FLOW-CAPTURE(1)                                                FLOW-CAPTURE(1)

NAME
flow-capture - Manage storage of flow file archives by expiring old
data.

SYNOPSIS
flow-capture [ -hu ] [ -b big|little ] [ -C comment ] [ -c flow_clients ]
[ -d debug_level ] [ -D daemonize ] [ -e expire_count ] [ -f filter_fname ]
[ -F filter_definition ] [ -E expire_size ] [ -n rotations ]
[ -N nesting_level ] [ -p pidfile ] [ -R rotate_program ]
[ -S stat_interval ] [ -t tag_fname ] [ -T active_def|active_def,active_def... ]
[ -V pdu_version ] [ -z z_level ] -w workdir [ -x xlate_fname ]
[ -X xlate_definition ] localip/remoteip/port

DESCRIPTION
The flow-capture utility receives NetFlow exports and stores them to
disk. The flow files are rotated rotations times per day, and expiration
of old flow files can be configured by number of files or by total space
utilization. Files are stored in workdir and can optionally be stored in
additional levels of directories. Active files created by flow-capture
begin with 'tmp'. Files that are complete begin with 'ft'.

When remoteip is configured, only flows from that exporter are
processed; this is the most secure and recommended configuration. When
localip is configured, flow-capture only processes flows sent to the
localip address. If remoteip is 0 (not configured), flows from any
source IP address are accepted. Multiple non-aggregated PDU versions
may be accepted at once to support Cisco's Catalyst 6500 NetFlow
implementation, which exports from both the supervisor and the MSFC with
the same IP address and port but different export versions. In this
case the exports are stored in the format specified by pdu_version or
whichever export type is received first.

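The acceptance rule described above, as an added example that is not part of this man page or of flow-tools: a small Python model of the localip/remoteip/port argument that shows which datagrams a given spec lets through. The parse_spec, accepts and compare_specs functions and the sample addresses are constructed here; they mirror only the documented semantics (a literal 0 for either address means not configured) and nothing about flow-capture's internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ListenSpec:
    """Parsed form of flow-capture's localip/remoteip/port argument (model only)."""
    local_ip: Optional[ipaddress.IPv4Address]   # None: accept on any local address
    remote_ip: Optional[ipaddress.IPv4Address]  # None: accept any exporter
    port: int


def parse_spec(spec: str) -> ListenSpec:
    """Parse 'localip/remoteip/port'; a literal 0 for either address means not configured."""
    parts = spec.split("/")
    if len(parts) != 3:
        raise ValueError(f"expected localip/remoteip/port, got {spec!r}")
    local_s, remote_s, port_s = parts
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    local_ip = None if local_s == "0" else ipaddress.IPv4Address(local_s)
    remote_ip = None if remote_s == "0" else ipaddress.IPv4Address(remote_s)
    return ListenSpec(local_ip, remote_ip, port)


def accepts(spec: ListenSpec, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Would a UDP datagram from src_ip to dst_ip:dst_port be processed under spec?"""
    if dst_port != spec.port:
        return False
    if spec.local_ip is not None and ipaddress.IPv4Address(dst_ip) != spec.local_ip:
        return False
    if spec.remote_ip is not None and ipaddress.IPv4Address(src_ip) != spec.remote_ip:
        return False
    return True


# Constructed sample traffic: the collector listens on 192.0.2.10, the
# expected exporter is 10.0.0.1 and 10.0.0.2 is some other host.
COLLECTOR = "192.0.2.10"
EXPORTER = "10.0.0.1"
OTHER_HOST = "10.0.0.2"


def compare_specs() -> dict:
    """Evaluate the two listen specs from the EXAMPLES section against datagrams
    from the configured exporter and from an unrelated host."""
    pinned = parse_spec("0/10.0.0.1/9800")   # remoteip configured: recommended
    anyone = parse_spec("0/0/9800")          # remoteip 0: any source accepted
    return {
        "pinned_accepts_exporter": accepts(pinned, EXPORTER, COLLECTOR, 9800),
        "pinned_accepts_other": accepts(pinned, OTHER_HOST, COLLECTOR, 9800),
        "open_accepts_other": accepts(anyone, OTHER_HOST, COLLECTOR, 9800),
    }


if __name__ == "__main__":
    for key, value in compare_specs().items():
        print(f"{key}: {value}")
```

The comparison makes the page's recommendation concrete: with remoteip set to 0, any host that can reach the UDP port can have its records written into the archive, whereas a pinned remoteip limits the archive to the one exporter it is meant to hold.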
NetFlow exports are UDP and do not employ congestion control or a
retransmission mechanism. If the server flow-capture runs on is too
busy, or the network is congested or lossy, NetFlow exports will be
lost. An estimate of lost flows is recorded in the flow files and
logged via syslog. Most servers provide a count of packets dropped due
to full socket buffers via the netstat utility; for example, netstat -s
| grep full will show the number of UDP packets dropped because the
socket buffer was full. If this is a persistent occurrence, either
flow-capture needs a larger server or the compression level should be
decreased with -z.

A SIGHUP signal will cause flow-capture to close the current file and
create a new one.

A SIGQUIT or SIGTERM signal will cause flow-capture to close the
current file and exit.

OPTIONS
-b big|little
Byte order of output.

-c flow_clients
Enable flow_clients TCP clients. When libwrap is available the
client must be in a permit list for the service
flow-capture-client.

-C comment
Add a comment.

-d debug_level
Enable debugging.

-e expire_count
Retain the maximum number of files so that the total file count
is less than expire_count. Defaults to 0 (do not expire).

-E expire_size
Retain the maximum number of files so that the total storage is
less than expire_size. The letters b,K,M,G can be used as
multipliers, i.e. 16 Megabytes is 16M. Defaults to 0 (do not expire).

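A worked model of the two expiration limits, added here and not part of this man page or of flow-tools: parse_size handles the b/K/M/G suffixes of -E, and expire returns the completed files that would have to be removed, oldest first, so that what remains satisfies both limits as the page states them (count strictly below expire_count, bytes strictly below expire_size, 0 meaning no limit). Active 'tmp' files are never candidates. The function names, the FlowFile record and the sample listing are constructed; the file names only follow the page's 'ft'/'tmp' prefix rule.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Suffix multipliers accepted by -E (binary units, as "16 Megabytes is 16M").
MULTIPLIERS = {"b": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text: str) -> int:
    """Parse an -E style size such as '16M' or '5G'; bare digits are bytes."""
    text = text.strip()
    if text and text[-1] in MULTIPLIERS:
        return int(text[:-1]) * MULTIPLIERS[text[-1]]
    return int(text)


@dataclass(frozen=True)
class FlowFile:
    name: str
    size: int    # bytes
    mtime: int   # seconds since the epoch


def expire(files: Iterable[FlowFile], expire_count: int = 0, expire_size: int = 0) -> List[FlowFile]:
    """Return the completed ('ft') files to delete, oldest first, so that the
    retained count is below expire_count and the retained bytes are below
    expire_size. Either limit set to 0 is disabled, as with -e/-E. Active
    'tmp' files are still being written and are never candidates."""
    finished = sorted((f for f in files if f.name.startswith("ft")), key=lambda f: f.mtime)
    kept_count = len(finished)
    kept_size = sum(f.size for f in finished)
    to_delete: List[FlowFile] = []
    for f in finished:  # oldest first
        over_count = expire_count > 0 and kept_count >= expire_count
        over_size = expire_size > 0 and kept_size >= expire_size
        if not (over_count or over_size):
            break
        to_delete.append(f)
        kept_count -= 1
        kept_size -= f.size
    return to_delete


# Constructed sample listing: four finished 15-minute files of 3 MiB each and
# one active file. Names follow only the documented 'ft'/'tmp' prefix rule.
SAMPLE_FILES = [
    FlowFile("ft-v05.2010-08-26.000000+0000", 3 * MULTIPLIERS["M"], 1282780800),
    FlowFile("ft-v05.2010-08-26.001500+0000", 3 * MULTIPLIERS["M"], 1282781700),
    FlowFile("ft-v05.2010-08-26.003000+0000", 3 * MULTIPLIERS["M"], 1282782600),
    FlowFile("ft-v05.2010-08-26.004500+0000", 3 * MULTIPLIERS["M"], 1282783500),
    FlowFile("tmp-v05.2010-08-26.010000+0000", 1 * MULTIPLIERS["M"], 1282784400),
]


if __name__ == "__main__":
    for f in expire(SAMPLE_FILES, expire_count=3, expire_size=parse_size("10M")):
        print("would remove", f.name)
```

The -E5G in the EXAMPLES section corresponds to parse_size("5G"). Note that, like flow-capture itself (see BUGS), this model removes files only and leaves the date directories of the -N layout in place.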
-f filter_fname
Filter list filename. Defaults to /etc/flow-tools/cfg/filter.

-F filter_definition
Select the active definition. Defaults to default.

-h Display help.

-n rotations
Configure the number of times flow-capture will create a new
file per day. The default is 95, or every 15 minutes.

-N nesting_level
Configure the nesting level for storing flow files. The default
is 0.
-3 YYYY/YYYY-MM/YYYY-MM-DD/flow-file
-2 YYYY-MM/YYYY-MM-DD/flow-file
-1 YYYY-MM-DD/flow-file
 0 flow-file
 1 YYYY/flow-file
 2 YYYY/YYYY-MM/flow-file
 3 YYYY/YYYY-MM/YYYY-MM-DD/flow-file

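As an added example, not taken from this man page or from flow-tools, the Python function below reproduces the -N directory table: given a nesting level and a file timestamp, it returns the date-derived directory relative to workdir. The names nested_dir, archive_path and layout_table and the sample timestamp are constructed here; the flow file name is passed in by the caller, since the page only says that finished files begin with 'ft'.

```python
from datetime import datetime
from pathlib import PurePosixPath


def nested_dir(nesting_level: int, when: datetime) -> PurePosixPath:
    """Directory (relative to workdir) for a flow file stamped `when`, following
    the -N table: the candidate components are YYYY, YYYY-MM and YYYY-MM-DD.
    A positive level keeps that many components counted from the top (YYYY
    first); a negative level keeps that many counted from the bottom
    (YYYY-MM-DD first); 0 keeps none, so the file lands in workdir itself."""
    if not -3 <= nesting_level <= 3:
        raise ValueError("nesting level must be between -3 and 3")
    components = [when.strftime("%Y"), when.strftime("%Y-%m"), when.strftime("%Y-%m-%d")]
    chosen = components[:nesting_level] if nesting_level >= 0 else components[nesting_level:]
    return PurePosixPath(*chosen)  # no components gives PurePosixPath("."), i.e. workdir


def archive_path(workdir: str, nesting_level: int, when: datetime, fname: str) -> PurePosixPath:
    """Full path of flow file `fname` under workdir for the given nesting level."""
    return PurePosixPath(workdir) / nested_dir(nesting_level, when) / fname


# Constructed sample timestamp (same date as this man page's footer).
SAMPLE_TS = datetime(2010, 8, 26, 12, 0, 0)


def layout_table(when: datetime = SAMPLE_TS) -> dict:
    """Map each supported nesting level to its directory string for `when`."""
    return {level: str(nested_dir(level, when)) for level in range(-3, 4)}


if __name__ == "__main__":
    for level, path in layout_table().items():
        print(f"{level:>2}  {path}/flow-file")
```

Negative levels are useful when a retention or search script wants the full date in the innermost directory name regardless of how many parent levels exist; positive levels always start with the year.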
-p pidfile
Configure the process ID file. Use - to disable pid file
creation.

-R rotate_program
Execute rotate_program with the first argument as the flow file
name after rotating it.

-S stat_interval
When configured flow-capture will log a timestamped message
every stat_interval minutes indicating counters such as the
number of flows received, packets processed, and lost flows.

-t tag_fname
Load tags from tag_fname.

-T active_def|active_def,active_def...
Use active_def as the active tag definition(s).

-u Preserve inherited umask. By default the umask will be set to
0022.

-V pdu_version
Use pdu_version format output.

1 NetFlow version 1 (No sequence numbers, AS, or mask)
5 NetFlow version 5
6 NetFlow version 6 (5+ Encapsulation size)
7 NetFlow version 7 (Catalyst switches)
8.1 NetFlow AS Aggregation
8.2 NetFlow Proto Port Aggregation
8.3 NetFlow Source Prefix Aggregation
8.4 NetFlow Destination Prefix Aggregation
8.5 NetFlow Prefix Aggregation
8.6 NetFlow Destination (Catalyst switches)
8.7 NetFlow Source Destination (Catalyst switches)
8.8 NetFlow Full Flow (Catalyst switches)
8.9 NetFlow ToS AS Aggregation
8.10 NetFlow ToS Proto Port Aggregation
8.11 NetFlow ToS Source Prefix Aggregation
8.12 NetFlow ToS Destination Prefix Aggregation
8.13 NetFlow ToS Prefix Aggregation
8.14 NetFlow ToS Prefix Port Aggregation
1005 Flow-Tools tagged version 5

-w workdir
Work in workdir.

-x xlate_fname
Translation config file name. Defaults to
/etc/flow-tools/cfg/xlate.cfg.

-X xlate_definition
Translation definition. Defaults to default.

-z z_level
Configure compression level to z_level. 0 is disabled (no
compression), 9 is highest compression.

EXAMPLES
Receive flows from the exporter at 10.0.0.1 port 9800. Maintain 5
Gigabytes of flow files in /flows/krc4. Mask the source and destination
IP addresses contained in the flow exports with 255.255.248.0.

flow-capture -w /flows/krc4 -m 255.255.248.0 -E5G 0/10.0.0.1/9800

Receive flows from any exporter on port 9800. Do not perform any flow
file space management. Store the exports in /flows/krc4. Emit a stat
log message every 5 minutes.

flow-capture -w /flows/krc4 0/0/9800 -S5

BUGS
Empty directories are not removed.

FILES
Configuration files: Tag - /etc/flow-tools/cfg/tag.cfg. Filter -
/etc/flow-tools/cfg/filter.cfg. Xlate - /etc/flow-tools/cfg/xlate.cfg.

AUTHOR
Mark Fullmer <maf@splintered.net>

SEE ALSO
flow-tools(1)



26 August 2010                                                 FLOW-CAPTURE(1)