Codebase list nfdump / upstream/1.5.7 nfcapd.1
upstream/1.5.7

Tree @upstream/1.5.7 (Download .tar.gz)

nfcapd.1 @upstream/1.5.7raw · history · blame 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
.TH nfcapd 1 2005-08-19 "" ""
.SH NAME
nfcapd \- netflow capture daemon
.SH SYNOPSIS
.HP 5
.B nfcapd [options]
.SH DESCRIPTION
.B nfcapd
is the netflow capture daemon of the nfdump tools. It reads netflow
data from the network and stores it into files. The output file
is automatically rotated and renamed every n minutes - typically
5 min - according the timestamp YYYYMMddhhmm of the interval e.g. 
nfcapd.200407110845 contains the data from July 11th 2004 08:45 onward.
.P
Netflow version v5, v7 and v9 are transparently supported.

.SH OPTIONS
.TP 3
.B -p \fIportnum
Specifies the port number to listen. Default port is 9995
.TP 3
.B -b \fIbindhost
Specifies the hostname/IPv4/IPv6 address to bind for listening. Can be an IP
address or a hostname, resolving to an IP address attached to an interface.
Defaults to any available IPv4 interface, if not specified.
.TP 3
.B -4
Forces nfcapd to listen on IPv4 addresses only. Can be used together with -b
if a hostname has an IPv4 and IPv6 address record.
.TP 3
.B -6
Forces nfcapd to listen on IPv6 addresses only. Can be used together with -b
if a hostname has an IPv4 and IPv6 address record.
.TP 3
.B -j \fIMulticastGroup
Join the specified IPv4 or IPv6 multicast group for listening. 
.TP 3
.B -R \fIhost[/port}
Enable packet repeater. Send all incoming packets to another \fIhost\fR and \fIport\fR.
\fIhost\fR is either a valid IPv4/IPv6 address, or a valid symbolic hostname, which resolves to 
a IPv6 or IPv4 address. \fIport\fR may be ommited and defaults to port 9995. Note: Due to IPv4/IPv6
accepted addresses the port separator is '/'.
.TP 3
.B -l \fIbase_directory
Specifies the base directory to store the output files. Default is /var/tmp
If a sub hierarchy is specified with -S the final directory is concatenated 
to \fIbase_directory/sub_hierarchy
.TP 3
.B -S \fI<num>
Allows to specify an additional directory sub hierarchy to store 
the data files. The default is 0, no sub hierarchy, which means the 
files go directly in the base directory (-l). The base directory (-l) is
concatenated with the specified sub hierarchy format to form the final 
data directory.  The following hierarchies are defined:
.PD 0
.RS 4
 0 default     no hierachy levels
.P
 1 %Y/%m/%d    year/month/day
.P
 2 %Y/%m/%d/%H year/month/day/hour
.P
 3 %Y/%W/%u    year/week_of_year/day_of_week
.P
 4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
.P
 5 %Y/%j       year/day-of-year
.P
 6 %Y/%j/%H    year/day-of-year/hour
.P
 7 %Y-%m-%d    year-month-day
.P
 8 %Y-%m-%d/%H year-month-day/hour
.RE
.PD
.TP 3
.B -t \fIinterval
Specifies the time interval in seconds to rotate files. The default value 
is 300s ( 5min ).
.TP 3
.B -w
Align file rotation with next n minute ( specified by -t ) interval. 
Example: If interval is 5 min, sync at 0,5,10... wall clock minutes 
Default: no alignment.
.TP 3
.B -x \fIcmd
Run command \fIcmd\fR at the end of every interval, when a new file
becomes available. The following command expansion is available:
.PD 0
.RS 4
%f	Replaced by the file name e.g nfcapd.200407110845 inluding any
.P
     sub hierachy. ( 2004/07/11/nfcapd.200407110845 )
.P
