sfcapd(1)                                                            sfcapd(1)

NAME

       sfcapd - sflow capture daemon

SYNOPSIS

       sfcapd [options]

DESCRIPTION

       sfcapd is the sflow capture daemon of the nfdump tools. It reads sflow
       data from the network and stores it into nfcapd compatible files. The
       output file is automatically rotated and renamed every n minutes -
       typically 5 min - according to the timestamp YYYYMMddhhmm of the
       interval, e.g. nfcapd.200407110845 contains the data from July 11th
       2004 08:45 onward. sfcapd supports sFlow version 4 and 5 datagrams.

       Sflow is an industry standard developed by InMon Corporation. For more
       information see http://sflow.org.

OPTIONS

       -p portnum
          Specifies the port number to listen on. Default port is 6343.

       -b bindhost
          Specifies the hostname/IPv4/IPv6 address to bind for listening. Can
          be an IP address or a hostname, resolving to an IP address attached
          to an interface. Defaults to any available IPv4 interface, if not
          specified.

       -4 Forces sfcapd to listen on IPv4 addresses only. Can be used together
          with -b if a hostname has an IPv4 and IPv6 address record. Depending
          on the socket implementation -6 also accepts IPv4 data.

       -6 Forces sfcapd to listen on IPv6 addresses only. Can be used together
          with -b if a hostname has an IPv4 and IPv6 address record.

       -j MulticastGroup
          Join the specified IPv4 or IPv6 multicast group for listening.

       -R host[/port]
          Enable packet repeater. Send all incoming packets to another host
          and port. host is either a valid IPv4/IPv6 address, or a valid
          symbolic hostname, which resolves to an IPv6 or IPv4 address. port
          may be omitted and defaults to port 6343. Note: Because both IPv4
          and IPv6 addresses are accepted, the port separator is '/'.

       -I IdentString ( capital letter i )
          Specifies an ident string, which describes the source, e.g. the name
          of the router. This string is put into the stat record to identify
          the source. Default is 'none'. This is for compatibility with nfdump
          1.5.x and used to specify a single sflow source. See -n

       -l base_directory ( letter ell )
          Specifies the base directory to store the output files. If a sub
          hierarchy is specified with -S the final directory is concatenated
          to base_directory/sub_hierarchy. This is for compatibility with
          nfdump 1.5.x and used to specify a single sflow source. See -n

       -n <Ident,IP,base_directory>
          Configures an sflow source named Ident and identified by source IP
          address IP. The base directory for the flow files is
          base_directory. If a sub hierarchy is specified with -S the final
          directory is concatenated to base_directory/sub_hierarchy. Multiple
          netflow sources can be specified. All data is sent to the same port
          specified by -p. Note: You must not mix the -n option with -I and
          -l. Use one syntax or the other.

       -f <pcap_file>
          Read sflow packets from a given pcap_file instead of the network.
          This requires sfcapd to be compiled with the pcap option and is
          intended for debugging only.

       -S <num>
          Specifies an additional directory sub hierarchy in which to store
          the data files. The default is 0, no sub hierarchy, which means the
          files go directly in the base directory (-l). The base directory
          (-l) is concatenated with the specified sub hierarchy format to form
          the final data directory. The following hierarchies are defined:
            0 default     no hierarchy levels
            1 %Y/%m/%d    year/month/day
            2 %Y/%m/%d/%H year/month/day/hour
            3 %Y/%W/%u    year/week_of_year/day_of_week
            4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
            5 %Y/%W/%u    year/week_of_year/day_of_week
            6 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
            7 %Y/%j       year/day-of-year
            8 %Y/%j/%H    year/day-of-year/hour
            9 %Y-%m-%d    year-month-day
           10 %Y-%m-%d/%H year-month-day/hour

       -T <extension list>
          Specifies the list of extensions to be stored in the flow file.
          Regardless of the extension list, the following sflow data is stored
          per record: first, last, fwd status, tcp flags, proto, (src)tos, src
          port, dst port, src ipaddr, dst ipaddr, in(packets), in(bytes). In
          addition sfcapd recognises the extensions as described below.

          Extensions:
           sflow extensions:
            1 input/output interface SNMP numbers.
            2 src/dst AS numbers.
            3 src/dst mask, (dst)TOS, direction,
            4 Next hop IP addr
            5 BGP next hop IP addr
            6 src/dst vlan id labels
           10 in_src/out_dst MAC address
           By default extensions 1 and 2 are selected, which provides
           compatibility with earlier nfdump versions. Extensions can be
           added/deleted by specifying a ',' separated list of extension ids.
           Each id may be prepended by an optional sign +/- to add or remove a
           given id from the extension list. The string 'all' means all
           extensions. Extensions 7-9 are not available for sfcapd.
           Examples:
           -T all       Enables all possible extensions.
           -T +3,+4     Adds extensions 3 and 4 to the defaults 1 and 2.
           -T all,-5,-6 Set all extensions but 5 and 6
           -T -1,4      Removes default extension 1 and adds extension 4
           Note: Extensions are shared with the netflow collector nfcapd.
           Sflow as well as netflow data is stored in the same type of
           extensions.

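       When planning what will be available for later investigation (for
       instance MAC addresses in extension 10), it helps to know exactly which
       extensions a -T argument selects. The script below is an added example,
       not sfcapd's own parser: it models the rules stated above, and the
       function and variable names are assumptions made for illustration.

```shell
#!/bin/sh
# Model of the -T rules stated above (added example, not sfcapd's parser).
SFCAPD_EXT_ALL="1 2 3 4 5 6 10"   # ids the page lists for sfcapd (7-9 unavailable)
SFCAPD_EXT_DEFAULT="1 2"          # selected when -T is not given

# resolve_extensions "<-T argument>"
# Prints the resulting ids in ascending order; fails on ids not listed above.
resolve_extensions() (
    selected=" $SFCAPD_EXT_DEFAULT "
    IFS=','; set -f; set -- $1; set +f; IFS=' '
    for item in "$@"; do
        if [ "$item" = "all" ]; then
            selected=" $SFCAPD_EXT_ALL "
            continue
        fi
        case $item in
            -*) op=del; id=${item#-} ;;
            *)  op=add; id=${item#+} ;;   # the sign is optional: a bare id adds
        esac
        case $id in
            ''|*[!0-9]*) echo "bad extension id: '$item'" >&2; exit 1 ;;
        esac
        case " $SFCAPD_EXT_ALL " in
            *" $id "*) ;;
            *) echo "extension $id is not available for sfcapd" >&2; exit 1 ;;
        esac
        # Drop the id, then re-append it for an add: no duplicates either way.
        kept=" "
        for s in $selected; do
            [ "$s" = "$id" ] || kept="$kept$s "
        done
        if [ "$op" = add ]; then kept="$kept$id "; fi
        selected=$kept
    done
    out=""
    for id in $SFCAPD_EXT_ALL; do
        case $selected in *" $id "*) out="$out $id" ;; esac
    done
    echo "${out# }"
)

# The page's own -T examples:
for spec in all +3,+4 all,-5,-6 -1,4; do
    printf '%-12s -> %s\n' "-T $spec" "$(resolve_extensions "$spec")"
done
```
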
       -t interval
          Specifies the time interval in seconds to rotate files. The default
          value is 300s ( 5min ).

       -w Align file rotation with next n minute ( specified by -t ) interval.
          Example: If interval is 5 min, sync at 0,5,10... wall clock minutes
          Default: no alignment.

       -x cmd
          Run command cmd at the end of every interval, when a new file
          becomes available. The following command expansion is available:
           %f   Replaced by the file name, e.g. nfcapd.200407110845, including
                any sub hierarchy. ( 2004/07/11/nfcapd.200407110845 )
           %d   Replaced by the directory where the file is located.
           %t   Replaced by the time ISO format e.g. 200407110845.
           %u   Replaced by the UNIX time format.
           %i   Replaced by the ident string given by -I

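       A command given with -x runs on every rotation with whatever privileges
       sfcapd holds at that point, so it should check what it is handed. The
       handler below is an added example, not part of nfdump: it validates the
       expanded %d and %f and appends a SHA-256 of the new file to a manifest.
       The script path, manifest location and function names are assumptions,
       and sha256sum from coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of nfdump: a handler for the -x option, wired up as
#   sfcapd ... -x '/usr/local/sbin/flow-rotated %d %f'   (hypothetical path)
# Records a SHA-256 of every rotated file so later changes are detectable.
MANIFEST=${MANIFEST:-/var/lib/sfcapd/manifest.sha256}   # assumed location

# on_rotate <%d> <%f>: validate the expanded arguments, then log the digest.
on_rotate() (
    dir=$1; file=$2
    # %f may include a -S sub hierarchy, but never absolute or parent paths.
    case "/$file/" in
        //*|*/../*) echo "rejected path: $file" >&2; exit 2 ;;
    esac
    # The last component must be nfcapd.YYYYMMddhhmm (12 digits).
    case ${file##*/} in
        nfcapd.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "unexpected file name: $file" >&2; exit 2 ;;
    esac
    path=$dir/$file
    # Regular files only: a symlink in place of the flow file is not followed.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "not a regular file: $path" >&2; exit 3
    fi
    sum=$(sha256sum "$path") || exit 4
    printf '%s\n' "$sum" >> "$MANIFEST"
)

# verify_manifest: succeeds only if every recorded file is unchanged.
verify_manifest() {
    sha256sum -c "$MANIFEST" >/dev/null 2>&1
}

# When run as a script by sfcapd, $1 is %d and $2 is %f.
if [ $# -eq 2 ]; then on_rotate "$1" "$2"; fi
```

       The manifest is only useful as evidence if the collector account cannot
       rewrite it, so keep it append-only or copy it off the host.
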
       -e Auto expire files at every cycle. max lifetime and max filesize are
          defined using nfexpire(1)

       -P pidfile
          Specify name of pidfile. Default is no pidfile.

       -D Daemon mode: fork to background and detach from terminal. Nfcapd
          terminates on signal TERM, INT and HUP.

       -u userid
          Change to the user userid as soon as possible. Only root is allowed
          to use this option.

       -g groupid
          Change to the group groupid as soon as possible. Only root is
          allowed to use this option.

       -B bufflen
          Specifies the socket input buffer length in bytes. For high volume
          traffic ( near GB traffic ) it is recommended to set this value as
          high as possible ( typically > 100k ), otherwise you risk losing
          packets. The default is OS ( and kernel ) dependent.

       -E Print data records in nfdump raw format to stdout. This option is
          for debugging purposes only, to see how incoming sflow data is
          processed and stored.

       -j Compress flows. Use bz2 compression in output file. Note: not
          recommended while collecting

       -z Compress flows. Use fast LZO1X-1 compression in output file.

       -V Print sfcapd version and exit.

       -h Print help text to stdout with all options and exit.


RETURN VALUE

       Returns 0 on success, or 255 if initialization failed.


LOGGING

       sfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal
       operation level 'warning' should be fine. More information is reported
       at level 'info' and 'debug'.

       A small statistic about the collected flows, as well as errors, is
       reported at the end of every interval to syslog with level 'info'.


EXAMPLES

       Compatible with old sfcapd 1.5.x:
              sfcapd -w -D -l /data/spool/router1 -p 6343 -B 128000 -I router1 \
                     -x '/path/some_app -r %d/%f' -P /var/run/sfcapd/sfcapd.router1

       Selectively enabled sender:
              sfcapd -Tall -w -D -n router1,192.168.1.10,/data/spool/router1 \
                     -p 6343 -B 128000 -P /var/run/sfcapd/sfcapd.router1


NOTES

       sfcapd automatically scales the packets and bytes according to the
       sampling rate.

       Even with sflow version 4 and 5 support, not all available sflow
       elements are stored in the data files. As of this version, sfcapd
       supports the same shared fields as extensions, as its netflow companion
       nfcapd for netflow version v9. See nfcapd(1). More fields will be
       supported in future.

       The format of the data files is version independent and compatible
       with nfcapd collected data.

       Socket buffer: Setting the socket buffer size is system dependent.
       When starting up, sfcapd returns the number of bytes the buffer was
       actually set to. This is done by reading back the buffer size and may
       differ from what you requested.


SEE ALSO

       nfcapd(1), nfdump(1), nfprofile(1), nfreplay(1)

                                  2009-09-09                         sfcapd(1)