nfcapd(1)							     nfcapd(1)

NAME
       nfcapd -	netflow	capture	daemon

SYNOPSIS
       nfcapd [options]

DESCRIPTION
       nfcapd is the netflow capture daemon of the nfdump tools. It reads
       netflow data from the network and stores it into files. The output file
       is automatically rotated and renamed every n minutes - typically 5 min -
       according to the timestamp YYYYMMddhhmm of the interval, e.g.
       nfcapd.200407110845 contains the data from July 11th 2004 08:45 onward.

       Netflow version v5, v7 and v9 are transparently supported.

OPTIONS
       -p portnum
	  Specifies the port number to listen on. Default port is 9995.

       -b bindhost
	  Specifies  the hostname/IPv4/IPv6 address to bind for	listening. Can
	  be an	IP address or a	hostname, resolving to an IP address  attached
	  to  an  interface.  Defaults to any available	IPv4 interface,	if not
	  specified.

       -4 Forces nfcapd	to listen on IPv4 addresses only. Can be used together
	  with -b if a hostname	has an IPv4 and	IPv6 address record.

       -6 Forces nfcapd	to listen on IPv6 addresses only. Can be used together
	  with -b if a hostname	has an IPv4 and	IPv6 address record.

       -j MulticastGroup
	  Join the specified IPv4 or IPv6 multicast group for listening.

       -R host[/port]
	  Enable packet repeater. Send all incoming packets to another host
	  and port. host is either a valid IPv4/IPv6 address, or a valid
	  symbolic hostname, which resolves to an IPv6 or IPv4 address. port
	  may be omitted and defaults to port 9995. Note: Because both IPv4
	  and IPv6 addresses are accepted, the port separator is '/'.

       -l base_directory
	  Specifies the base directory to store the output files. Default is
	  /var/tmp. If a sub hierarchy is specified with -S, the final
	  directory is base_directory/sub_hierarchy.

       -S num
	  Specifies an additional directory sub hierarchy to store the data
	  files. The default is 0, no sub hierarchy, which means the files go
	  directly in the base directory (-l). The base directory (-l) is
	  concatenated with the specified sub hierarchy format to form the
	  final data directory. The following hierarchies are defined:
	    0 default	  no hierarchy levels
	    1 %Y/%m/%d	  year/month/day
	    2 %Y/%m/%d/%H year/month/day/hour
	    3 %Y/%W/%u	  year/week_of_year/day_of_week
	    4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
	    5 %Y/%j	  year/day-of-year
	    6 %Y/%j/%H	  year/day-of-year/hour
	    7 %Y-%m-%d	  year-month-day
	    8 %Y-%m-%d/%H year-month-day/hour

       -t interval
	  Specifies the	time interval in seconds to rotate files. The  default
	  value	is 300s	( 5min ).

       -w Align	file rotation with next	n minute ( specified by	-t ) interval.
	  Example: If interval is 5 min, sync at 0,5,10... wall	clock  minutes
	  Default: no alignment.

       -x cmd
	  Run command cmd at the end of every interval, when a new file
	  becomes available. The following command expansion is available:
	   %f	Replaced by the file name, e.g. nfcapd.200407110845, including
		any sub hierarchy ( 2004/07/11/nfcapd.200407110845 ).
	   %d	Replaced by the directory where the file is located.
	   %t	Replaced by the time ISO format e.g. 200407110845.
	   %u	Replaced by the UNIX time format.
	   %i	Replaced by the ident string given by -I.

       -e Auto expire files at every cycle. Max lifetime and max filesize are
	  defined using nfexpire(1).

       -P pidfile
	  Specify name of pidfile. Default is no pidfile.

       -D Daemon  mode:	 fork  to background and detach	from terminal.	Nfcapd
	  terminates on	signal TERM, INT and HUP.

       -u userid
	  Change to the	user userid as soon as possible. Only root is  allowed
	  to use this option.

       -g groupid
	  Change to the group groupid as soon as possible. Only root is
	  allowed to use this option.

       -I IdentString
	  Specifies an ident string, which describes the source	e.g. the  name
	  of  the  router. This	string is put into the stat record to identify
	  the source. Default is 'none'.

       -B bufflen
	  Specifies the socket input buffer length in bytes. For high volume
	  traffic ( near GB traffic ) it is recommended to set this value as
	  high as possible ( typically > 100k ), otherwise you risk losing
	  packets. The default is OS ( and kernel ) dependent.

       -E Print netflow records in nfdump raw format to stdout. This option is
	  for debugging purposes only, to see how incoming netflow data is
	  processed and stored.

       -V Print	nfcapd version and exit.

       -h Print	help text to stdout with all options and exit.

RETURN VALUE
       Returns 0 on success, or	255 if initialization failed.

LOGGING
       nfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal
       operation, level 'warning' should be fine. More information is reported
       at level 'info' and 'debug'.

       A small statistic about the collected flows, as well as errors, is
       reported at the end of every interval to syslog with level 'info'.

EXAMPLES
       nfcapd -w -D -l /netflow/spool/router1 -S 2

       nfcapd -w -D -l /netflow/spool/router1 -p 23456 -B 128000 -I router1 -x
       '/path/nfprofile	  -p   /to/profile/dir	 -s   router1  -r  %d/%f'   -P
       /var/run/nfcapd/nfcapd.router1
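
       Locating the capture files for a time window (for example during
       incident response) follows from the file naming, the -S table, -t
       and -w described above. The sketch below is an added example, not
       part of nfdump; the function names are hypothetical. It assumes -w
       alignment, an interval that divides one hour evenly, and timestamps
       given in the collector's local wall clock time.

```python
from datetime import datetime, timedelta
import posixpath

# Sub hierarchy formats, copied from the -S table on this page.
SUBDIR_FORMATS = {
    0: "", 1: "%Y/%m/%d", 2: "%Y/%m/%d/%H",
    3: "%Y/%W/%u", 4: "%Y/%W/%u/%H",
    5: "%Y/%j", 6: "%Y/%j/%H",
    7: "%Y-%m-%d", 8: "%Y-%m-%d/%H",
}


def slot_start(ts, interval=300):
    """Start of the aligned (-w) rotation slot that contains ts."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = int((ts - midnight).total_seconds())
    return midnight + timedelta(seconds=elapsed - elapsed % interval)


def capture_files(start, end, base_dir, subdir=0, interval=300):
    """Paths of the nfcapd files whose slots overlap [start, end].

    base_dir is the -l value, subdir the -S number, interval the -t
    value in seconds. Each file is named after the start of its slot.
    """
    if end < start:
        raise ValueError("end precedes start")
    if subdir not in SUBDIR_FORMATS:
        raise ValueError("unknown -S value: %r" % (subdir,))
    paths = []
    slot = slot_start(start, interval)
    while slot <= end:
        parts = [base_dir]
        if SUBDIR_FORMATS[subdir]:
            # The sub directory is derived from the slot's own start time.
            parts.append(slot.strftime(SUBDIR_FORMATS[subdir]))
        parts.append("nfcapd." + slot.strftime("%Y%m%d%H%M"))
        paths.append(posixpath.join(*parts))
        slot += timedelta(seconds=interval)
    return paths


if __name__ == "__main__":
    # Constructed window: 08:58 to 09:01 on July 11th 2004.
    for p in capture_files(datetime(2004, 7, 11, 8, 58),
                           datetime(2004, 7, 11, 9, 1),
                           "/netflow/spool/router1", subdir=2):
        print(p)
```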

NOTES
       Even with netflow v9 support, not all defined elements  are  stored  in
       the  data  files.  Current  version  of	nfdump	supports the following
       fields:
	   NF9_LAST_SWITCHED
	   NF9_FIRST_SWITCHED
	   NF9_IN_BYTES
	   NF9_IN_PACKETS
	   NF9_FLOWS
	   NF9_IN_PROTOCOL
	   NF9_SRC_TOS
	   NF9_TCP_FLAGS
	   NF9_IPV4_SRC_ADDR
	   NF9_IPV6_SRC_ADDR
	   NF9_IPV4_DST_ADDR
	   NF9_IPV6_DST_ADDR
	   NF9_L4_SRC_PORT
	   NF9_L4_DST_PORT
	   NF9_INPUT_SNMP
	   NF9_OUTPUT_SNMP
	   NF9_SRC_AS
	   NF9_DST_AS
       32 and 64 bit counters are  supported  for  Bytes  and  Packets.	  More
       fields may be supported in future.

       The format of the data files is netflow version independent.

       Socket buffer: Setting the socket buffer size is system dependent.
       When starting up, nfcapd returns the number of bytes the buffer was
       actually set to. This is done by reading back the buffer size and may
       differ from what you requested.

SEE ALSO
       nfdump(1), nfprofile(1),	nfreplay(1)

BUGS
       I only found the	second last bug. Please	report the last	 one  back  to
       me.

				  2005-08-19			     nfcapd(1)
