Hello,
I’m trying to set up a NAT logging system to comply with local regulation (copyright infringement and so on) in a RouterOS 6.48 environment.
I’m completely new to NetFlow/IPFIX world.
I intend (but I’m not 100% sure yet) to save NAT translation details and leave out outbound flows’ destination addresses and ports.
My lab setup includes:
- a hEX PoE with 6.48 connected to a LAN
- a Debian Bullseye host acting as a NetFlow/IPFIX collector
- a laptop connected to the hEX PoE
WebFig allows NAT events inclusion. It seems NAT Events in IPFIX are covered by RFC 8158.
- Do you know if package nfdump can process such NAT Events (looking at [1], it seems it cannot)?
- I tried pmacct with the command below. This command prints lines on stdout such as the ones below.
As you may see, timestamp values (start and end) are identical.
Where does it come from? From my RouterOS device or from nfacctd?
SRC_IP SRC_PORT PROTOCOL POST_NAT_SRC_IP POST_NAT_SRC_PORT NAT_EVENT TIMESTAMP_START TIMESTAMP_END PACKETS BYTES
192.168.33.44 57088 tcp 192.168.64.70 57088 0 2022-03-09 17:40:45.000000 2022-03-09 17:40:45.000000 14 2750
[1] https://github.com/phaag/nfdump/pull/102
Best regards