I have a GNU/Linux system on which I'm extracting the flow-tuple (src and dst IP, src and dst port, and protocol) with download and upload bytes using the nf_conntrack.
How can I extract the post-NAT source IP?
I'm using libnetfilter_conntrack right now.
The post NAT address was shown in the reply tuple as the destination address. This can be used to extract the post-nat IP.
struct nf_conntrack *ct;
ct->repl.dst.v4