NAME
flow-capture — Manage storage of flow file archives by expiring old data.

SYNOPSIS
flow-capture [-hu] [-b big|little] [-C comment] [-c flow_clients] [-d debug_level] [-D daemonize] [-e expire_count] [-f filter_fname] [-F filter_definition] [-E expire_size] [-n rotations] [-N nesting_level] [-p pidfile] [-R rotate_program] [-S stat_interval] [-t tag_fname] [-T active_def|active_def,active_def ...] [-V pdu_version] [-z z_level] -w workdir [-x xlate_fname] [-X xlate_definition] localip/remoteip/port

DESCRIPTION
The flow-capture utility will receive and store NetFlow exports to disk. The flow files are rotated rotations times per day, and expiration of old flow files can be configured by number of files or by total space utilization. Files are stored in workdir and can optionally be stored in additional levels of directories. Active files created by flow-capture begin with 'tmp'. Files that are complete begin with 'ft'.

When the remoteip is configured, only flows from that exporter will be processed; this is the most secure and recommended configuration. When the localip is configured, flow-capture will only process flows sent to the localip IP address. If remoteip is 0 (not configured), flows from any source IP address are accepted. Multiple non-aggregated PDU versions may be accepted at once to support Cisco's Catalyst 6500 NetFlow implementation, which exports from both the supervisor and MSFC with the same IP address and same port but different export versions. In this case the exports will be stored in the format specified by pdu_version, or in whichever export type is received first.

NetFlow exports are UDP and do not employ congestion control or a retransmission mechanism. If the server flow-capture is configured on is too busy, or the network is congested or lossy, NetFlow exports will be lost. An estimate of lost flows is recorded in the flow files and logged via syslog. Most servers will provide a count of packets dropped due to full socket buffers via the netstat utility. For example, netstat -s | grep full will provide a count of UDP packets dropped due to full socket buffers. If this is a persistent occurrence, either flow-capture will need a larger server or the compression level should be decreased with -z.

A SIGHUP signal will cause flow-capture to close the current file and create a new one.

A SIGQUIT or SIGTERM signal will cause flow-capture to close the current file and exit.

OPTIONS
-b big|little
Byte order of output.

-c flow_clients
Enable flow_clients TCP clients. When libwrap is available the client must be in a permit list for the service flow-capture-client.

-C Comment
Add a comment.

-d debug_level
Enable debugging.

-e expire_count
Retain the maximum number of files so that the total file count is less than expire_count. Defaults to 0 (do not expire).

-E expire_size
Retain the maximum number of files so that the total storage is less than expire_size. The letters b, K, M, G can be used as multipliers, i.e. 16 Megabytes is 16M. Defaults to 0 (do not expire).

-f filter_fname
Filter list filename. Defaults to /var/flow-tools/cfg/filter.

-F filter_definition
Select the active definition. Defaults to default.

-h Display help.

-n rotations
Configure the number of times flow-capture will create a new file per day. The default is 95, or every 15 minutes.

-N nesting_level
Configure the nesting level for storing flow files. The default is 0.
-3 YYYY/YYYY-MM/YYYY-MM-DD/flow-file
-2 YYYY-MM/YYYY-MM-DD/flow-file
-1 YYYY-MM-DD/flow-file
0 flow-file
1 YYYY/flow-file
2 YYYY/YYYY-MM/flow-file
3 YYYY/YYYY-MM/YYYY-MM-DD/flow-file
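The -e and -E retention rules and the -N directory nesting above interact: an expiry pass has to find completed 'ft' files at whatever depth the nesting level put them, leave active 'tmp' files alone, and remove the oldest files until both limits hold. The following script is an added example of that policy written for this page; it is not flow-tools code, and it does not reproduce how flow-capture itself orders or deletes files. It assumes 1024-based multipliers for the b/K/M/G suffixes (the page does not say which base flow-capture uses) and uses file modification time as the age of a flow file.

```python
#!/usr/bin/env python3
"""Retention policy in the style of flow-capture's -e/-E options, applied to a
workdir laid out with any -N nesting level.  Added example; this is not
flow-tools code, and the 1024-based multipliers are an assumption."""
import argparse
import os
from pathlib import Path

# Multipliers accepted by -E (b, K, M, G); binary units are assumed here.
UNITS = {"b": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text):
    """Turn '16M' or '5G' into a byte count; a bare number is bytes."""
    text = text.strip()
    if text and text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


def collect_flow_files(workdir):
    """Return (mtime, size, path) for every completed flow file under workdir.

    Completed files begin with 'ft'; active files begin with 'tmp' and are
    never candidates.  os.walk descends through the YYYY/YYYY-MM/YYYY-MM-DD
    directories that -N produces, so the same code serves every nesting level.
    """
    found = []
    for root, _dirs, names in os.walk(workdir):
        for name in names:
            if name.startswith("ft"):
                path = Path(root) / name
                st = path.stat()
                found.append((st.st_mtime, st.st_size, path))
    found.sort()  # oldest first
    return found


def plan_expiry(files, expire_count=0, expire_size=0):
    """Pick the oldest files to remove so that what remains has fewer than
    expire_count files and fewer than expire_size bytes.  0 disables a limit,
    matching the flow-capture defaults."""
    remaining = list(files)
    total = sum(size for _mtime, size, _path in remaining)
    doomed = []
    while remaining:
        too_many = expire_count and len(remaining) >= expire_count
        too_big = expire_size and total >= expire_size
        if not (too_many or too_big):
            break
        _mtime, size, path = remaining.pop(0)
        total -= size
        doomed.append(path)
    return doomed


def expire(workdir, expire_count=0, expire_size=0, dry_run=False):
    """Apply the policy to workdir and return the list of removed paths."""
    doomed = plan_expiry(collect_flow_files(workdir), expire_count, expire_size)
    if not dry_run:
        for path in doomed:
            path.unlink()
    return doomed


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="expire old flow files")
    ap.add_argument("-w", dest="workdir", required=True)
    ap.add_argument("-e", dest="expire_count", type=int, default=0)
    ap.add_argument("-E", dest="expire_size", type=parse_size, default=0)
    ap.add_argument("--dry-run", action="store_true")
    args = ap.parse_args()
    for path in expire(args.workdir, args.expire_count, args.expire_size, args.dry_run):
        print(("would remove " if args.dry_run else "removed ") + str(path))
```

Run it as `expire.py -w /flows/krc4 -E 5G --dry-run` to see what a 5 Gigabyte limit would remove before letting it delete anything. Like flow-capture, it only unlinks files; the date directories that -N created are left in place even when they become empty.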

-p pidfile
Configure the process ID file. Use - to disable pid file creation.

-R rotate_program
Execute rotate_program with the first argument as the flow file name after rotating it.
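A rotate_program receives one argument, the name of the file that has just been completed, which makes it a convenient place to fingerprint each archive as it is written. The script below is an added example for this page, not part of flow-tools: it records a SHA-256 digest and size of every rotated 'ft' file in a manifest, and a second mode re-hashes the archive so that a truncated, altered or missing flow file is reported. The manifest location and the FLOW_MANIFEST environment variable are assumptions of the example.

```python
#!/usr/bin/env python3
"""A rotate_program for flow-capture -R.  flow-capture runs it as
   rotate_program <flow-file>
after each rotation.  This one appends a SHA-256 digest and size of the
completed file to a manifest and can later re-verify the archive.  Added
example, not flow-tools code; the FLOW_MANIFEST location is an assumption."""
import hashlib
import os
import sys
from pathlib import Path

# Assumed manifest location; override with the FLOW_MANIFEST environment variable.
MANIFEST = Path(os.environ.get("FLOW_MANIFEST", "/var/flow-tools/manifest.sha256"))


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large flow archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def record_rotated(flow_file, manifest=MANIFEST):
    """Append 'digest  size  absolute-path' for a completed flow file.

    Returns the digest, or None when the argument is not a completed flow
    file: flow-capture names completed files 'ft...' and active ones 'tmp...'.
    """
    path = Path(flow_file)
    if not path.name.startswith("ft") or not path.is_file():
        return None
    digest = sha256_of(path)
    manifest.parent.mkdir(parents=True, exist_ok=True)
    with open(manifest, "a", encoding="utf-8") as out:
        out.write(f"{digest}  {path.stat().st_size}  {path.resolve()}\n")
    return digest


def verify_manifest(manifest=MANIFEST):
    """Re-hash every recorded file; return the paths that are missing or whose
    size or digest no longer match the manifest."""
    bad = []
    for line in Path(manifest).read_text(encoding="utf-8").splitlines():
        digest, size, recorded = line.split("  ", 2)
        path = Path(recorded)
        if (not path.is_file() or path.stat().st_size != int(size)
                or sha256_of(path) != digest):
            bad.append(recorded)
    return bad


if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "--verify":
        failures = verify_manifest()
        for recorded in failures:
            print("MISMATCH " + recorded)
        sys.exit(1 if failures else 0)
    if len(sys.argv) != 2:
        sys.exit("usage: %s <flow-file> | --verify" % sys.argv[0])
    sys.exit(0 if record_rotated(sys.argv[1]) else 1)
```

Install it as `flow-capture -w /flows/krc4 -R /usr/local/bin/flow-rotate.py ...` and run `flow-rotate.py --verify` from cron or an integrity job; keep the manifest on storage that the flow-capture user cannot modify if the record is meant to survive a compromise of the collector.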

-S stat_interval
When configured, flow-capture will log a timestamped message every stat_interval minutes indicating counters such as the number of flows received, packets processed, and lost flows.

-t tag_fname
Load tags from tag_fname.

-T active_def|active_def,active_def...
Use active_def as the active tag definition(s).

-u Preserve inherited umask. By default the umask will be set to 0022.

-V pdu_version
Use pdu_version format output.

1 NetFlow version 1 (No sequence numbers, AS, or mask)
5 NetFlow version 5
6 NetFlow version 6 (5+ Encapsulation size)
7 NetFlow version 7 (Catalyst switches)
8.1 NetFlow AS Aggregation
8.2 NetFlow Proto Port Aggregation
8.3 NetFlow Source Prefix Aggregation
8.4 NetFlow Destination Prefix Aggregation
8.5 NetFlow Prefix Aggregation
8.6 NetFlow Destination (Catalyst switches)
8.7 NetFlow Source Destination (Catalyst switches)
8.8 NetFlow Full Flow (Catalyst switches)
8.9 NetFlow ToS AS Aggregation
8.10 NetFlow ToS Proto Port Aggregation
8.11 NetFlow ToS Source Prefix Aggregation
8.12 NetFlow ToS Destination Prefix Aggregation
8.13 NetFlow ToS Prefix Aggregation
8.14 NetFlow ToS Prefix Port Aggregation
1005 Flow-Tools tagged version 5

-w workdir
Work in workdir.

-x xlate_fname
Translation config file name. Defaults to /var/flow-tools/cfg/xlate.cfg.

-X xlate_definition
Translation definition. Defaults to default.

-z z_level
Configure compression level to z_level. 0 is disabled (no compression), 9 is highest compression.

EXAMPLES
Receive flows from the exporter at 10.0.0.1 port 9800. Maintain 5 Gigabytes of flow files in /flows/krc4. Mask the source and destination IP addresses contained in the flow exports with 255.255.248.0.

flow-capture -w /flows/krc4 -m 255.255.248.0 -E5G 0/10.0.0.1/9800

Receive flows from any exporter on port 9800. Do not perform any flow file space management. Store the exports in /flows/krc4. Emit a stat log message every 5 minutes.

flow-capture -w /flows/krc4 0/0/9800 -S5

BUGS
Empty directories are not removed.

FILES
Configuration files:
Tag - /var/flow-tools/cfg/tag.cfg.
Filter - /var/flow-tools/cfg/filter.cfg.
Xlate - /var/flow-tools/cfg/xlate.cfg.

AUTHOR
Mark Fullmer maf@splintered.net

SEE ALSO
flow-tools(1)

flow-capture(1)