1nfcapd(1)                                                            nfcapd(1)

NAME

       nfcapd - netflow capture daemon


SYNOPSIS

       nfcapd [options]


DESCRIPTION

       nfcapd is the netflow capture daemon of the nfdump tools. It reads
       netflow data from the network and stores it into files. The output
       file is automatically rotated and renamed every n minutes - typically
       5 min - according to the timestamp YYYYMMddhhmm of the interval, e.g.
       nfcapd.201107110845 contains the data from July 11th 2011 08:45
       onward.

       Netflow versions v1, v5, v7 and v9 and IPFIX are transparently
       supported.

       Extensions: nfcapd supports a large number of v9 tags. In order to
       optimise disk space and performance, v9 tags are grouped into a number
       of extensions which may or may not be stored into the data file.
       Therefore the v9 templates configured on the exporter may be tuned
       according to the collector. Only those tags common to both are stored
       into the data files.

       Sampling: By default, the sampling rate is set to 1 (unsampled) or to
       any given value specified by the -s cmd line option. If sampling
       information is found in the netflow stream, it overwrites the default
       value. Sampling is automatically recognised when announced in v9
       option templates (tags #34, #35 or #48, #49, #50) or in the unofficial
       v5 header hack. Note: Not all platforms (or IOS/JunOS versions)
       support exporting sampling information in netflow data, even if
       sampling is configured. The number of bytes/packets in each netflow
       record is automatically multiplied by the sampling rate. The total
       number of flows is not changed, as this is not accurate enough (small
       flows versus large flows). If the default sampling rate given by -s is
       negative, this will hard overwrite any device specific announced
       sampling rates.

       NSEL/ASA Support: nfcapd can be compiled with NSEL/ASA support
       included. See notes on NSEL/ASA.

       NEL (NAT Event logging): nfcapd can be compiled with CISCO NEL support
       included. See notes on NEL.


OPTIONS

       -p portnum
          Specifies the port number to listen on. Default port is 9995.

       -b bindhost
          Specifies the hostname/IPv4/IPv6 address to bind for listening.
          This can be an IP address or a hostname, resolving to an IP address
          attached to an interface. Defaults to any available IPv4 interface,
          if not specified.

       -4 Forces nfcapd to listen on IPv4 addresses only. Can be used together
          with -b if a hostname has an IPv4 and IPv6 address record.

       -6 Forces nfcapd to listen on IPv6 addresses only. Can be used together
          with -b if a hostname has an IPv4 and IPv6 address record. Depending
          on the socket implementation -6 also accepts IPv4 data.

       -J MulticastGroup
          Join the specified IPv4 or IPv6 multicast group for listening.

       -R host[/port]
          Enable packet repeater. Send all incoming packets to another host
          and port. host is either a valid IPv4/IPv6 address, or a valid
          symbolic hostname, which resolves to an IPv6 or IPv4 address. port
          may be omitted and defaults to port 9995. Note: Because both IPv4
          and IPv6 addresses are accepted, the port separator is '/'. Up to 8
          repeaters may be defined.

       -I IdentString ( capital letter i )
          Specifies an ident string, which describes the source, e.g. the
          name of the router. This string is put into the stat record to
          identify the source. Default is 'none'. This is for compatibility
          with nfdump 1.5.x and used to specify a single netflow source. See
          -n.

       -l base_directory ( letter ell )
          Specifies the base directory to store the output files. If a sub
          hierarchy is specified with -S the final directory is concatenated
          to base_directory/sub_hierarchy. This is for compatibility with
          nfdump 1.5.x and used to specify a single netflow source. See -n.

       -n <Ident,IP,base_directory>
          Configures a netflow source named Ident and identified by source IP
          address IP. The base directory for the flow files is
          base_directory. If a sub hierarchy is specified with -S the final
          directory is concatenated to base_directory/sub_hierarchy. Multiple
          netflow sources can be specified. All data is sent to the same port
          specified by -p. Note: You must not mix the -n option with -I and
          -l. Use either syntax.

       -M <dynbase_directory>
          Specifies the base directory to store the output files. In contrast
          to -l, -M allows new flow sources (exporters) to be added
          dynamically as they appear. All exporters send netflow data to the
          same port and IP. For each dynamically added source, a new
          directory is created with the name of the IPv4/IPv6 address of the
          exporter. All '.' and ':' in IP addresses are replaced by '-', e.g.
          10.11.12.13 is converted to the directory name 10-11-12-13. Note:
          Please make sure to restrict at host level the potential range of
          IP addresses which are allowed to connect to nfcapd. Otherwise you
          risk a potential DoS attack on nfcapd, as nfcapd has no built-in
          restrictions.

       -f <pcap_file>
          Read netflow packets from a given pcap_file instead of the network.
          This requires nfcapd to be compiled with the pcap option and is
          intended for debugging only.

       -s <rate>
          Apply default sampling rate rate to all netflow records, unless the
          sampling rate is announced by the exporting device. In that case
          the announced sampling rate is applied. If <rate> is negative, this
          will hard overwrite any device specific announced sampling rates.

       -S <num>
          Allows you to specify an additional directory sub hierarchy to
          store the data files. The default is 0, no sub hierarchy, which
          means the files go directly in the base directory (-l). The base
          directory (-l) is concatenated with the specified sub hierarchy
          format to form the final data directory. The following hierarchies
          are defined:
            0 default     no hierarchy levels
            1 %Y/%m/%d    year/month/day
            2 %Y/%m/%d/%H year/month/day/hour
            3 %Y/%W/%u    year/week_of_year/day_of_week
            4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
            5 %Y/%j       year/day-of-year
            6 %Y/%j/%H    year/day-of-year/hour
            7 %Y-%m-%d    year-month-day
            8 %Y-%m-%d/%H year-month-day/hour

       -T <extension list>
          Specifies the list of extensions to be stored in the netflow file.
          Regardless of the extension list, the following netflow data is
          stored per record: first, last, fwd status, tcp flags, proto,
          (src)tos, src port, dst port, src ipaddr, dst ipaddr, in(packets),
          in(bytes). In addition nfcapd recognises the extensions as described
          below. Some are valid for v5/v7/v9, but most of them only make sense
          for v9. Any specified extensions which do not exist in the input
          netflow records are ignored.

          Extensions:
           v5/v7/v9/IPFIX extensions:
            1 input/output interface SNMP numbers.
            2 src/dst AS numbers.
            3 src/dst mask, (dst)TOS, direction.
            4 Next hop IP addr
            5 BGP next hop IP addr
            6 src/dst vlan id labels
            7 counter output packets
            8 counter output bytes
            9 counter aggregated flows
           10 in_src/out_dst MAC address
           11 in_dst/out_src MAC address
           12 MPLS labels 1-10
           13 Exporting router IPv4/IPv6 address
           14 Exporting router ID
           15 BGP adjacent prev/next AS
           16 time stamp flow received by the collector
           NSEL/ASA/NAT extensions:
           26 NSEL     ASA event, xtended event, ICMP type/code
           27 NSEL/NAT xlate ports
           28 NSEL/NAT xlate IPv4/IPv6 addr
           29 NSEL     ASA ACL ingress/egress acl ID
           30 NSEL     ASA username
           NEL/NAT extensions:
           31 NAT event, ingress egress vrfid
           32 NAT Block port allocation - block start, end step and size
           latency extension:
           64 nfpcapd/nprobe client/server/application latency

          IMPORTANT: By default only extensions 1 and 2 are selected.
          Extensions can be added/deleted by specifying a ',' separated list
          of extension ids. Each id may be prepended by an optional sign +/-
          to add or remove a given id from the extension list. Shortcuts: The
          string 'all' means all extensions. The strings 'nsel' and 'nel'
          enable all NSEL or NEL extensions respectively.

          Examples:
          -T all       Enables all possible extensions.
          -T +3,+4     Adds extensions 3 and 4 to the defaults 1 and 2.
          -T all,-8,-9 Sets all extensions but 8 and 9.
          -T -1,4      Removes default extension 1 and adds extension 4.
          -T nsel      Enables all required ASA/NSEL extensions.
          -T nel       Enables all required NEL extensions.
          Note: Only those tags in common with the exporting device and
          enabled extensions at the collector side are stored into the data
          files. A detailed list of which v9 tags are mapped into which
          extensions is given in the section NOTES.
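          The following Python is an added illustration, not nfdump's own
          code: it resolves a -T value into the set of enabled extension IDs
          using the rules and IDs listed above. It assumes that 'all' covers
          every listed ID including the NSEL, NEL and latency groups, and it
          rejects IDs that are not in the list.

```python
"""Added example (not nfdump's own code): resolve an nfcapd -T extension
list into the set of extension IDs that end up enabled."""

# Extension IDs as listed in the -T section of nfcapd(1).
BASE_EXTENSIONS = set(range(1, 17))        # 1..16: v5/v7/v9/IPFIX extensions
NSEL_EXTENSIONS = {26, 27, 28, 29, 30}     # NSEL/ASA/NAT extensions
NEL_EXTENSIONS = {31, 32}                  # NEL/NAT extensions
LATENCY_EXTENSIONS = {64}                  # nfpcapd/nprobe latency
# Assumption: 'all' means every ID in the list, including the NSEL/NEL groups.
ALL_EXTENSIONS = (BASE_EXTENSIONS | NSEL_EXTENSIONS
                  | NEL_EXTENSIONS | LATENCY_EXTENSIONS)
DEFAULT_EXTENSIONS = {1, 2}                # selected when -T is not given


def resolve_extension_list(spec: str) -> set:
    """Return the enabled extension IDs for a -T value such as 'all,-8,-9'.

    Starts from the defaults (1 and 2). Each comma-separated item is either a
    shortcut ('all', 'nsel', 'nel') or a numeric ID with an optional +/- sign;
    an ID without a sign is added. Unknown IDs raise ValueError so a typo
    does not silently pass (assumption: stricter than the daemon itself).
    """
    enabled = set(DEFAULT_EXTENSIONS)
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue                       # tolerate 'a,,b' and trailing commas
        if item == "all":
            enabled |= ALL_EXTENSIONS
        elif item == "nsel":
            enabled |= NSEL_EXTENSIONS
        elif item == "nel":
            enabled |= NEL_EXTENSIONS
        else:
            sign = "+"
            if item[0] in "+-":
                sign, item = item[0], item[1:]
            if not item.isdigit():
                raise ValueError("bad extension item: %r" % raw)
            ext_id = int(item)
            if ext_id not in ALL_EXTENSIONS:
                raise ValueError("unknown extension id: %d" % ext_id)
            if sign == "-":
                enabled.discard(ext_id)    # removing a non-selected ID is a no-op
            else:
                enabled.add(ext_id)
    return enabled
```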

       -t interval
          Specifies the time interval in seconds to rotate files. The default
          value is 300s ( 5min ).

       -w Align file rotation with the next n minute ( specified by -t )
          interval. Example: If interval is 5 min, sync at 0,5,10... wall
          clock minutes. Default: no alignment.

       -x cmd
          Run command cmd at the end of every interval, when a new file
          becomes available. The following command expansion is available:
           %f   Replaced by the file name, e.g. nfcapd.200907110845,
                including any sub hierarchy ( 2009/07/11/nfcapd.200907110845 ).
           %d   Replaced by the directory where the file is located.
           %t   Replaced by the time in ISO format, e.g. 200907110845.
           %u   Replaced by the UNIX time format.
           %i   Replaced by the ident string given by -I.
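          The following Python is an added example, not nfdump's own code,
          tying -S, -w and -x together: it derives the nfcapd.YYYYMMddhhmm
          file name and -S sub directory for an interval, computes the next
          rotation time with and without -w alignment, and expands the -x
          placeholders. It assumes a UTC clock, that the -S formats are plain
          strftime() patterns, and that %d expands to the base directory so
          that the '%d/%f' used in EXAMPLES below yields the full path.

```python
"""Added example (not nfdump's own code): file naming, -S sub hierarchy,
-w alignment and -x command expansion for one nfcapd interval."""
import os
from datetime import datetime, timezone

# Sub hierarchy formats exactly as listed under -S in nfcapd(1).
SUB_HIERARCHY = {
    0: "",             # default, no hierarchy levels
    1: "%Y/%m/%d",     # year/month/day
    2: "%Y/%m/%d/%H",  # year/month/day/hour
    3: "%Y/%W/%u",     # year/week_of_year/day_of_week
    4: "%Y/%W/%u/%H",  # year/week_of_year/day_of_week/hour
    5: "%Y/%j",        # year/day-of-year
    6: "%Y/%j/%H",     # year/day-of-year/hour
    7: "%Y-%m-%d",     # year-month-day
    8: "%Y-%m-%d/%H",  # year-month-day/hour
}


def next_rotation(now, interval=300, align=False):
    """UNIX time of the next file rotation. Without -w it is now + interval;
    with -w (align=True) it is the next wall-clock multiple of interval."""
    if align:
        return (now // interval + 1) * interval
    return now + interval


def rotated_file(base_dir, ts_unix, sub_hierarchy=0):
    """Return (directory, file name) for the interval starting at ts_unix.
    Assumption: UTC clock (the daemon itself uses the host's local time)."""
    t = datetime.fromtimestamp(ts_unix, tz=timezone.utc)
    sub = t.strftime(SUB_HIERARCHY[sub_hierarchy])
    directory = os.path.join(base_dir, sub) if sub else base_dir
    return directory, "nfcapd." + t.strftime("%Y%m%d%H%M")


def expand_command(cmd, base_dir, ts_unix, sub_hierarchy=0, ident="none"):
    """Expand the -x placeholders %f %d %t %u %i for one rotated file.
    Assumption: %d is the base directory, so '%d/%f' is the full path."""
    directory, name = rotated_file(base_dir, ts_unix, sub_hierarchy)
    t = datetime.fromtimestamp(ts_unix, tz=timezone.utc)
    replacements = {
        "%f": os.path.relpath(os.path.join(directory, name), base_dir),
        "%d": base_dir,
        "%t": t.strftime("%Y%m%d%H%M"),
        "%u": str(int(ts_unix)),
        "%i": ident,
    }
    out, i = [], 0
    while i < len(cmd):
        token = cmd[i:i + 2]
        if token in replacements:      # a known %x placeholder
            out.append(replacements[token])
            i += 2
        else:                          # ordinary character, copied as-is
            out.append(cmd[i])
            i += 1
    return "".join(out)
```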

       -X Collect and embed extended statistics. Currently a port and bpp
          histogram is embedded. Mostly experimental for now.

       -e Auto expire files at every cycle. max lifetime and max filesize are
          defined using nfexpire(1).

       -P pidfile
          Specify name of pidfile. Default is no pidfile.

       -D Daemon mode: fork to background and detach from terminal. Nfcapd
          terminates on signal TERM, INT and HUP.

       -u userid
          Change to the user userid as soon as possible. Only root is allowed
          to use this option.

       -g groupid
          Change to the group groupid as soon as possible. Only root is
          allowed to use this option.

       -B bufflen
          Specifies the socket input buffer length in bytes. For high volume
          traffic ( near GB traffic ) it is recommended to set this value as
          high as possible ( typically > 100k ), otherwise you risk losing
          packets. The default is OS ( and kernel ) dependent.

       -E Print netflow records in nfdump raw format to stdout. This option is
          for debugging purposes only, to see how incoming netflow data is
          processed and stored.

       -j Compress flows. Use bz2 compression in output file. Note: not
          recommended while collecting.

       -y Compress flows. Use LZ4 compression in output file.

       -z Compress flows. Use fast LZO1X-1 compression in output file.

       -V Print nfcapd version and exit.

       -h Print help text to stdout with all options and exit.


RETURN VALUE

       Returns 0 on success, or 255 if initialization failed.


LOGGING

       nfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal
       operation level 'warning' should be fine. More information is reported
       at level 'info' and 'debug'.

       A small statistic about the collected flows, as well as errors, is
       reported at the end of every interval to syslog with level 'info'.


EXAMPLES

       All flows are sent to port 9995 from all exporters and stored into a
       single file. All known v9 tags are taken.
              nfcapd -z -w -D -T all -l /netflow/spool/allflows -I any -S 2 -P
              /var/run/nfcapd.allflows.pid

       All flows from 2 different exporters are sent to port 8877 and stored
       in separate directory trees. All known v9 tags are taken. Input buffer
       size is set to 128000 bytes.
              nfcapd -z -w -D -T all -p 8877 -n upstream,192.168.1.1,/netflow/spool/upstream
              -n peer,192.168.2.1,/netflow/spool/peer -S 2 -B 128000

       Only accept from a single exporter and only extensions 3, 4 and 5 are
       accepted. Run a given command when files are rotated and automatically
       expire flows:
              nfcapd -w -D -T 3,4,5 -n upstream,192.168.1.1,/netflow/spool/upstream
              -p 23456 -B 128000 -s 100 -x '/path/command -r %d/%f'
              -P /var/run/nfcapd/nfcapd.pid -e


NOTES

       Multiple netflow sources:

       Netflow data may be sent from different exporters to a single nfcapd
       process. Use the -n option to separate each netflow source to a
       different data directory. For compatibility with nfdump 1.5.x, old
       style -l/-I options are still valid. In that case all flows from all
       sources are stored in a single file. For high volume netflow streams,
       it is still recommended to have a single nfcapd process per netflow
       source.

       The current v9 implementation of nfdump supports the following v9
       elements:
           v9 element          v9 ID     Extension
           NF9_LAST_SWITCHED      21       default
           NF9_FIRST_SWITCHED     22       default
           NF9_IN_BYTES            1       default
           NF9_IN_PACKETS          2       default
           NF9_IN_PROTOCOL         4       default
           NF9_SRC_TOS             5       default
           NF9_TCP_FLAGS           6       default
           NF9_FORWARDING_STATUS  89       default
           NF9_IPV4_SRC_ADDR       8       default
           NF9_IPV4_DST_ADDR      12       default
           NF9_IPV6_SRC_ADDR      27       default
           NF9_IPV6_DST_ADDR      28       default
           NF9_L4_SRC_PORT         7       default
           NF9_L4_DST_PORT        11       default
           NF9_ICMP_TYPE          32       default
           NF9_INPUT_SNMP         10             1
           NF9_OUTPUT_SNMP        14             1
           NF9_SRC_AS             16             2
           NF9_DST_AS             17             2
           NF9_DST_TOS            55             3
           NF9_DIRECTION          61             3
           NF9_SRC_MASK            9             3
           NF9_DST_MASK           13             3
           NF9_IPV6_SRC_MASK      29             3
           NF9_IPV6_DST_MASK      30             3
           NF9_V4_NEXT_HOP        15             4
           NF9_V6_NEXT_HOP        62             4
           NF9_BGP_V4_NEXT_HOP    18             5
           NF9_BPG_V6_NEXT_HOP    63             5
           NF9_SRC_VLAN           58             6
           NF9_DST_VLAN           59             6
           NF9_OUT_PKTS           24             7
           NF9_OUT_BYTES          23             8
           NF9_FLOWS_AGGR          3             9
           NF9_IN_SRC_MAC         56            10
           NF9_OUT_DST_MAC        57            10
           NF9_IN_DST_MAC         80            11
           NF9_OUT_SRC_MAC        81            11
           NF9_MPLS_LABEL_1       70            12
           NF9_MPLS_LABEL_2       71            12
           NF9_MPLS_LABEL_3       72            12
           NF9_MPLS_LABEL_4       73            12
           NF9_MPLS_LABEL_5       74            12
           NF9_MPLS_LABEL_6       75            12
           NF9_MPLS_LABEL_7       76            12
           NF9_MPLS_LABEL_8       77            12
           NF9_MPLS_LABEL_9       78            12
           NF9_MPLS_LABEL_10      79            12
           NF9_SAMPLING_INTERVAL  34            Sampling
           NF9_SAMPLING_ALGORITHM 35            Sampling
           NF9_FLOW_SAMPLER_ID    48            Sampling
           FLOW_SAMPLER_MODE      49            Sampling
           NF9_FLOW_SAMPLER_RANDOM_INTERVAL 50  Sampling
           IP addr of exporting router          13
           NF9_ENGINE_TYPE        38            14
           NF9_ENGINE_ID          39            14
           NF9_BGP_ADJ_NEXT_AS   128            15
           NF9_BGP_ADJ_PREV_AS   129            15
           collector received timestamp         16
       32 and 64 bit are supported for all counters. 32-bit AS numbers are
       supported.

       IPFIX support is experimental. Due to lack of implementation of
       sampling in many IPFIX exporters, sampling for IPFIX is not yet
       supported.

       The format of the data files is netflow version independent.

       Socket buffer: Setting the socket buffer size is system dependent.
       When starting up, nfcapd returns the number of bytes the buffer was
       actually set to. This is done by reading back the buffer size and may
       differ from what you requested.


SEE ALSO

       nfdump(1), nfprofile(1), nfreplay(1)


BUGS

       No software without bugs! Please report any bugs back to me.


                                  2009-09-09                         nfcapd(1)