Open mugugnu opened 3 years ago
saymonaraujo
commented
3 years ago Hello,
Should not be overwritten. The NAT/PAT overwrite the source IP address of the packet in the Layer3. The flow information its on the packet data as a exemple
In the field: Agent Address will be the IP of the SamplerAddress(At least shold be) if the GoFlow daemon parse the source-ip in the layer3 as the SamplerAddress this is a bug and must be fixed.
mugugnu
commented
3 years ago Hello, the screenshot you provided shows, as far as i understand, traffic from sFlow protocol. I'm actually using netflow v5. Is it possibile that they are actually different and netflow5 lacks the agent address field, so that goflow has no other options than using the layer3 source ip ?
The code in goflow, for netflow v5, seems to do this, but i might be wrong:
`func (s *StateNetFlow) DecodeFlow(msg interface{}) error {
pkt := msg.(BaseMessage)
buf := bytes.NewBuffer(pkt.Payload) key := pkt.Src.String()
samplerAddress := pkt.Src
if samplerAddress.To4() != nil {
samplerAddress = samplerAddress.To4()
}`
saymonaraujo
commented
3 years ago Sorry for this, I don't think Netflow has this field. But to be shure you will have to do a tcpdump and analyze the packet.
Hello, i'm investigating a little bit on this SamplerAddress attribute, as my concern is that it is getting overwritten when passing through a NAT. It is not read from the netflow payload but from the packet header, isn't it ? I can't find any reference of this attribute in the netflow protocol format...but it seems weird that it was not included...am i right or am i missing something ?