OK, I thought this was a pretty cool idea.
I did this with a lab setup, and Im pretty sure it could cause performance impacts, and void you warranty, and potentially bring about the end of the know universe.
Here is what I did:
Downloaded fprobe from: http://fprobe.sourceforge.net/
I compiled fprobe on a development box and copied the ./src/fprobe file to my webgateway v7.3 box.
I then started fprobe on the webgateway:
./fprobe -i INTERFACE_TO_MONITOR IP_OF_COLLECTOR:9995
Low and behold it started sending netflow.
Im sure there are a lot of other thnigs that can be done such as using fprobe-ulog, configuring fprobe to do multiple interfaces, other formats, etc, but I figure this may get teh ball rolling any other people can throw out ideas as well.
I started to do the same thing, but got sidetracked and never finished. So kudos, Nick, on getting further.
But as i thought about it, wouldn't the actual data that you are capturing only represent one flow from the client to the proxy, and another flow from the proxy to the site?
I suspect John is trying to get the end-to-end relationship between client IP and web server IP. I'm not so sure that will happen, even in transparent bridge.
i don't know what raw netflow data looks like, so i am speculating.
I think you are right. I have been contemplating this since reading the OP. I cant see any solution where you can get a Netflow V9 type packet where you know what the NAT translation is. I am not running a transparent proxy so I dont know how the host is configured in that scenario, but using an explicit proxy I assume the mwg process does the translation from interfaces and does not depend on iptables for the routing. So in my scenario I am not giving anything more then what you would get from the nearest switch.