I'm trying to analyze traffic crossing an Internet exposed box (F5 Big-IP with sFlow support). There are two interfaces (to simplify it) - outside with public IP and internal with private IP address. I'd like to monitor both upstream (toward Internet) and downstream (from Internet) traffic with original IP addresses retained which appears to be problem for downstream traffic where I see destination public IP instead of private IP of the real destination.
The solution would be to filter only flows from internal interface, but sFlow sensor seems to process only ingress flows and I end up with one-directional (upstream traffic) analysis only. There are definitively data describing both ingress and egress flows sent from Big-IP box to sensor - I can see them using different tool (sFlowTrend).
Any idea is appreciated :)