sfcapd(1)                                                            sfcapd(1)

NAME

       sfcapd - sflow capture daemon

SYNOPSIS

       sfcapd [options]

DESCRIPTION

       sfcapd is the sflow capture daemon of the nfdump tools. It reads sflow
       data from the network and stores it into nfcapd compatible files. The
       output file is automatically rotated and renamed every n minutes -
       typically 5 min - according to the timestamp YYYYMMddhhmm of the
       interval, e.g. nfcapd.200407110845 contains the data from July 11th
       2004 08:45 onward. sfcapd supports sFlow version 4 and 5 datagrams.

       Sflow is an industry standard developed by InMon Corporation. For more
       information see http://sflow.org.

OPTIONS

       -p portnum
          Specifies the port number to listen on. Default port is 6343.

       -b bindhost
          Specifies the hostname/IPv4/IPv6 address to bind for listening. Can
          be an IP address or a hostname, resolving to an IP address attached
          to an interface. Defaults to any available IPv4 interface, if not
          specified.

       -4 Forces sfcapd to listen on IPv4 addresses only. Can be used together
          with -b if a hostname has an IPv4 and IPv6 address record. Depending
          on the socket implementation -6 also accepts IPv4 data.

       -6 Forces sfcapd to listen on IPv6 addresses only. Can be used together
          with -b if a hostname has an IPv4 and IPv6 address record.

       -j MulticastGroup
          Join the specified IPv4 or IPv6 multicast group for listening.

       -R host[/port]
          Enable packet repeater. Send all incoming packets to another host
          and port. host is either a valid IPv4/IPv6 address, or a valid
          symbolic hostname, which resolves to an IPv6 or IPv4 address. port
          may be omitted and defaults to port 6343. Note: Due to IPv4/IPv6
          accepted addresses the port separator is '/'. Up to 8 repeaters may
          be defined.

       -I IdentString ( capital letter i )
          Specifies an ident string, which describes the source, e.g. the name
          of the router. This string is put into the stat record to identify
          the source. Default is 'none'. This is for compatibility with nfdump
          1.5.x and used to specify a single sflow source. See -n.

       -l base_directory ( letter ell )
          Specifies the base directory to store the output files. If a sub
          hierarchy is specified with -S the final directory is concatenated
          to base_directory/sub_hierarchy. This is for compatibility with
          nfdump 1.5.x and used to specify a single sflow source. See -n.

       -n <Ident,IP,base_directory>
          Configures an sflow source named Ident and identified by source IP
          address IP. The base directory for the flow files is base_directory.
          If a sub hierarchy is specified with -S the final directory is
          concatenated to base_directory/sub_hierarchy. Multiple netflow
          sources can be specified. All data is sent to the same port
          specified by -p. Note: You must not mix the -n option with -I and
          -l. Use either syntax.

       -f <pcap_file>
          Read sflow packets from a given pcap_file instead of the network.
          This requires sfcapd to be compiled with the pcap option and is
          intended for debugging only.

       -S <num>
          Specifies an additional directory sub hierarchy to store the data
          files. The default is 0, no sub hierarchy, which means the files go
          directly in the base directory (-l). The base directory (-l) is
          concatenated with the specified sub hierarchy format to form the
          final data directory. The following hierarchies are defined:
            0 default     no hierarchy levels
            1 %Y/%m/%d    year/month/day
            2 %Y/%m/%d/%H year/month/day/hour
            3 %Y/%W/%u    year/week_of_year/day_of_week
            4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
            5 %Y/%W/%u    year/week_of_year/day_of_week
            6 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
            7 %Y/%j       year/day-of-year
            8 %Y/%j/%H    year/day-of-year/hour
            9 %Y-%m-%d    year-month-day
           10 %Y-%m-%d/%H year-month-day/hour

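          The file naming scheme and the -S table above decide where the
          flows for a given moment are stored, which is what an analyst needs
          when pulling files for an incident window. The Python below is an
          added example, not part of nfdump: it assumes rotation aligned with
          -w and file names in local wall-clock time, and its function names
          are hypothetical.

```python
from datetime import datetime, timedelta

# Sub hierarchy formats as listed for -S on this page (5 and 6 as printed).
SUBDIR_FORMATS = {
    0: "", 1: "%Y/%m/%d", 2: "%Y/%m/%d/%H", 3: "%Y/%W/%u",
    4: "%Y/%W/%u/%H", 5: "%Y/%W/%u", 6: "%Y/%W/%u/%H", 7: "%Y/%j",
    8: "%Y/%j/%H", 9: "%Y-%m-%d", 10: "%Y-%m-%d/%H",
}

def interval_start(when, interval=300):
    """Floor a naive local timestamp to its rotation slot (assumes -w)."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    since_epoch = when - datetime(1970, 1, 1)
    seconds = since_epoch.days * 86400 + since_epoch.seconds
    return when - timedelta(seconds=seconds % interval,
                            microseconds=when.microsecond)

def flow_file_path(base_directory, when, subdir=0, interval=300):
    """Return the path of the file that should hold flows seen at `when`."""
    if subdir not in SUBDIR_FORMATS:
        raise ValueError("unknown -S hierarchy: %r" % (subdir,))
    start = interval_start(when, interval)
    parts = [base_directory.rstrip("/")]
    if SUBDIR_FORMATS[subdir]:
        parts.append(start.strftime(SUBDIR_FORMATS[subdir]))
    parts.append("nfcapd." + start.strftime("%Y%m%d%H%M"))
    return "/".join(parts)

def files_for_window(base_directory, begin, end, subdir=0, interval=300):
    """List every file covering the incident window [begin, end]."""
    slot, paths = interval_start(begin, interval), []
    while slot <= end:
        paths.append(flow_file_path(base_directory, slot, subdir, interval))
        slot += timedelta(seconds=interval)
    return paths

if __name__ == "__main__":
    # Constructed incident window, using the spool path from EXAMPLES.
    for path in files_for_window("/data/spool/router1",
                                 datetime(2004, 7, 11, 8, 47, 30),
                                 datetime(2004, 7, 11, 8, 56, 0), subdir=1):
        print(path)
```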
       -T <extension list>
          Specifies the list of extensions to be stored in the flow file.
          Regardless of the extension list, the following sflow data is stored
          per record: first, last, fwd status, tcp flags, proto, (src)tos, src
          port, dst port, src ipaddr, dst ipaddr, in(packets), in(bytes). In
          addition sfcapd recognises the extensions as described below.

          Extensions:
           sflow extensions:
            1 input/output interface SNMP numbers.
            2 src/dst AS numbers.
            3 src/dst mask, (dst)TOS, direction,
            4 Next hop IP addr
            5 BGP next hop IP addr
            6 src/dst vlan id labels
           10 in_src/out_dst MAC address
           By default extension 1 and 2 are selected, which provides
           compatibility with earlier nfdump versions. Extensions can be
           added/deleted by specifying a ',' separated list of extension ids.
           Each id may be prepended by an optional sign +/- to add or remove a
           given id from the extension list. The string 'all' means all
           extensions. Extensions 7-9 are not available for sfcapd.
           Examples:
           -T all       Enables all possible extensions.
           -T +3,+4     Adds extensions 3 and 4 to the defaults 1 and 2.
           -T all,-5,-6 Set all extensions but 5 and 6
           -T -1,4      Removes default extension 1 and adds extension 4
           Note: Extensions are shared with the netflow collector nfcapd.
           Sflow as well as netflow data is stored in the same type of
           extensions.

       -t interval
          Specifies the time interval in seconds to rotate files. The default
          value is 300s ( 5min ).

       -w Align file rotation with next n minute ( specified by -t ) interval.
          Example: If interval is 5 min, sync at 0,5,10... wall clock minutes
          Default: no alignment.

       -x cmd
          Run command cmd at the end of every interval, when a new file
          becomes available. The following command expansion is available:
           %f   Replaced by the file name, e.g. nfcapd.200407110845, including
                any sub hierarchy. ( 2004/07/11/nfcapd.200407110845 )
           %d   Replaced by the directory where the file is located.
           %t   Replaced by the time ISO format e.g. 200407110845.
           %u   Replaced by the UNIX time format.
           %i   Replaced by the ident string given by -I

       -e Auto expire files at every cycle. max lifetime and max filesize are
          defined using nfexpire(1).

       -P pidfile
          Specify name of pidfile. Default is no pidfile.

       -D Daemon mode: fork to background and detach from terminal. Nfcapd
          terminates on signal TERM, INT and HUP.

       -u userid
          Change to the user userid as soon as possible. Only root is allowed
          to use this option.

       -g groupid
          Change to the group groupid as soon as possible. Only root is
          allowed to use this option.

       -B bufflen
          Specifies the socket input buffer length in bytes. For high volume
          traffic ( near GB traffic ) it is recommended to set this value as
          high as possible ( typically > 100k ), otherwise you risk losing
          packets. The default is OS ( and kernel ) dependent.

       -E Print data records in nfdump raw format to stdout. This option is
          for debugging purposes only, to see how incoming sflow data is
          processed and stored.

       -j Compress flows. Use bz2 compression in output file. Note: not
          recommended while collecting

       -z Compress flows. Use fast LZO1X-1 compression in output file.

       -V Print sfcapd version and exit.

       -h Print help text to stdout with all options and exit.

RETURN VALUE

       Returns 0 on success, or 255 if initialization failed.

LOGGING

       sfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal
       operation level 'warning' should be fine. More information is reported
       at level 'info' and 'debug'.

       A small statistic about the collected flows, as well as errors, is
       reported at the end of every interval to syslog with level 'info'.

EXAMPLES

       Compatible with old sfcapd 1.5.x:
              sfcapd -w -D -l /data/spool/router1 -p 6343 -B 128000 -I router1 \
              -x '/path/some_app -r %d/%f' -P /var/run/sfcapd/sfcapd.router1

       Selectively enabled sender:
              sfcapd -Tall -w -D -n router1,192.168.1.10,/data/spool/router1 \
              -p 6343 -B 128000 -P /var/run/sfcapd/sfcapd.router1

NOTES

       sfcapd automatically scales the packets and bytes according to the
       sampling rate.

       Even with sflow version 4 and 5 support, not all available sflow
       elements are stored in the data files. As of this version, sfcapd
       supports the same shared fields as extensions as its netflow companion
       nfcapd for netflow version v9. See nfcapd(1). More fields will be
       supported in future.

       The format of the data files is version independent and compatible
       with nfcapd collected data.

       Socket buffer: Setting the socket buffer size is system dependent.
       When starting up, sfcapd returns the number of bytes the buffer was
       actually set to. This is done by reading back the buffer size and may
       differ from what you requested.

SEE ALSO

       nfcapd(1), nfdump(1), nfprofile(1), nfreplay(1)

                                  2009-09-09                         sfcapd(1)