FreeBSD Manual Pages
nfcapd(1) nfcapd(1) NAME nfcapd - netflow capture daemon SYNOPSIS nfcapd [options] DESCRIPTION nfcapd is the netflow capture daemon of the nfdump tools. It reads net- flow data from the network and stores it into files. The output file is automatically rotated and renamed every n minutes - typically 5 min - according the timestamp YYYYMMddhhmm of the interval e.g. nf- capd.200407110845 contains the data from July 11th 2004 08:45 onward. Netflow version v5, v7 and v9 are transparently supported. OPTIONS -p portnum Specifies the port number to listen. Default port is 9995 -b bindhost Specifies the hostname/IPv4/IPv6 address to bind for listening. Can be an IP address or a hostname, resolving to an IP address attached to an interface. Defaults to any available IPv4 interface, if not specified. -4 Forces nfcapd to listen on IPv4 addresses only. Can be used together with -b if a hostname has an IPv4 and IPv6 address record. -6 Forces nfcapd to listen on IPv6 addresses only. Can be used together with -b if a hostname has an IPv4 and IPv6 address record. -j MulticastGroup Join the specified IPv4 or IPv6 multicast group for listening. -R host[/port} Enable packet repeater. Send all incoming packets to another host and port. host is either a valid IPv4/IPv6 address, or a valid sym- bolic hostname, which resolves to a IPv6 or IPv4 address. port may be ommited and defaults to port 9995. Note: Due to IPv4/IPv6 ac- cepted addresses the port separator is '/'. -l base_directory Specifies the base directory to store the output files. Default is /var/tmp If a sub hierarchy is specified with -S the final directory is concatenated to base_directory/sub_hierarchy -S _num_ Allows to specify an additional directory sub hierarchy to store the data files. The default is 0, no sub hierarchy, which means the files go directly in the base directory (-l). The base directory (-l) is concatenated with the specified sub hierarchy format to form the final data directory. The following hierarchies are defined: 0 default no hierachy levels 1 %Y/%m/%d year/month/day 2 %Y/%m/%d/%H year/month/day/hour 3 %Y/%W/%u year/week_of_year/day_of_week 4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour 5 %Y/%j year/day-of-year 6 %Y/%j/%H year/day-of-year/hour 7 %Y-%m-%d year-month-day 8 %Y-%m-%d/%H year-month-day/hour -t interval Specifies the time interval in seconds to rotate files. The default value is 300s ( 5min ). -w Align file rotation with next n minute ( specified by -t ) interval. Example: If interval is 5 min, sync at 0,5,10... wall clock minutes Default: no alignment. -x cmd Run command cmd at the end of every interval, when a new file be- comes available. The following command expansion is available: %f Replaced by the file name e.g nfcapd.200407110845 inluding any sub hierachy. ( 2004/07/11/nfcapd.200407110845 ) %d Replaced by the directory where the file is located. %t Replaced by the time ISO format e.g. 200407110845. %u Replaced by the UNIX time format. %i Replaced ident string given by -I -e Auto expire files at every cycle. max lifetime and max filesize are defined using nfexpire(1) -P pidfile Specify name of pidfile. Default is no pidfile. -D Daemon mode: fork to background and detach from terminal. Nfcapd terminates on signal TERM, INT and HUP. -u userid Change to the user userid as soon as possible. Only root is allowed to use this option. -g groupid Change to the group groupid as soon as possible. Only root is al- lowed use this option. -I IdentString Specifies an ident string, which describes the source e.g. the name of the router. This string is put into the stat record to identify the source. Default is 'none'. -B bufflen Specifies the socket input buffer length in bytes. For high volume traffic ( near GB traffic ) it is recommended to set this value as high as possible ( typically > 100k ), otherwise you risk to lose packets. The default is OS ( and kernel ) dependent. -E Print netflow records in nfdump raw format to stdout. This option is for debugging purpose only, to see how incoming netflow data is pro- cessed and stored. -V Print nfcapd version and exit. -h Print help text to stdout with all options and exit. RETURN VALUE Returns 0 on success, or 255 if initialization failed. LOGGING nfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON For normal opera- tion level 'warning' should be fine. More information is reported at level 'info' and 'debug'. A small statistic about the collected flows, as well as errors are re- ported at the end of every interval to syslog with level 'info'. EXAMPLES nfcapd -w -D -l /netflow/spool/router1 -S "%Y/%m/%d/%H" nfcapd -w -D -l /netflow/spool/router1 -p 23456 -B 128000 -I router1 -x '/path/nfprofile -p /to/profile/dir -s router1 -r %d/%f' -P /var/run/nfcapd/nfcapd.router1 NOTES Even with netflow v9 support, not all defined elements are stored in the data files. Current version of nfdump supports the following fields: NF9_LAST_SWITCHED NF9_FIRST_SWITCHED NF9_IN_BYTES NF9_IN_PACKETS NF9_FLOWS NF9_IN_PROTOCOL NF9_SRC_TOS NF9_TCP_FLAGS NF9_IPV4_SRC_ADDR NF9_IPV6_SRC_ADDR NF9_IPV4_DST_ADDR NF9_IPV6_DST_ADDR NF9_L4_SRC_PORT NF9_L4_DST_PORT NF9_INPUT_SNMP NF9_OUTPUT_SNMP NF9_SRC_AS NF9_DST_AS 32 and 64 bit counters are supported for Bytes and Packets. More fields may be supported in future. The format of the data files is netflow version independant. Socket buffer: Setting the socket buffer size is system dependent. When starting up, nfcapd returns the number of bytes the buffer was ac- tually set. This is done by reading back the buffer size and may differ from what you requested. SEE ALSO nfdump(1), nfprofile(1), nfreplay(1) BUGS I only found the second last bug. Please report the last one back to me. 2005-08-19 nfcapd(1)
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | RETURN VALUE | LOGGING | EXAMPLES | NOTES | SEE ALSO | BUGS
Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=nfcapd&sektion=1&manpath=FreeBSD+8.2-RELEASE+and+Ports>