For data analisys on NAT flows on external systems IPFIX export is available (aka netflow v10).

Settings of NAT flows export:

ipfix_dev=em1
ipfix_nat_udp_collectors=1.2.3.4:1500,1.2.3.5:1501
ipfix_nat_tcp_collectors=1.2.3.6:9418

here

• em1 - network device name for export
• ipfix_nat_udp_collectors - addresses of udp collectors
• ipfix_nat_tcp_collectors - addresses of tcp collectors

To collect information in IPFIX any universal collector can be used or IPFIX Receiver utility.

Also NAT information is transmited in fields postNATsourceIPv4Address and postNAPTsourceTransportPort in IPFIX export full Netflow

Settings for NAT flow export in text file on Stingray Service Gateway DPI server are in the configuration file /etc/dpi/fastdpi.conf:

ajb_save_nat=1
ajb_save_nat_format=ts:ssid:event:login:proto:ipsrc:portsrc:ipsrcpostnat:portsrcpostnat:ipdst:portdst
ajb_nat_path=/var/dump/dpi
ajb_nat_ftimeout=30

here

• ajb_save_nat=1 activate export NAT flows in text file
• ajb_nat_path=/var/dump/dpi directory for files with NAT flows (default /var/dump/dpi)
• ajb_nat_ftimeout=30 time period of records
• ajb_save_nat_format=ts:ssid:event:login:proto:ipsrc:portsrc:ipsrcpostnat:portsrcpostnat:ipdst:portdst list and order of recorder fields, here
  • ts - timestamp
  • ssid - session id (for link with Netflow/IPFIX by volume)
  • event - event : 1 - NAT44 Session create, 2 - NAT44 Session delete
  • login - subscriber login
  • ipsrc - IP address of request source (subscriber)
  • portsrc - port of request source (subscriber)
  • ipsrcpostnat - IP address of request source (subscriber) after NAT translation
  • portsrcpostnat - port of request source (subscriber) after NAT translation
  • ipdst - destination IP address (host)
  • portdst - destination port (host).

file system for writing logs must be fast and local (no NFS and other remotes), this type of journaling is recommended only for short-term diagnostics