{{indexmenu_n>6}}
======Working with NAT Flow. How to find a subscriber after NAT======
<note tip>The following components are required for this functionality to work: [[dpi:dpi_components:qoestor|QoE Stor Module]] и [[dpi:dpi_components:dpiui|SSG DPI control interface]].\\
Description for configuring NAT in QoE: [[dpi:dpi_components:qoestor:configuration:nat_flow]]</note>

=====Example of working with abuse letters=====

This tutorial is how to find the specific subscriber who is reported abuse.\\
The abuse email usually contains a global address from a NAT pool. We need to understand which of the subscribers went to the resource where the virus activity was detected at a known time behind this NAT-pool.\\
We need to perform **two steps** — find the necessary information in the abuse email and use it to identify the subscriber in the GUI of the Stingray.

====Step 1. Research the email====
  - The address from your NAT pool (source IP).
  - Address of the attacked resource (destination IP)
  - Activity time on the attacked resource //(considering the time zones!)//

  * **Example 1.** \\ {{dpi:opt_cgnat:cgnat_faq:email-ex-1.png?nolink&600|}}

  * ** Example 2.** \\ {{dpi:opt_cgnat:cgnat_faq:email-ex-2.png?nolink&600|}}

More can be found useful in the email:
  - Reason of abuse \\ {{dpi:opt_cgnat:cgnat_faq:email-abuse-type.png?nolink&600|}}
  - History of abuse (if the activity was repeated) \\ {{dpi:opt_cgnat:cgnat_faq:email-abuse-logs.png?nolink&600|}}

This can help you understand the scope of the problem and identify similar problems on your network.

====Step 2. Looking for subscriber activity in the GUI====
The task is to determine from the logs which subscriber behind the NAT-pool (source IP) specified in the letter was accessing the destination IP at that time.

Before you start the search it is worth checking two facts:
  - The NAT pool in question is set to CG-NAT in Stingray. \\ {{dpi:opt_cgnat:cgnat_faq:nat_pool.png?direct&600|}}
  - The NAT log storage time captures the time of activity. View and configure \\ {{dpi:opt_cgnat:cgnat_faq:nat_log_lifetime.png?direct&600|}}

Then in the GUI you need to open the section NAT flow, select a period, enter the source and destination IP. \\
  * {{dpi:opt_cgnat:cgnat_faq:nat_flow_src_dest_1.png?direct&600|}}

  * {{dpi:opt_cgnat:cgnat_faq:nat_flow_src_dest_2.png?direct&600|}}
<note>Perform the necessary actions with the found subscriber to prevent further abuse.</note>