I have three IPs on the WAN interface (192.168.1.10, 192.168.1.11, 192.168.1.12) and a LAN (192.168.10.1); the LAN users (192.168.10.2 ~ 192.168.10.254) will be NATed to the three WAN IPs. How do I log the NAT connection state to pflog0 in a format like that of pfctl -ss?
Code:
# pfctl -ss
all udp 192.168.10.12:29919 -> 192.168.1.13:50106 -> 58.60.9.124:9910 MULTIPLE:MULTIPLE
all udp 113.109.164.226:29919 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.11:64067 -> 113.109.164.226:29919 SINGLE:NO_TRAFFIC
all udp 119.101.106.11:29919 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.12:59317 -> 119.101.106.11:29919 SINGLE:NO_TRAFFIC
all udp 125.73.72.155:29919 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.13:56875 -> 125.73.72.155:29919 SINGLE:NO_TRAFFIC
all udp 219.237.146.144:30179 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.10:56640 -> 219.237.146.144:30179 SINGLE:NO_TRAFFIC
all udp 119.96.19.121:29919 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.11:50983 -> 119.96.19.121:29919 SINGLE:NO_TRAFFIC
all udp 123.149.128.235:30277 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.12:63786 -> 123.149.128.235:30277 SINGLE:NO_TRAFFIC
all udp 111.226.0.100:30036 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.13:54929 -> 111.226.0.100:30036 SINGLE:NO_TRAFFIC
all udp 222.87.179.23:29919 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.10:56586 -> 222.87.179.23:29919 SINGLE:NO_TRAFFIC
all udp 116.1.157.236:30159 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.11:56335 -> 116.1.157.236:30159 SINGLE:NO_TRAFFIC
all udp 222.202.96.147:8000 <- 192.168.10.12:29919 SINGLE:MULTIPLE
all udp 192.168.10.12:29919 -> 192.168.1.12:51670 -> 222.202.96.147:8000 MULTIPLE:SINGLE
all udp 222.41.242.247:29919 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.13:56056 -> 222.41.242.247:29919 SINGLE:NO_TRAFFIC
all udp 222.220.166.196:30242 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.10:65514 -> 222.220.166.196:30242 SINGLE:NO_TRAFFIC
all udp 122.239.2.156:30563 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.11:63826 -> 122.239.2.156:30563 SINGLE:NO_TRAFFIC
all udp 118.118.248.13:30311 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.12:55583 -> 118.118.248.13:30311 SINGLE:NO_TRAFFIC
all udp 58.39.1.4:30450 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.13:55675 -> 58.39.1.4:30450 SINGLE:NO_TRAFFIC
When I use the rule
Code:
nat pass log (all) on le0 inet from 192.168.10.0/24 to any -> { 192.168.1.10, 192.168.1.12, 192.168.1.13 } round-robin
Code:
#/usr/sbin/tcpdump -s 1024 -v -l -n -e -ttt -i pflog0
000000 rule 5/0(match): nat out on le0: (tos 0x0, ttl 127, id 28785, offset 0, flags [DF], proto TCP (6), length 40) 192.168.1.10.61357 > 218.60.11.231.80: ., cksum 0xd165 (correct), ack 2381509614 win 65535
003117 rule 5/0(match): nat in on le0: (tos 0x0, ttl 117, id 34107, offset 0, flags [none], proto UDP (17), length 1078) 221.198.170.50.29909 > 192.168.10.12.29909: UDP, length 1050
001395 rule 5/0(match): nat in on le0: (tos 0x0, ttl 54, id 10366, offset 0, flags [none], proto UDP (17), length 1078) 222.140.175.137.29909 > 192.168.10.12.29909: UDP, length 1050
000372 rule 5/0(match): nat in on le0: (tos 0x0, ttl 118, id 10037, offset 0, flags [none], proto UDP (17), length 1078) 113.194.163.230.29909 > 192.168.10.12.29909: UDP, length 1050
000389 rule 5/0(match): nat out on le0: (tos 0x0, ttl 127, id 2127, offset 0, flags [none], proto UDP (17), length 49) 192.168.1.13.59641 > 222.140.175.137.29909: UDP, length 21
001184 rule 5/0(match): nat out on le0: (tos 0x0, ttl 127, id 12644, offset 0, flags [none], proto UDP (17), length 49) 192.168.1.10.64363 > 113.194.163.230.29909: UDP, length 21
000075 rule 5/0(match): nat out on le0: (tos 0x0, ttl 127, id 22333, offset 0, flags [none], proto UDP (17), length 49) 192.168.1.10.64363 > 113.194.163.230.29909: UDP, length 21
000007 rule 5/0(match): nat out on le0: (tos 0x0, ttl 127, id 6176, offset 0, flags [none], proto UDP (17), length 49) 192.168.1.10.64363 > 113.194.163.230.29909: UDP, length 21
000008 rule 5/0(match): nat out on le0: (tos 0x0, ttl 127, id 30284, offset 0, flags [none], proto UDP (17), length 49) 192.168.1.12.56015 > 220.248.190.9.20754: UDP, length 21
000004 rule 5/0(match): nat out on le0: (tos 0x0, ttl 127, id 34565, offset 0, flags [none], proto UDP (17), length 49) 192.168.1.13.52422 > 121.26.54.44.29909: UDP, length 21
000003 rule 5/0(match): nat out on le0: (tos 0x0, ttl 127, id 40007, offset 0, flags [none], proto UDP (17), length 49) 192.168.1.12.58729 > 118.78.144.18.1029: UDP, length 21
000001 rule 5/0(match): nat out on le0: (tos 0x0, ttl 127, id 58885, offset 0, flags [none], proto UDP (17), length 49) 192.168.1.13.55502 > 221.198.170.50.29909: UDP, length 21
000001 rule 5/0(match): nat out on le0: (tos 0x0, ttl 127, id 7701, offset 0, flags [none], proto UDP (17), length 49) 192.168.1.13.59641 > 222.140.175.137.29909: UDP, length 21
I want the pfctl -ss output result; how do I do that?
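As an added example (not from the post and not part of pf), here is a small Python parser for the pfctl -ss lines above: pflog0 only records packets matched by rules carrying the log keyword, so the state table is normally captured by running pfctl -ss periodically and turning each line into a log record. The regexes, the log line format and the "remote <- LAN host" reading of the reply-direction lines are my assumptions based on the listing in the post.

```python
import re
from collections import Counter
# Lines taken from the pfctl -ss listing in the post. An outbound state reads
# "LAN source -> NAT address -> destination"; its reply-direction twin reads
# "remote <- LAN host" (assumed reading; no NAT hop is printed there).
SAMPLE = """\
all udp 192.168.10.12:29919 -> 192.168.1.13:50106 -> 58.60.9.124:9910 MULTIPLE:MULTIPLE
all udp 113.109.164.226:29919 <- 192.168.10.12:29919 NO_TRAFFIC:SINGLE
all udp 192.168.10.12:29919 -> 192.168.1.11:64067 -> 113.109.164.226:29919 SINGLE:NO_TRAFFIC
all udp 192.168.10.12:29919 -> 192.168.1.12:59317 -> 119.101.106.11:29919 SINGLE:NO_TRAFFIC
all udp 192.168.10.12:29919 -> 192.168.1.10:56640 -> 219.237.146.144:30179 SINGLE:NO_TRAFFIC
"""
EP = r"(\S+):(\d+)"  # one host:port endpoint
# "<if> <proto> <src> [-> <nat>] -> <dst> <state>"; NAT hop only when translated
OUT_RE = re.compile(rf"^(\S+) (\S+) {EP} (?:-> {EP} )?-> {EP} (\S+)$")
# "<if> <proto> <remote> <- <lan host> <state>" (reply-direction state)
IN_RE = re.compile(rf"^(\S+) (\S+) {EP} <- {EP} (\S+)$")

def parse_state(line):
    """Parse one pfctl -ss line into a dict, or return None if it does not match."""
    m = OUT_RE.match(line.strip())
    if m:
        iface, proto, s, sp, n, np_, d, dp, st = m.groups()
        return {"if": iface, "proto": proto, "dir": "out", "src": (s, int(sp)),
                "nat": (n, int(np_)) if n else None, "dst": (d, int(dp)), "state": st}
    m = IN_RE.match(line.strip())
    if m:  # stored from the LAN host's view so both states of a flow share src/dst
        iface, proto, d, dp, s, sp, st = m.groups()
        return {"if": iface, "proto": proto, "dir": "in", "src": (s, int(sp)),
                "nat": None, "dst": (d, int(dp)), "state": st}
    return None

def log_line(st):
    """Render a parsed state as one syslog-friendly line (format is my own)."""
    via = f" via {st['nat'][0]}:{st['nat'][1]}" if st["nat"] else ""
    return (f"{st['dir']} {st['proto']} {st['src'][0]}:{st['src'][1]}{via}"
            f" -> {st['dst'][0]}:{st['dst'][1]} [{st['state']}]")

def nat_usage(text):
    """Count translated outbound states per NAT address: a round-robin sanity check."""
    counts = Counter()
    for line in text.splitlines():
        st = parse_state(line)
        if st and st["nat"]:
            counts[st["nat"][0]] += 1
    return dict(counts)

# Example run over the sample; in practice pipe `pfctl -ss` output through this
for line in SAMPLE.splitlines():
    print(log_line(parse_state(line)))
```

Each printed line can be handed to logger(1) on a cron schedule, and nat_usage() shows whether the round-robin pool is actually being spread across all WAN addresses.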