%d	Replaced by the directory where the file is located.
.P
%t	Replaced by the time ISO format e.g. 200407110845.
.P
%u	Replaced by the UNIX time format.
.P
%i	Replaced ident string given by -I
.RE
.PD
.TP 3
.B -e 
Auto expire files at every cycle. \fImax lifetime\fP and \fImax filesize\fP
are defined using nfexpire(1)
.TP 3
.B -P \fIpidfile
Specify name of pidfile. Default is no pidfile.
.TP 3
.B -D
Daemon mode: fork to background and detach from terminal.
Nfcapd terminates on signal TERM, INT and HUP.
.TP 3
.B -u \fIuserid
Change to the user \fIuserid\fP as soon as possible. Only root is allowed
to use this option.
.TP 3
.B -g \fIgroupid
Change to the group \fIgroupid\fP as soon as possible. Only root is allowed 
use this option.
.TP 3
.B -I \fIIdentString
Specifies an ident string, which describes the source e.g. the 
name of the router. This string is put into the stat record to identify
the source. Default is 'none'.
.TP 3
.B -B \fIbufflen
Specifies the socket input buffer length in bytes. For high volume traffic 
( near GB traffic ) it is recommended to set this value as high as possible 
( typically > 100k ), otherwise you risk to lose packets. The default 
is OS ( and kernel )  dependent.
.TP 3
.B -E
Print netflow records in nfdump raw format to stdout. This option is for 
debugging purpose only, to see how incoming netflow data is processed and stored.
.TP 3
.B -z
Compress flows. Use fast LZO1X-1 compression in output file.
.TP 3
.B -V
Print nfcapd version and exit.
.TP 3
.B -h
Print help text to stdout with all options and exit.
.SH "RETURN VALUE"
Returns 0 on success, or 255 if initialization failed.
.SH "LOGGING"
nfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON
For normal operation level 'warning' should be fine. 
More information is reported at level 'info' and 'debug'.
.P
A small statistic about the collected flows, as well as errors
are reported at the end of every interval to syslog with level 'info'.
.SH "EXAMPLES"
nfcapd -z -w -D -l /netflow/spool/router1 -S "%Y/%m/%d/%H" 
.P
nfcapd -w -D -l /netflow/spool/router1 -p 23456 -B 128000 -I router1 -x '/path/nfprofile -p /to/profile/dir -s router1 -r %d/%f'  -P /var/run/nfcapd/nfcapd.router1
.SH NOTES
Even with netflow v9 support, not all defined elements are stored
in the data files. Current version of nfdump supports the following
fields:
.PD 0
.RS 4
.P
\fBNF9_LAST_SWITCHED\fR
.P
\fBNF9_FIRST_SWITCHED\fR
.P
\fBNF9_IN_BYTES\fR
.P
\fBNF9_IN_PACKETS\fR
.P
\fBNF9_FLOWS\fR
.P
\fBNF9_IN_PROTOCOL\fR
.P
\fBNF9_SRC_TOS\fR
.P
\fBNF9_TCP_FLAGS\fR
.P
\fBNF9_IPV4_SRC_ADDR\fR
.P
\fBNF9_IPV6_SRC_ADDR\fR
.P
\fBNF9_IPV4_DST_ADDR\fR
.P
\fBNF9_IPV6_DST_ADDR\fR
.P
\fBNF9_L4_SRC_PORT\fR
.P
\fBNF9_L4_DST_PORT\fR
.P
\fBNF9_INPUT_SNMP\fR
.P
\fBNF9_OUTPUT_SNMP\fR
.P
\fBNF9_SRC_AS\fR
.P
\fBNF9_DST_AS\fR
.RE
.PD
32 and 64 bit counters are supported for Bytes and Packets. 
More fields may be supported in future.
.P
The format of the data files is netflow version independant.
.P
Socket buffer: Setting the socket buffer size is system dependent. 
When starting up, nfcapd returns the number of bytes the buffer was 
actually set. This is done by reading back the buffer size and may 
differ from what you requested. 
.SH "SEE ALSO"
nfdump(1), nfprofile(1), nfreplay(1)
.SH BUGS
I only found the second last bug. Please report the last one back to me.