nfcapd(1)

NAME
       nfcapd - netflow capture daemon

SYNOPSIS
       nfcapd [options]

DESCRIPTION
       nfcapd is the netflow capture daemon of the nfdump tools. It reads
       netflow data from the network and stores it into files. The output
       file is automatically rotated and renamed every n minutes - typically
       5 min - according to the timestamp YYYYMMddhhmm of the interval, e.g.
       nfcapd.201907110845 contains the data from July 11th 2019 08:45
       onward. If the time interval is smaller than 60s, the naming extends
       to seconds, e.g. nfcapd.20190711084510.

       Netflow versions v1, v5, v7 and v9 and IPFIX are transparently
       supported.

       Extensions: nfcapd supports a large number of v9 tags. In order to
       optimise disk space and performance, v9 tags are grouped into a number
       of extensions which may or may not be stored into the data file.
       Therefore the v9 templates configured on the exporter may be tuned
       according to the collector. Only those tags common to both are stored
       into the data files.

       Sampling: By default, the sampling rate is set to 1 (unsampled) or to
       any given value specified by the -s cmd line option. If sampling
       information is found in the netflow stream, it overwrites the default
       value. Sampling is automatically recognised when announced in v9
       option templates (tags #34, #35 or #48, #49, #50) or in the unofficial
       v5 header hack. Note: Not all platforms (or IOS/JunOS versions)
       support exporting sampling information in netflow data, even if
       sampling is configured. The number of bytes/packets in each netflow
       record is automatically multiplied by the sampling rate. The total
       number of flows is not changed, as this is not accurate enough (small
       flows versus large flows). If the default sampling rate given by -s is
       negative, this will hard overwrite any device specific announced
       sampling rates.

       NSEL/ASA Support: nfcapd can be compiled with NSEL/ASA support
       included. See notes on NSEL/ASA.

       NEL (NAT Event logging): nfcapd can be compiled with CISCO NEL support
       included. See notes on NEL.

OPTIONS
       -p portnum
              Specifies the port number to listen on. Default port is 9995.

       -b bindhost
              Specifies the hostname/IPv4/IPv6 address to bind for listening.
              This can be an IP address or a hostname resolving to an IP
              address attached to an interface. Defaults to any available
              IPv4 interface, if not specified.

       -4     Forces nfcapd to listen on IPv4 addresses only. Can be used
              together with -b if a hostname has an IPv4 and IPv6 address
              record.

       -6     Forces nfcapd to listen on IPv6 addresses only. Can be used
              together with -b if a hostname has an IPv4 and IPv6 address
              record. Depending on the socket implementation -6 also accepts
              IPv4 data.

       -J MulticastGroup
              Join the specified IPv4 or IPv6 multicast group for listening.

       -R host[/port]
              Enable packet repeater. Send all incoming packets to another
              host and port. host is either a valid IPv4/IPv6 address, or a
              valid symbolic hostname, which resolves to an IPv6 or IPv4
              address. port may be omitted and defaults to port 9995. Note:
              Because both IPv4 and IPv6 addresses are accepted, the port
              separator is '/'. Up to 8 repeaters may be defined.

       -I IdentString (capital letter i)
              Specifies an ident string, which describes the source, e.g.
              the name of the router. This string is put into the stat record
              to identify the source. Default is 'none'. This is for
              compatibility with nfdump 1.5.x and used to specify a single
              netflow source. See -n.

       -l base_directory (letter ell)
              Specifies the base directory to store the output files. If a
              sub hierarchy is specified with -S, the final directory is
              concatenated to base_directory/sub_hierarchy. This is for
              compatibility with nfdump 1.5.x and used to specify a single
              netflow source. See -n.

       -n <Ident,IP,base_directory>
              Configures a netflow source named Ident and identified by
              source IP address IP. The base directory for the flow files is
              base_directory. If a sub hierarchy is specified with -S, the
              final directory is concatenated to base_directory/sub_hierarchy.
              Multiple netflow sources can be specified. All data is sent to
              the same port specified by -p. Note: You must not mix the -n
              option with -I and -l. Use either syntax.

       -M <dynbase_directory>
              Specifies the base directory to store the output files. In
              contrast to -l, -M allows adding new flow sources (exporters)
              dynamically, as they appear. All exporters send netflow data to
              the same port and IP. For each dynamically added source, a new
              directory is created with the name of the IPv4/IPv6 address of
              the exporter. All '.' and ':' in IP addresses are replaced by
              '-', e.g. 10.11.12.13 is converted to the directory name
              10-11-12-13. Note: Please make sure to restrict at host level
              the potential range of IP addresses which are allowed to
              connect to nfcapd. Otherwise you risk a potential DoS attack on
              nfcapd, as nfcapd has no built-in restrictions.

       -f <pcap_file>
              Read netflow packets from a given pcap_file instead of the
              network. This requires nfcapd to be compiled with the pcap
              option and is intended for debugging only.

       -s <rate>
              Apply default sampling rate rate to all netflow records, unless
              the sampling rate is announced by the exporting device. In that
              case the announced sampling rate is applied. If <rate> is
              negative, this will hard overwrite any device specific
              announced sampling rates.

       -S <num>
              Allows specifying an additional directory sub hierarchy to
              store the data files. The default is 0, no sub hierarchy, which
              means the files go directly in the base directory (-l). The
              base directory (-l) is concatenated with the specified sub
              hierarchy format to form the final data directory. The
              following hierarchies are defined:
                 0  default      no hierarchy levels
                 1  %Y/%m/%d     year/month/day
                 2  %Y/%m/%d/%H  year/month/day/hour
                 3  %Y/%W/%u     year/week_of_year/day_of_week
                 4  %Y/%W/%u/%H  year/week_of_year/day_of_week/hour
                 5  %Y/%j        year/day-of-year
                 6  %Y/%j/%H     year/day-of-year/hour
                 7  %Y-%m-%d     year-month-day
                 8  %Y-%m-%d/%H  year-month-day/hour

       -T <extension list>
              Specifies the list of extensions to be stored in the netflow
              file. Regardless of the extension list, the following netflow
              data is stored per record: first, last, fwd status, tcp flags,
              proto, (src)tos, src port, dst port, src ipaddr, dst ipaddr,
              in(packets), in(bytes). In addition nfcapd recognises the
              extensions as described below. Some are valid for v5/v7/v9,
              but most of them only make sense for v9. Any specified
              extensions which do not exist in the input netflow records are
              ignored.

              Extensions:
              v5/v7/v9/IPFIX extensions:
                 1  input/output interface SNMP numbers.
                 2  src/dst AS numbers.
                 3  src/dst mask, (dst)TOS, direction.
                 4  Next hop IP addr
                 5  BGP next hop IP addr
                 6  src/dst vlan id labels
                 7  counter output packets
                 8  counter output bytes
                 9  counter aggregated flows
                10  in_src/out_dst MAC address
                11  in_dst/out_src MAC address
                12  MPLS labels 1-10
                13  Exporting router IPv4/IPv6 address
                14  Exporting router ID
                15  BGP adjacent prev/next AS
                16  time stamp flow received by the collector
              NSEL/ASA/NAT extensions:
                26  NSEL ASA event, xtended event, ICMP type/code
                27  NSEL/NAT xlate ports
                28  NSEL/NAT xlate IPv4/IPv6 addr
                29  NSEL ASA ACL ingress/egress acl ID
                30  NSEL ASA username
              NEL/NAT extensions:
                31  NAT event, ingress egress vrfid
                32  NAT Block port allocation - block start, end step and size
              latency extension:
                64  nfpcapd/nprobe client/server/application latency

              IMPORTANT: By default only extensions 1 and 2 are selected.
              Extensions can be added/deleted by specifying a ',' separated
              list of extension ids. Each id may be prepended by an optional
              sign +/- to add or remove a given id from the extension list.
              Shortcuts: The string 'all' means all extensions. The strings
              'nsel' and 'nel' enable all NSEL or NEL extensions
              respectively.

              Examples:
                 -T all        Enables all possible extensions.
                 -T +3,+4      Adds extensions 3 and 4 to the defaults 1 and 2.
                 -T all,-8,-9  Sets all extensions but 8 and 9.
                 -T -1,4       Removes default extension 1 and adds extension 4.
                 -T nsel       Enables all required ASA/NSEL extensions.
                 -T nel        Enables all required NEL extensions.
              Note: Only those tags in common with the exporting device and
              enabled extensions at the collector side are stored into the
              data files. A detailed list of which v9 tags are mapped into
              which extensions is given in the section NOTES.
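
The -T list rules above (defaults 1 and 2, +/- ids, 'all', 'nsel', 'nel'), worked through in an added example that is not nfdump's own code. It assumes the id table printed above is complete, that 'nsel' and 'nel' add their group (26-30 and 31-32) on top of what is already selected, and it rejects ids outside the table, which nfcapd itself is not documented to do.

```python
"""Added example, not nfdump's own code: resolve a -T extension list into
the set of extension ids nfcapd would enable, following the OPTIONS text."""

# Every extension id listed in the -T table of this man page (assumption:
# that table is complete for the version documented here).
ALL_EXTENSIONS = frozenset(range(1, 17)) | frozenset(range(26, 33)) | {64}
NSEL_EXTENSIONS = frozenset({26, 27, 28, 29, 30})   # NSEL/ASA/NAT group
NEL_EXTENSIONS = frozenset({31, 32})                # NEL/NAT group
DEFAULT_EXTENSIONS = frozenset({1, 2})              # "only 1 and 2 are selected"


def resolve_extensions(spec: str) -> set:
    """Apply a ',' separated -T spec left to right, starting from the defaults.
    'all' selects every id; 'nsel'/'nel' add their group (assumption: added on
    top of the current selection, like a '+' entry); 'N' or '+N' adds id N,
    '-N' removes it. Ids not in the table raise ValueError (assumption)."""
    enabled = set(DEFAULT_EXTENSIONS)
    for token in spec.split(","):
        token = token.strip().lower()
        if not token:
            continue
        if token == "all":
            enabled = set(ALL_EXTENSIONS)
            continue
        if token == "nsel":
            enabled |= NSEL_EXTENSIONS
            continue
        if token == "nel":
            enabled |= NEL_EXTENSIONS
            continue
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        if not token.isdigit() or int(token) not in ALL_EXTENSIONS:
            raise ValueError(f"unknown extension id in -T list: {token!r}")
        ext = int(token)
        if sign == "+":
            enabled.add(ext)
        else:
            enabled.discard(ext)
    return enabled


def format_extensions(enabled: set) -> str:
    """Render a resolved set back as the explicit ',' separated -T form."""
    return ",".join(str(i) for i in sorted(enabled))
```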

       -t interval
              Specifies the time interval in seconds to rotate files. The
              default value is 300s (5 min). The smallest interval is 2s.

       -w     Align file rotation with the next n minute interval (specified
              by -t). Example: If the interval is 5 min, sync at 0,5,10...
              wall clock minutes. Default: no alignment.

       -x cmd
              Run command cmd at the end of every interval, when a new file
              becomes available. The following command expansion is
              available:
                 %f  Replaced by the file name, e.g. nfcapd.200907110845,
                     including any sub hierarchy
                     (2009/07/11/nfcapd.200907110845).
                 %d  Replaced by the directory where the file is located.
                 %t  Replaced by the time in ISO format, e.g. 200907110845.
                 %u  Replaced by the UNIX time format.
                 %i  Replaced by the ident string given by -I.
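
File naming (-t), the -S sub hierarchy, -w alignment and -x expansion, modelled together in an added example that is not nfdump's own code. It assumes UTC for reproducibility (nfcapd uses the collector's local time) and, from the '-r %d/%f' command in EXAMPLES, that %d expands to the base directory while %f carries the sub hierarchy.

```python
"""Added example, not nfdump's own code: how nfcapd names rotated files
(-t), builds the -S sub hierarchy, aligns intervals (-w) and expands -x.
Assumption: UTC is used here; nfcapd itself uses the collector's local time."""
from datetime import datetime, timezone

# -S hierarchy formats exactly as listed in OPTIONS (strftime syntax).
SUB_HIERARCHY = {0: "", 1: "%Y/%m/%d", 2: "%Y/%m/%d/%H", 3: "%Y/%W/%u",
                 4: "%Y/%W/%u/%H", 5: "%Y/%j", 6: "%Y/%j/%H",
                 7: "%Y-%m-%d", 8: "%Y-%m-%d/%H"}

def unix_ts(y, mo, d, h=0, mi=0, s=0):
    """UNIX time of a UTC wall clock value (helper for the demo)."""
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())

def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def align_interval_start(ts, interval):
    """-w: snap the interval start down to a multiple of interval seconds,
    so a 5 min interval starts at 0,5,10,... wall clock minutes."""
    return ts - (ts % interval)

def nfcapd_filename(ts, interval):
    """nfcapd.YYYYMMddhhmm; seconds are appended when the interval is < 60s."""
    return "nfcapd." + _utc(ts).strftime("%Y%m%d%H%M%S" if interval < 60
                                         else "%Y%m%d%H%M")

def sub_dir(level, ts):
    """Sub hierarchy path for an -S level, '' for level 0 (no hierarchy)."""
    fmt = SUB_HIERARCHY[level]
    return _utc(ts).strftime(fmt) if fmt else ""

def data_dir(base, level, ts):
    """base_directory/sub_hierarchy, as -l or -n combined with -S form it."""
    sub = sub_dir(level, ts)
    return f"{base}/{sub}" if sub else base

def expand_x_command(cmd, base, level, ts, interval, ident):
    """Expand %f %d %t %u %i for the file that just rotated. %f carries the
    sub hierarchy and %d the base directory, so '-r %d/%f' from EXAMPLES
    yields the full path (assumption drawn from that example)."""
    sub = sub_dir(level, ts)
    name = nfcapd_filename(ts, interval)
    values = {"%f": f"{sub}/{name}" if sub else name, "%d": base,
              "%t": _utc(ts).strftime("%Y%m%d%H%M"), "%u": str(ts),
              "%i": ident}
    for key, val in values.items():
        cmd = cmd.replace(key, val)
    return cmd
```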

       -X     Collect and embed extended statistics. Currently a port and
              bpp histogram is embedded. Mostly experimental for now.

       -e     Auto expire files at every cycle. Max lifetime and max filesize
              are defined using nfexpire(1).

       -P pidfile
              Specify the name of the pidfile. Default is no pidfile.

       -D     Daemon mode: fork to background and detach from terminal.
              nfcapd terminates on signal TERM, INT and HUP.

       -u userid
              Change to the user userid as soon as possible. Only root is
              allowed to use this option.

       -g groupid
              Change to the group groupid as soon as possible. Only root is
              allowed to use this option.

       -B bufflen
              Specifies the socket input buffer length in bytes. For high
              volume traffic (near GB traffic) it is recommended to set this
              value as high as possible (typically > 100k), otherwise you
              risk losing packets. The default is OS (and kernel) dependent.

       -E     Print netflow records in nfdump raw format to stdout. This
              option is for debugging purposes only, to see how incoming
              netflow data is processed and stored.

       -j     Compress flows. Use bz2 compression in the output file. Note:
              not recommended while collecting.

       -y     Compress flows. Use LZ4 compression in the output file.

       -z     Compress flows. Use fast LZO1X-1 compression in the output
              file.

       -V     Print nfcapd version and exit.

       -h     Print help text to stdout with all options and exit.

RETURN VALUE
       Returns 0 on success, or 255 if initialization failed.

LOGGING
       nfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal
       operation level 'warning' should be fine. More information is reported
       at level 'info' and 'debug'.

       A small statistic about the collected flows, as well as errors, are
       reported at the end of every interval to syslog with level 'info'.

EXAMPLES
       All flows are sent to port 9995 from all exporters and stored into a
       single file. All known v9 tags are taken.
              nfcapd -z -w -D -T all -l /netflow/spool/allflows -I any -S 2
              -P /var/run/nfcapd.allflows.pid

       All flows from 2 different exporters are sent to port 8877 and stored
       in separate directory trees. All known v9 tags are taken. Input buffer
       size is set to 128000 bytes.
              nfcapd -z -w -D -T all -p 8877
              -n upstream,192.168.1.1,/netflow/spool/upstream
              -n peer,192.168.2.1,/netflow/spool/peer -S 2 -B 128000

       Only accept flows from a single exporter and only extensions 3, 4 and
       5 are accepted. Run a given command when files are rotated and
       automatically expire flows:
              nfcapd -w -D -T 3,4,5 -n upstream,192.168.1.1,/netflow/spool/upstream
              -p 23456 -B 128000 -s 100 -x '/path/command -r %d/%f'
              -P /var/run/nfcapd/nfcapd.pid -e

NOTES
       Multiple netflow sources:

       Netflow data may be sent from different exporters to a single nfcapd
       process. Use the -n option to separate each netflow source into a
       different data directory. For compatibility with nfdump 1.5.x, the
       old style -l/-I options are still valid. In that case all flows from
       all sources are stored in a single file. For high volume netflow
       streams, it is still recommended to have a single nfcapd process per
       netflow source.

       The current v9 implementation of nfdump supports the following v9
       elements:
              v9 element                         v9 ID   Extension
              NF9_LAST_SWITCHED                    21    default
              NF9_FIRST_SWITCHED                   22    default
              NF9_IN_BYTES                          1    default
              NF9_IN_PACKETS                        2    default
              NF9_IN_PROTOCOL                       4    default
              NF9_SRC_TOS                           5    default
              NF9_TCP_FLAGS                         6    default
              NF9_FORWARDING_STATUS                89    default
              NF9_IPV4_SRC_ADDR                     8    default
              NF9_IPV4_DST_ADDR                    12    default
              NF9_IPV6_SRC_ADDR                    27    default
              NF9_IPV6_DST_ADDR                    28    default
              NF9_L4_SRC_PORT                       7    default
              NF9_L4_DST_PORT                      11    default
              NF9_ICMP_TYPE                        32    default
              NF9_INPUT_SNMP                       10    1
              NF9_OUTPUT_SNMP                      14    1
              NF9_SRC_AS                           16    2
              NF9_DST_AS                           17    2
              NF9_DST_TOS                          55    3
              NF9_DIRECTION                        61    3
              NF9_SRC_MASK                          9    3
              NF9_DST_MASK                         13    3
              NF9_IPV6_SRC_MASK                    29    3
              NF9_IPV6_DST_MASK                    30    3
              NF9_V4_NEXT_HOP                      15    4
              NF9_V6_NEXT_HOP                      62    4
              NF9_BGP_V4_NEXT_HOP                  18    5
              NF9_BPG_V6_NEXT_HOP                  63    5
              NF9_SRC_VLAN                         58    6
              NF9_DST_VLAN                         59    6
              NF9_OUT_PKTS                         24    7
              NF9_OUT_BYTES                        23    8
              NF9_FLOWS_AGGR                        3    9
              NF9_IN_SRC_MAC                       56    10
              NF9_OUT_DST_MAC                      57    10
              NF9_IN_DST_MAC                       80    11
              NF9_OUT_SRC_MAC                      81    11
              NF9_MPLS_LABEL_1                     70    12
              NF9_MPLS_LABEL_2                     71    12
              NF9_MPLS_LABEL_3                     72    12
              NF9_MPLS_LABEL_4                     73    12
              NF9_MPLS_LABEL_5                     74    12
              NF9_MPLS_LABEL_6                     75    12
              NF9_MPLS_LABEL_7                     76    12
              NF9_MPLS_LABEL_8                     77    12
              NF9_MPLS_LABEL_9                     78    12
              NF9_MPLS_LABEL_10                    79    12
              NF9_SAMPLING_INTERVAL                34    Sampling
              NF9_SAMPLING_ALGORITHM               35    Sampling
              NF9_FLOW_SAMPLER_ID                  48    Sampling
              FLOW_SAMPLER_MODE                    49    Sampling
              NF9_FLOW_SAMPLER_RANDOM_INTERVAL     50    Sampling
              IP addr of exporting router                13
              NF9_ENGINE_TYPE                      38    14
              NF9_ENGINE_ID                        39    14
              NF9_BGP_ADJ_NEXT_AS                 128    15
              NF9_BGP_ADJ_PREV_AS                 129    15
              collector received timestamp               16
       32 and 64 bit are supported for all counters. 32 bit AS numbers are
       supported.

       IPFIX support is experimental. Due to the lack of sampling
       implementations in many IPFIX exporters, sampling for IPFIX is not
       yet supported.

       The format of the data files is netflow version independent.

       Socket buffer: Setting the socket buffer size is system dependent.
       When starting up, nfcapd reports the number of bytes the buffer was
       actually set to. This is done by reading back the buffer size and
       may differ from what you requested.

SEE ALSO
       nfdump(1), nfprofile(1), nfreplay(1)

BUGS
       No software without bugs! Please report any bugs back to me.

2009-09-09                                                         nfcapd(1)