field in NetFlow v9, for example /IF_DESC/ or /APPLICATION DESCRIPTION/, according to http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9_ps6601_Products_White_Paper.html? If not, it would be really nice to see. Usage example: a customer requested another IP on an interface where we collect netflow traffic, so when we have to give a traffic report we don't have any *unique* identifier in the netflow flows which could be helpful. It's a real pity.

Thank you for your consideration!

-- 
Best regards,
Dennis Yusupoff,
network engineer of Smart-Telecom ISP
Russia, Saint-Petersburg
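The NetFlow v5 dummy-flow encoding quoted from the ipt-netflow README above, as an added worked example that is not part of the original message, of ipt-netflow, or of FreeBSD's ng_netflow: a Python decoder that parses v5 export datagrams, separates the NAT events from ordinary accounting flows (zero packets and bytes plus the SYN+ACK or RST+FIN marker), and answers the question a CGNAT operator actually gets from an abuse desk: which private address held a given public IP:port at time T. The datagrams are constructed here. One assumption is taken from the README wording and not verified against the ipt-netflow source: an SNAT event carries the post-NAT source port in the Src AS field, a DNAT event the pre-NAT destination port in the Dst AS field, and a consumer tells the two apart by which AS field is non-zero.

```python
import ipaddress
import struct

# NetFlow v5 wire format: 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
NAT_START = TCP_SYN | TCP_ACK   # translation created (per the README cut)
NAT_STOP = TCP_RST | TCP_FIN    # translation torn down


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def build_v5_packet(records, unix_secs):
    """Constructed test data: encode record dicts as one NetFlow v5 datagram."""
    body = b"".join(
        V5_RECORD.pack(_ip(r["src"]), _ip(r["dst"]), _ip(r["nexthop"]), 0, 0,
                       r["pkts"], r["octets"], 0, 0, r["sport"], r["dport"],
                       0, r["flags"], 6, 0, r["src_as"], r["dst_as"], 0, 0, 0)
        for r in records)
    return V5_HEADER.pack(5, len(records), 0, unix_secs, 0, 0, 0, 0, 0) + body


def parse_v5(packet):
    """Decode a NetFlow v5 datagram into record dicts; reject malformed input
    instead of trusting the header's record count blindly."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, _, unix_secs, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError("not NetFlow v5")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated: header count exceeds payload")
    out = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        out.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "nexthop": str(ipaddress.IPv4Address(f[2])), "pkts": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13],
            "src_as": f[15], "dst_as": f[16], "time": unix_secs,
        })
    return out


def nat_event(rec):
    """Map a dummy flow to a NAT event, or None for a real accounting flow.
    Assumption (README wording, not verified against ipt-netflow source):
    SNAT puts the post-NAT port in src_as, DNAT puts the pre-NAT port in dst_as."""
    if rec["pkts"] or rec["octets"]:
        return None                       # carries traffic: never a NAT event
    if rec["flags"] == NAT_START:
        kind = "start"
    elif rec["flags"] == NAT_STOP:
        kind = "stop"
    else:
        return None
    if rec["src_as"]:                     # SNAT: nexthop/src_as = post-NAT source
        return {"event": kind, "nat": "SNAT", "time": rec["time"],
                "pre": (rec["src"], rec["sport"]), "post": (rec["nexthop"], rec["src_as"]),
                "peer": (rec["dst"], rec["dport"])}
    if rec["dst_as"]:                     # DNAT: nexthop/dst_as = pre-NAT destination
        return {"event": kind, "nat": "DNAT", "time": rec["time"],
                "pre": (rec["nexthop"], rec["dst_as"]), "post": (rec["dst"], rec["dport"]),
                "peer": (rec["src"], rec["sport"])}
    return None


def extract_events(packets):
    return [e for p in packets for e in map(nat_event, parse_v5(p)) if e]


def bindings(events):
    """Pair SNAT start/stop events into (pre, post, t_start, t_stop); t_stop is
    None for a translation that is still open."""
    open_, done = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["nat"] != "SNAT":
            continue
        key = (ev["pre"], ev["post"])
        if ev["event"] == "start":
            open_[key] = ev["time"]
        elif key in open_:
            done.append((ev["pre"], ev["post"], open_.pop(key), ev["time"]))
    return done + [(pre, post, t0, None) for (pre, post), t0 in open_.items()]


def who_had(events, public_ip, public_port, at):
    """CGNAT abuse lookup: private (ip, port) behind public_ip:public_port at time `at`."""
    for pre, post, t0, t1 in bindings(events):
        if post == (public_ip, public_port) and t0 <= at and (t1 is None or at <= t1):
            return pre
    return None


# Constructed sample: one accounting flow plus the SNAT start/stop pair for the same session.
_FLOW = dict(src="10.20.30.40", dst="93.184.216.34", nexthop="0.0.0.0", pkts=12, octets=9000,
             sport=51234, dport=443, flags=TCP_ACK, src_as=0, dst_as=0)
_NAT = dict(_FLOW, nexthop="203.0.113.7", pkts=0, octets=0, src_as=40001)
SAMPLE_PACKETS = [
    build_v5_packet([_FLOW, dict(_NAT, flags=NAT_START)], 1383129600),
    build_v5_packet([dict(_NAT, flags=NAT_STOP)], 1383129900),
]

if __name__ == "__main__":
    evs = extract_events(SAMPLE_PACKETS)
    print(who_had(evs, "203.0.113.7", 40001, 1383129700))
```

Two things a production collector adds on top of this: key every event on the exporter address as well, because two CGNAT boxes can legitimately hand out the same public IP:port at different times, and treat the stop-without-start case (events lost in UDP transit) by ageing open bindings rather than keeping them forever. The v5 encoding also loses the transport protocol of the translation in the AS fields, which is one of the reasons the README offers NEL over v9/IPFIX as the preferred form.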