sfcapd(1)                                                            sfcapd(1)

NAME

       sfcapd - sflow capture daemon

SYNOPSIS

       sfcapd [options]

DESCRIPTION

       sfcapd is the sflow capture daemon of the nfdump tools. It reads sflow
       data from the network and stores it into nfcapd compatible files. The
       output file is automatically rotated and renamed every n minutes -
       typically 5 min - according to the timestamp YYYYMMddhhmm of the
       interval, e.g. nfcapd.201907110845 contains the data from July 11th
       2019 08:45 onward. sfcapd supports sFlow version 4 and 5 datagrams. If
       the time interval is smaller than 60s, the naming extends to seconds,
       e.g. nfcapd.20190711084510.

       Sflow is an industry standard developed by InMon Corporation. For more
       information see http://sflow.org.

OPTIONS

       -p portnum
          Specifies the port number to listen on. Default port is 6343.

       -b bindhost
          Specifies the hostname/IPv4/IPv6 address to bind for listening. Can
          be an IP address or a hostname, resolving to an IP address attached
          to an interface. Defaults to any available IPv4 interface, if not
          specified.

       -4 Forces sfcapd to listen on IPv4 addresses only. Can be used together
          with -b if a hostname has an IPv4 and IPv6 address record. Depending
          on the socket implementation -6 also accepts IPv4 data.

       -6 Forces sfcapd to listen on IPv6 addresses only. Can be used together
          with -b if a hostname has an IPv4 and IPv6 address record.

       -j MulticastGroup
          Join the specified IPv4 or IPv6 multicast group for listening.

       -R host[/port]
          Enable packet repeater. Send all incoming packets to another host
          and port. host is either a valid IPv4/IPv6 address, or a valid
          symbolic hostname, which resolves to an IPv6 or IPv4 address. port
          may be omitted and defaults to port 6343. Note: Because both IPv4
          and IPv6 addresses are accepted, the port separator is '/'. Up to 8
          repeaters may be defined.

       -I IdentString ( capital letter i )
          Specifies an ident string, which describes the source e.g. the name
          of the router. This string is put into the stat record to identify
          the source. Default is 'none'. This is for compatibility with nfdump
          1.5.x and used to specify a single sflow source. See -n.

       -l base_directory ( letter ell )
          Specifies the base directory to store the output files. If a sub
          hierarchy is specified with -S the final directory is concatenated
          to base_directory/sub_hierarchy. This is for compatibility with
          nfdump 1.5.x and used to specify a single sflow source. See -n.

       -n <Ident,IP,base_directory>
          Configures an sflow source named Ident and identified by source IP
          address IP. The base directory for the flow files is
          base_directory. If a sub hierarchy is specified with -S the final
          directory is concatenated to base_directory/sub_hierarchy. Multiple
          netflow sources can be specified. All data is sent to the same port
          specified by -p. Note: You must not mix the -n option with -I and
          -l. Use either syntax.

       -N <file>
          Specifies the file to read to add multiple netflow sources. The file
          is expected to contain one netflow source per line based on the same
          syntax as the -n option. Comments are not interpreted. Ident
          collisions are not handled if -N is specified multiple times.

       -f <pcap_file>
          Read sflow packets from a given pcap_file instead of the network.
          This requires sfcapd to be compiled with the pcap option and is
          intended for debugging only.

       -S <num>
          Specifies an additional directory sub hierarchy to store the data
          files. The default is 0, no sub hierarchy, which means the files go
          directly in the base directory (-l). The base directory (-l) is
          concatenated with the specified sub hierarchy format to form the
          final data directory. The following hierarchies are defined:
            0 default     no hierarchy levels
            1 %Y/%m/%d    year/month/day
            2 %Y/%m/%d/%H year/month/day/hour
            3 %Y/%W/%u    year/week_of_year/day_of_week
            4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
            5 %Y/%W/%u    year/week_of_year/day_of_week
            6 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
            7 %Y/%j       year/day-of-year
            8 %Y/%j/%H    year/day-of-year/hour
            9 %Y-%m-%d    year-month-day
           10 %Y-%m-%d/%H year-month-day/hour

       -T <extension list>
          Specifies the list of extensions to be stored in the flow file.
          Regardless of the extension list, the following sflow data is stored
          per record: first, last, fwd status, tcp flags, proto, (src)tos, src
          port, dst port, src ipaddr, dst ipaddr, in(packets), in(bytes). In
          addition sfcapd recognises the extensions as described below.

          Extensions:
           sflow extensions:
            1 input/output interface SNMP numbers.
            2 src/dst AS numbers.
            3 src/dst mask, (dst)TOS, direction,
            4 Next hop IP addr
            5 BGP next hop IP addr
            6 src/dst vlan id labels
           10 in_src/out_dst MAC address
           By default extension 1 and 2 are selected, which provides
           compatibility with earlier nfdump versions. Extensions can be
           added/deleted by specifying a ',' separated list of extension ids.
           Each id may be prepended by an optional sign +/- to add or remove a
           given id from the extension list. The string 'all' means all
           extensions. Extensions 7-9 are not available for sfcapd.
           Examples:
           -T all       Enables all possible extensions.
           -T +3,+4     Adds extensions 3 and 4 to the defaults 1 and 2.
           -T all,-5,-6 Set all extensions but 5 and 6
           -T -1,4      Removes default extension 1 and adds extension 4
           Note: Extensions are shared with the netflow collector nfcapd.
           Sflow as well as netflow data is stored in the same type of
           extensions.

       -t interval
          Specifies the time interval in seconds to rotate files. The default
          value is 300s ( 5min ). The smallest interval can be set to 2s.

       -w Align file rotation with next n minute ( specified by -t ) interval.
          Example: If interval is 5 min, sync at 0,5,10... wall clock minutes.
          Default: no alignment.

       -x cmd
          Run command cmd at the end of every interval, when a new file
          becomes available. The following command expansion is available:
           %f   Replaced by the file name e.g. nfcapd.200407110845 including
                any sub hierarchy. ( 2004/07/11/nfcapd.200407110845 )
           %d   Replaced by the directory where the file is located.
           %t   Replaced by the time ISO format e.g. 200407110845.
           %u   Replaced by the UNIX time format.
           %i   Replaced by the ident string given by -I.

       -e Auto expire files at every cycle. max lifetime and max filesize are
          defined using nfexpire(1).

       -P pidfile
          Specify name of pidfile. Default is no pidfile.

       -D Daemon mode: fork to background and detach from terminal. Nfcapd
          terminates on signal TERM, INT and HUP.

       -u userid
          Change to the user userid as soon as possible. Only root is allowed
          to use this option.

       -g groupid
          Change to the group groupid as soon as possible. Only root is
          allowed to use this option.

       -B bufflen
          Specifies the socket input buffer length in bytes. For high volume
          traffic ( near GB traffic ) it is recommended to set this value as
          high as possible ( typically > 100k ), otherwise you risk losing
          packets. The default is OS ( and kernel ) dependent.

       -E Print data records in nfdump raw format to stdout. This option is
          for debugging purposes only, to see how incoming sflow data is
          processed and stored.

       -j Compress flows. Use bz2 compression in output file. Note: not
          recommended while collecting.

       -z Compress flows. Use fast LZO1X-1 compression in output file.

       -V Print sfcapd version and exit.

       -h Print help text to stdout with all options and exit.
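To find which rotated files cover a time window, for instance when pulling flow data for an incident, the naming rule from DESCRIPTION can be combined with the -t interval and the -S formats. The following Python code is an added example, not part of nfdump; its function names are hypothetical, and it assumes -w aligned rotation, naive datetimes in the collector's local time, an interval that divides a day evenly, and a sub directory derived from the interval start.

```python
from datetime import datetime, timedelta
import posixpath

# Sub hierarchy formats copied from the -S table on this page (key = <num>).
SUBDIR_FORMATS = {
    0: "", 1: "%Y/%m/%d", 2: "%Y/%m/%d/%H", 3: "%Y/%W/%u", 4: "%Y/%W/%u/%H",
    5: "%Y/%W/%u", 6: "%Y/%W/%u/%H", 7: "%Y/%j", 8: "%Y/%j/%H",
    9: "%Y-%m-%d", 10: "%Y-%m-%d/%H",
}

def interval_start(event, interval):
    """Round a local-time datetime down to the start of its rotation interval."""
    midnight = event.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = int((event - midnight).total_seconds())
    return midnight + timedelta(seconds=elapsed - elapsed % interval)

def capture_file(start, base_dir, interval=300, subdir=0):
    """Path of the file whose interval begins at `start`."""
    # The file name gains seconds when the interval is below 60s.
    stamp = "%Y%m%d%H%M" + ("%S" if interval < 60 else "")
    parts = [base_dir]
    if SUBDIR_FORMATS[subdir]:
        # Assumption: the sub directory is derived from the interval start.
        parts.append(start.strftime(SUBDIR_FORMATS[subdir]))
    parts.append("nfcapd." + start.strftime(stamp))
    return posixpath.join(*parts)

def files_for_window(first, last, base_dir, interval=300, subdir=0):
    """List every rotated file that can hold flows between `first` and `last`."""
    if interval < 2 or 86400 % interval:
        raise ValueError("interval must be >= 2s and divide a day evenly")
    if subdir not in SUBDIR_FORMATS:
        raise ValueError("unknown -S sub hierarchy: %r" % (subdir,))
    t, paths = interval_start(first, interval), []
    while t <= last:
        paths.append(capture_file(t, base_dir, interval, subdir))
        t += timedelta(seconds=interval)
    return paths

if __name__ == "__main__":
    # Constructed incident window, not taken from real data.
    for path in files_for_window(datetime(2019, 7, 11, 8, 47, 31),
                                 datetime(2019, 7, 11, 8, 56, 0),
                                 "/data/spool/router1", interval=300, subdir=1):
        print(path)
```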

RETURN VALUE

       Returns 0 on success, or 255 if initialization failed.

LOGGING

       sfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal
       operation level 'warning' should be fine. More information is reported
       at level 'info' and 'debug'.

       A small statistic about the collected flows, as well as errors, is
       reported at the end of every interval to syslog with level 'info'.

EXAMPLES

       Compatible with old sfcapd 1.5.x:
              sfcapd -w -D -l /data/spool/router1 -p 6343 -B 128000 -I router1 \
              -x '/path/some_app -r %d/%f'  -P /var/run/sfcapd/sfcapd.router1

       Selectively enabled sender:
              sfcapd -Tall -w -D  -n  router1,192.168.1.10,/data/spool/router1 \
              -p 6343 -B 128000 -P /var/run/sfcapd/sfcapd.router1
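Because a -N file is read without comment handling or ident collision checks, it is worth validating before the daemon is started. The following Python code is an added example, not part of nfdump: the function name and the sample entries are constructed, and treating a repeated source IP as a problem is an assumption of this check, not documented sfcapd behaviour.

```python
import ipaddress

def lint_sources(text):
    """Check the contents of a -N sources file (one Ident,IP,base_directory
    per line). Returns (sources, problems); problems are (line, message)."""
    sources, problems = [], []
    seen_ident, seen_ip = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            # The man page states that comments are not interpreted.
            problems.append((lineno, "comment lines are not interpreted"))
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            problems.append((lineno, "expected Ident,IP,base_directory"))
            continue
        ident, ip_text, base_dir = fields
        try:
            # Parsing normalises equivalent spellings of an IPv6 address.
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append((lineno, "invalid source IP %r" % ip_text))
            continue
        ok = True
        for what, key, seen in (("ident", ident, seen_ident),
                                ("source IP", ip, seen_ip)):
            first = seen.setdefault(key, lineno)
            if first != lineno:
                problems.append(
                    (lineno, "%s %s already used on line %d" % (what, key, first)))
                ok = False
        if ok:
            sources.append((ident, str(ip), base_dir))
    return sources, problems

# Constructed sample file contents, not taken from a real deployment.
SAMPLE = """\
router1,192.168.1.10,/data/spool/router1
# core switches
switch1,2001:db8::10,/data/spool/switch1
router1,192.168.1.11,/data/spool/router1b
switch2,192.168.1.300,/data/spool/switch2
switch3,192.168.1.10,/data/spool/switch3
edge1,192.168.1.20
"""

if __name__ == "__main__":
    for lineno, message in lint_sources(SAMPLE)[1]:
        print("line %d: %s" % (lineno, message))
```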

NOTES

       sfcapd automatically scales the packets and bytes according to the
       sampling rate.

       Even with sflow version 4 and 5 support, not all available sflow
       elements are stored in the data files. As of this version, sfcapd
       supports the same shared fields as extensions as its netflow companion
       nfcapd for netflow version v9. See nfcapd(1). More fields will be
       supported in future.

       The format of the data files is version independent and compatible
       with nfcapd collected data.

       Socket buffer: Setting the socket buffer size is system dependent.
       When starting up, sfcapd returns the number of bytes the buffer was
       actually set to. This is done by reading back the buffer size and may
       differ from what you requested.

SEE ALSO

       nfcapd(1), nfdump(1), nfprofile(1), nfreplay(1)



                                  2009-09-09                         sfcapd(1)