Nfcapd forwards to second collector but we lose exporter IP info
All of my exporters are sending to nfcapd, and nfcapd forwards to a second collector (ManageEngine). I like this because nfcapd offers a lot of flexibility over our commercial collector.
The major problem now is that I cannot sort the flows by exporter IP as ManageEngine thinks all flows come from nfcapd.
Is there a way to make nfcapd spoof the IP of the exporters somehow?
I know there is a field that netflow proxies use sometimes called "exporterIPv4Address". When using the -R option, could this field be added to the forwarded records?
Thanks!
nfcapd does not modify the packet content. Therefore it does not add exporterIPv4Address into the stream.
One option may be spoofing the sending IP, pretending the packet comes from the original source. This would imply running nfcapd as root or priv-sep two processes. Furthermore, spoofing may trigger all sorts of network monitoring systems.
If this is all fine with you I can think about a possible implementation.
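To make the attribution problem concrete, here is an added example (not nfdump code) that decodes the NetFlow v9 packet header and derives the key a collector uses to tell exporters apart; the addresses and packets are constructed for illustration.

```python
import struct
from typing import NamedTuple


class V9Header(NamedTuple):
    version: int
    count: int
    sys_uptime_ms: int
    unix_secs: int
    sequence: int
    source_id: int


def parse_v9_header(datagram: bytes) -> V9Header:
    """Decode the 20-byte NetFlow v9 packet header (RFC 3954, section 5.1)."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than a v9 header")
    fields = struct.unpack("!HHIIII", datagram[:20])
    if fields[0] != 9:
        raise ValueError(f"not NetFlow v9 (version={fields[0]})")
    return V9Header(*fields)


def exporter_key(src_addr: str, datagram: bytes) -> tuple[str, int]:
    """Key a collector uses to distinguish exporters: UDP source address plus Source ID.
    No header field carries the exporter's own IP, so a repeater that re-sends the
    datagram from its own address replaces the first half of the key."""
    return (src_addr, parse_v9_header(datagram).source_id)


def make_v9(count: int, uptime_ms: int, secs: int, seq: int, source_id: int) -> bytes:
    """Constructed header-only sample packet (no FlowSets), for illustration."""
    return struct.pack("!HHIIII", 9, count, uptime_ms, secs, seq, source_id)


# Constructed addresses: two routers and the nfcapd host that repeats their packets.
ROUTER_A, ROUTER_B, NFCAPD = "192.0.2.10", "192.0.2.20", "192.0.2.5"
PKT_A = make_v9(0, 1_000, 1_700_000_000, 1, 0)
PKT_B = make_v9(0, 2_000, 1_700_000_000, 7, 0)


def exporters_seen(arrivals: list[tuple[str, bytes]]) -> list[tuple[str, int]]:
    """Distinct exporters the second collector derives from (src_addr, datagram) pairs."""
    return sorted({exporter_key(addr, pkt) for addr, pkt in arrivals})


def compare() -> tuple[int, int]:
    """Exporter count seen when routers send directly vs. via an unspoofed repeater."""
    direct = exporters_seen([(ROUTER_A, PKT_A), (ROUTER_B, PKT_B)])
    repeated = exporters_seen([(NFCAPD, PKT_A), (NFCAPD, PKT_B)])  # -R without spoofing
    return len(direct), len(repeated)
```

Exporters that report distinct Source IDs remain distinguishable even when repeated, but only if the second collector keys on that field; preserving the original source address restores the full key.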
Hello,
Triggering monitoring systems is not an issue for us, the forwarding will be done on a LAN. It would be great if you could provide a few directions to set this up!
We are using something similar for our log collection. Everything goes into rSyslog, then rSyslog forwards to a SIEM. The SIEM was seeing everything coming from rSyslog instead of the original devices, which is not perfect because some devices don't put their names properly in the log messages. rSyslog has a UDP spoof module, easy to load and use. Maybe this is something that could also be implemented permanently in Nfcapd in the future, if you have the time of course : )
Thanks a lot for the help!
Hello, just wondering if you were able to think about a way to achieve this? Just wanted a quick friendly update : )
Thank you!
Sorry for being late - I need more time. If you need a quick fix, check out samplicator for now.
- I would like such a feature in nfreplay.
Hello, do you know if this feature will come at any point? I need to use Samplicator to repeat the flows to an external collector, I would rather use Nfcapd instead.
Yes - it is still on the todo list.
The master repo is updated with IP spoofing for the packet repeater. It's enabled with option -A. See nfcapd(1). Please check and report back.
Issue closed. Feel free to reopen, if you run into problems.
Hello, thank you very much for this feature, I will try it very soon!