NFCAPD(1)                 BSD General Commands Manual                NFCAPD(1)

NAME

     nfcapd — flow collector for netflow version v1, v5/v7, v9 and ipfix


SYNOPSIS

     nfcapd -w flowdir [-C config] [-z=<compress>] [-D] [-u userid]
            [-g groupid] [-S num] [-t interval] [-P pidfile] [-p port]
            [-d device] [-I ident] [-b bindhost] [-f flowfile] [-4] [-6]
            [-J mcastgroup] [-R repeater] [-A] [-B buffsize] [-n sourceparam]
            [-M multiflowdir] [-s rate] [-i metricrate] [-m metricpath] [-e]
            [-x command] [-X extensionList] [-E] [-v] [-V]


DESCRIPTION

     nfcapd reads netflow data from the network and stores the records into
     binary formatted files.  It accepts netflow v1, v5/v7, v9 and ipfix
     transparently.  It is mostly compatible with many other flow
     implementations such as cflow, jflow and pflow, and accepts a wide range
     of exporters including Cisco Flexible NetFlow (FNF), ASA firewalls and
     NAT devices for event logging.  It also supports the netflow
     implementations of a wide range of vendors, such as Juniper, VMware and
     PaloAlto devices, and yaf.  sflow is a different technology and is not
     handled by nfcapd.  nfcapd supports a large number of netflow v9 and
     ipfix elements according to the IANA assignments.

     If you want to collect sflow data, please have a look at sfcapd, which is
     also part of the nfdump tools.

     nfcapd also accepts pre-processed records from its companion collector
     nfpcapd.  nfcapd saves the flows in an output file, which is
     automatically rotated at a given interval, typically every 5min.  These
     rotated output files are stored in the flowdir directory and are
     organized by timestamps.  The output files are named according to the
     time interval in the following format: nfcapd.YYYYMMddhhmm, e.g.
     nfcapd.202207110845, which contains flow data from July 11th 2022 08:45
     onwards.  If the rotation interval is set to a time smaller than 60s,
     the naming extends to seconds, e.g. nfcapd.20220711084510.

     nfcapd can run in auto-expire mode -e, which automatically expires old
     flow files at the end of every rotation interval.  nfexpire(1) explains
     in more detail how to set up flow expiration.

     nfcapd can run any given command -x or shell script at the end of each
     rotation interval.

     nfcapd can send universal flow metric information about the collected
     flow data (flow summary) to a UNIX socket.  Programs such as nfinflux or
     nfexporter may be used to send the metric information to an InfluxDB or
     to a Prometheus monitoring system.

     The options are as follows:

     -w flowdir
             Set the flow directory to store the output files.  If a sub
             hierarchy is specified with -S, the final directory is
             flowdir/subdir.

     -C config
             Reads additional configuration parameters from config file.
             nfcapd tries to read the config file from the install default
             path $prefix/etc/, which may be overridden by the environment
             variable NFCONF, which in turn is overridden by this option -C.
             If -C none is specified, then no config file is read, even if
             found in the search path.

     -p portnum
             Set the port number to listen on.  Default port is 9995.

     -d interface
             Reads flow data from an erspan encoded datalink.  All traffic sent
             to this interface is interpreted as flow data stream.

     -b bindhost
             Specifies the hostname/IPv4/IPv6 address to bind for listening.
             This can be an IP address or a hostname resolving to a local IP
             address.

     -4      Forces nfcapd to listen on IPv4 addresses only.  Can be used
             together with -b if a hostname has IPv4 and IPv6 addresses.

     -6      Forces nfcapd to listen on IPv6 addresses only.  Can be used
             together with -b if a hostname has IPv4 and IPv6 addresses.

     -J mcastgroup
             Join the specified IPv4 or IPv6 multicast group for listening.

     -R host[/port]
             Enables the packet repeater.  All incoming packets are
             additionally sent to another host and port.  host is either a
             valid IPv4/IPv6 address, or a symbolic hostname which resolves to
             a valid IP address.  port may be omitted and defaults to 9995.
             Note: As IPv4/IPv6 are accepted, the host/port separator is '/'.
             Up to 8 additional repeaters may be defined.  Use this method to
             daisy chain collectors.

     -A      Sets source address spoofing mode for the repeater.  The source
             address of the repeated packets is set to the original exporter
             IP address, so a downstream collector sees them as sent by the
             exporter.  This needs nfcapd to be started with root privileges.
             Please note that source spoofing may be blocked by firewalls or
             routers in your network.

     -I ident
             Sets ident as identification string for the current source.  This
             string is written into the output file to identify the source.
             Default is 'none'.  If you have multiple sources, see option -n
             below.

     -n ident,IP,flowdir
             Configures a netflow source identified by the string ident, the
             exporter IP address IP and the output directory flowdir.  If you
             have multiple sources per collector, add multiple -n options.  All
             exporters send the flows to the same port -p.  Do not mix single
             source configuration -I with multiple -n options.

     -M flowdir
             Set the flow directory for dynamically allocated exporters.  New
             exporters are dynamically added when sending data.  All exporters
             send netflow data to the same port and IP.  For each dynamically
             added source, a new sub directory is created under flowdir with
             the name of the IP address of the exporter.  All '.' and ':' in IP
             addresses are replaced by '-'.

     -D      Set daemon mode: fork to background and detach from terminal.
             nfcapd terminates on signal TERM, INT or HUP.

     -P pidfile
             Writes the running process ID into pidfile.  Use this option to
             integrate nfcapd in start/stop files.

     -u userid
             Drop privileges of the running process to user userid.  nfcapd
             needs to be started as user root.

     -g groupid
             Drop privileges of the running process to group groupid.  nfcapd
             needs to be started as user root.

     -B bufflen
             Sets the network socket input buffer to bufflen bytes.  For high
             volume traffic it is recommended to raise this value to typically
             > 100k, otherwise you risk losing packets.  The default is OS
             (and kernel) dependent.

     -S num  Adds an additional directory sub hierarchy to store the data
             files.  The default is 0, no sub hierarchy, which means all files
             go directly into flowdir.  The flowdir is concatenated with the
             specified sub hierarchy format to create the final data
             directory.  The following hierarchies are defined:
             0 default     no hierarchy levels
             1 %Y/%m/%d    year/month/day
             2 %Y/%m/%d/%H year/month/day/hour
             3 %Y/%W/%u    year/week_of_year/day_of_week
             4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
             5 %Y/%j       year/day-of-year
             6 %Y/%j/%H    year/day-of-year/hour
             7 %Y-%m-%d    year-month-day
             8 %Y-%m-%d/%H year-month-day/hour

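     The following shell functions are an added example and not part of
     nfdump.  They reproduce, for a given rotation time, the output file
     path nfcapd builds from -w flowdir, the -S sub hierarchy table above and
     the -t interval (file naming is described in the DESCRIPTION), and the
     sub directory name -M derives from an exporter address.  They assume a
     GNU date that accepts -d @seconds; the time is evaluated in UTC only so
     that the results are reproducible, whereas nfcapd itself names files in
     local time.

```shell
#!/bin/sh
# Added example, not part of nfdump: reproduce the output file path nfcapd
# builds from -w flowdir, -S level and -t interval for a given rotation
# time, and the sub directory name -M derives from an exporter address.
# Assumes GNU date (-d @seconds). Times are evaluated in UTC (-u) only so the
# results are reproducible; nfcapd itself names files in local time.

# subhier_format LEVEL: strftime pattern for the -S sub hierarchy levels.
subhier_format() {
    case "$1" in
        0) fmt='' ;;
        1) fmt='%Y/%m/%d' ;;
        2) fmt='%Y/%m/%d/%H' ;;
        3) fmt='%Y/%W/%u' ;;
        4) fmt='%Y/%W/%u/%H' ;;
        5) fmt='%Y/%j' ;;
        6) fmt='%Y/%j/%H' ;;
        7) fmt='%Y-%m-%d' ;;
        8) fmt='%Y-%m-%d/%H' ;;
        *) echo "subhier_format: unknown -S level '$1'" >&2; return 1 ;;
    esac
    printf '%s\n' "$fmt"
}

# nfcapd_file_path FLOWDIR LEVEL INTERVAL UNIXTIME
# Prints the file that holds the rotation slot starting at UNIXTIME.
nfcapd_file_path() {
    flowdir=$1 level=$2 interval=$3 ts=$4
    fmt=$(subhier_format "$level") || return 1
    # Below 60s the slot name carries seconds: nfcapd.YYYYMMddhhmmss
    if [ "$interval" -lt 60 ]; then
        stamp=$(date -u -d "@$ts" +%Y%m%d%H%M%S)
    else
        stamp=$(date -u -d "@$ts" +%Y%m%d%H%M)
    fi
    if [ -n "$fmt" ]; then
        subdir=$(date -u -d "@$ts" +"$fmt")
        printf '%s/%s/nfcapd.%s\n' "$flowdir" "$subdir" "$stamp"
    else
        printf '%s/nfcapd.%s\n' "$flowdir" "$stamp"
    fi
}

# exporter_subdir IP: directory nfcapd -M creates for a dynamically added
# exporter; '.' and ':' in the address become '-'.
exporter_subdir() {
    printf '%s\n' "$1" | sed 's/[.:]/-/g'
}
```

     With -w /var/flows -S 1 -t 300, the slot starting July 11th 2022 08:45
     UTC (unix time 1657529100) is /var/flows/2022/07/11/nfcapd.202207110845;
     a collector started with -t 10 and no sub hierarchy writes the same slot
     start as /var/flows/nfcapd.20220711084500.  An exporter at 2001:db8::1
     collected with -M lands in the sub directory 2001-db8--1.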
     -t interval
             Sets the time interval in seconds to rotate files.  The default
             value is 300s (5min).  The smallest available interval is 2s.

     -s rate
             Apply sampling rate rate to all netflow records, unless the
             sampling rate is announced by the exporting device.  In that case
             the announced sampling rate is applied.  If rate is negative, it
             hard overrides any device specific announced sampling rate.  The
             sampling rate is used to multiply the number of packets and bytes
             in a record.  Please note that the result may differ from other
             volume counters such as SNMP.

     -z      Compress flow files with LZO1X-1 compression, same as -z=lzo.
             Fastest compression.

     -z=lzo  Compress flow files with LZO1X-1 compression.  Fastest
             compression.

     -z=lz4  Compress flow files with LZ4 compression.  Fast and efficient.

     -z=bz2  Compress flow files with bz2 compression.  Slow but most
             efficient.  It is not recommended to use bz2 in real time
             capturing.

     -e      Sets auto-expire mode.  At the end of every rotate interval -t,
             nfcapd runs an expire cycle to delete files according to max
             lifetime and max filesize as defined by nfexpire(1).

     -x command
             At the end of every -t interval and after the file rotate has
             completed, nfcapd runs the command command.  The string for
             command may contain the following place holders, which are
             expanded before running:
             %f   File name of the new data file including any sub hierarchy.
             %d   Top flowdir.  The full path of the new file is: %d/%f
             %t   Time slot string in ISO format, e.g. 201107110845.
             %u   Time slot string in UNIX time format.
             %i   Identification string ident supplied by -I.

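     The following post-rotation hook for -x is an added example and not
     part of nfdump.  nfcapd substitutes the place holders into a command
     line, so the hook treats every argument as untrusted before it touches
     the file system: %t must be 12 or 14 digits, %i a plain token (the
     default 'none' passes), and %f must stay inside %d and name exactly the
     slot that was rotated.  A rotated file that is missing or empty, i.e.
     no flows arrived during the interval, is reported with exit status 2 so
     a supervisor can alert on a silent exporter.  The index file
     NFCAPD_INDEX, the install path in the invocation below and the %u
     placeholder being unused are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of nfdump: a post-rotation hook for nfcapd -x.
# nfcapd expands %d %f %t %i into a command line; this hook validates each
# argument before use and then records the completed slot in an index file.
# The index path NFCAPD_INDEX (default: flowdir/.rotation.log) is assumed.

# rotate_hook FLOWDIR FILE SLOT IDENT
#   FLOWDIR = %d, FILE = %f (relative, may carry a -S sub hierarchy),
#   SLOT = %t, IDENT = %i.  Prints the absolute file path on success.
rotate_hook() {
    flowdir=$1 file=$2 slot=$3 ident=$4
    index=${NFCAPD_INDEX:-$flowdir/.rotation.log}

    # %t is YYYYMMddhhmm, extended to seconds for -t intervals below 60s.
    case "$slot" in
        ''|*[!0-9]*) echo "rotate_hook: bad time slot '$slot'" >&2; return 1 ;;
    esac
    [ ${#slot} -eq 12 ] || [ ${#slot} -eq 14 ] || {
        echo "rotate_hook: bad time slot length '$slot'" >&2; return 1; }

    # %i is operator supplied (default 'none'); keep it a plain token so it
    # cannot smuggle separators or shell metacharacters into the index.
    case "$ident" in
        ''|*[!A-Za-z0-9._-]*) echo "rotate_hook: bad ident '$ident'" >&2; return 1 ;;
    esac

    # %f must not escape flowdir: no absolute path, no '..' component.
    case "$file" in
        /*|..|../*|*/../*|*/..)
            echo "rotate_hook: path escapes flowdir: '$file'" >&2; return 1 ;;
    esac
    # and its basename must be the slot nfcapd just rotated.
    case "$file" in
        nfcapd.$slot|*/nfcapd.$slot) ;;
        *) echo "rotate_hook: '$file' does not match slot $slot" >&2; return 1 ;;
    esac

    path=$flowdir/$file
    # Missing or empty file: the exporter sent nothing during this interval.
    if [ ! -s "$path" ]; then
        echo "rotate_hook: $path missing or empty" >&2
        return 2
    fi

    size=$(wc -c < "$path" | tr -d ' ')
    printf '%s %s %s %s\n' "$slot" "$ident" "$size" "$path" >> "$index"
    printf '%s\n' "$path"
}
```

     Installed as /usr/local/sbin/nfcapd-rotate.sh (an assumed path), the
     hook is wired in with, for example, nfcapd -w /var/flows -S 1 -t 300
     -u nfcapd -g nfcapd -D -P /run/nfcapd.pid -x '/usr/local/sbin/nfcapd-
     rotate.sh %d %f %t %i', and each rotated slot appends a line of the
     form "202207110845 edge-fw1 <bytes> <path>" to the index.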
     -X extensionList
             extensionList is a ',' separated list of extensions to be stored
             by nfcapd.  The numbers correspond to the extension list in
             nfxV3.h.  By default extensions are added dynamically to store all
             data sent by the exporter.  If extensionList is given, only those
             elements matching the listed extensions are processed and stored.
             Usually this option is not needed, unless for specific
             requirements.

     -m metricpath
             Enables the flow metric exporter.  Flow metric information is
             sent to the UNIX socket metricpath at the rate specified by -i.
             This option may be used to export flow metric information to
             other systems such as InfluxDB or Prometheus.  Please note: the
             flow metric does not include the full record.  Only the flow
             statistics are sent.

     -i metricrate
             Sets the interval for the flow metric exporter.  This interval may
             be different from the file rotation interval -t and is therefore
             independent of file rotation.

     -v      Increase verbose level by 1.  The verbose level may be increased
             for debugging purposes up to 3.

     -E      Equal to -v -v -v.  Print netflow records in block format to
             stdout.  Please note that not all elements available in the flow
             record are printed.  To inspect all elements, use nfdump -o raw.
             This option is for debugging purposes only, to verify that
             incoming netflow data is processed correctly.

     -V      Print nfcapd version and exit.

     -h      Print help text on stdout with all options and exit.


RETURN VALUES

     nfcapd returns 0 on success and 255 if initialization failed.


SEE ALSO

     https://www.iana.org/assignments/ipfix/ipfix.xhtml

     https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

     nfdump(1) nfpcapd(1) sfcapd(1)


BUGS

     No software without bugs!  Please report any bugs back to me.

BSD                            December 20, 2023                           BSD