nfpcapd(1)                                                          nfpcapd(1)

NAME

       nfpcapd - pcap capture to netflow daemon

SYNOPSIS

       nfpcapd [options]

DESCRIPTION

       nfpcapd is the pcap capture daemon of the nfdump tools. It reads network
       packets from an interface or from a file and directly creates nfdump
       records. Nfdump records are written either locally to a directory in the
       same format as nfcapd, or can be forwarded to an nfcapd collector
       somewhere else in the network. Nfpcapd is nfcapd's pcap brother: it
       shares many options and generates the same type of files. nfpcapd
       likewise creates, rotates and stores files. See also nfcapd(1) for more
       information on the common options.

       nfpcapd optionally also stores pcap traffic data in separate files and
       uses the same rotation interval as for the netflow data. Storing pcap
       traffic data files is only possible locally.

       nfpcapd is multithreaded and uses separate threads for packet, netflow
       and pcap processing.

OPTIONS

       -i interface
          Listen on this interface in promiscuous mode for packet processing.

       -r file
          Read and process packets from this file. This file is a pcap
          compatible file.

       -s snaplen
          Limit the snaplen on collected packets. The default is 1522 bytes.
          The snaplen needs to be large enough to process all required
          protocols. The snaplen must not be smaller than 54 bytes.

       -B cachesize
          Sets the number of initial cache nodes required by the flow cache.
          By default the cache size is set to 512k nodes, which should be
          fine. If the cache runs out of nodes, new nodes are dynamically
          added.

       -e active,inactive
          Sets the active and inactive flow expire values in seconds. The
          default is 300,60.
          Active timeout: A flow gets flushed to disk after this period even
          if it is still active. As a rule of thumb, it should correspond with
          the -t rotation value, in order to reflect continuous traffic in the
          flow files.
          Inactive timeout: A flow gets flushed to disk after being inactive
          for this number of seconds. It frees up node resources.
          On busy networks these values can be set to more aggressive
          timeouts.

       -I IdentString ( capital letter i )
          Specifies an ident string, which describes the source, e.g. the name
          of the interface or host. This string is put into the stat record to
          identify the source. Default is 'none'. Same as in nfcapd(1).

       -l flowdir ( letter ell )
          Specifies the base directory to store the flow files. If a sub
          hierarchy is specified with -S, the final directory is
          base_directory/sub_hierarchy.

       -p pcapdir
          Store network packets in pcap compatible files in this directory and
          rotate the files the same way as the flow files. Sub hierarchy
          directories are applied likewise.

       -H <host[/port]>
          Send nfdump records to a remote nfcapd collector. The default port is
          9995.

       -S <num>
          Specifies an additional directory sub hierarchy to store the data
          files. The default is 0, no sub hierarchy, which means the files go
          directly into the base directory (-l). The base directory (-l) is
          concatenated with the specified sub hierarchy format to form the
          final data directory. For a full list of hierarchies see nfcapd(1).

       -t interval
          Specifies the time interval in seconds to rotate files. The default
          value is 300s ( 5min ). The smallest interval that can be set is 2s.
          The intervals are in sync with the wall clock.

       -P pidfile
          Specify the name of the pidfile. Default is no pidfile.

       -D Daemon mode: fork to background and detach from terminal. Nfpcapd
          terminates on signal TERM, INT and HUP.

       -E Verbose flow printing. Print flows on stdout when they are flushed to
          disk. Use verbose printing only for debugging purposes, in order to
          see if your setup works. Running nfpcapd in verbose mode limits the
          processing bandwidth!

       -u userid
          Change to the user userid as soon as possible. Only root is allowed
          to use this option. Uid/Gid is switched after opening the reading
          device.

       -g groupid
          Change to the group groupid as soon as possible. Only root is allowed
          to use this option. Uid/Gid is switched after opening the reading
          device.

       -o option[,option]
          Adds options to nfpcapd. Two options are available:
          fat       Add MAC addresses, and optional VLAN and MPLS labels.
          payload   Add the payload bytes of the first packet of a connection.

       -j Compress flows. Use bz2 compression in the output file. Note: not
          recommended while collecting.

       -y Compress flows. Use LZ4 compression in the output file.

       -z Compress flows. Use fast LZO1X-1 compression in the output file.

       -V Print nfpcapd version and exit.

       -h Print help text to stdout with all options and exit.

       '<filter>'
          Optional pcap compatible packet filter. The filter needs to be put
          within quotes.

RETURN VALUE

       Returns 0 on success, or 255 if initialization failed.

LOGGING

       nfpcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal
       operation level 'error' should be fine. More information is reported at
       level 'info'.

       Brief statistics about the collected flows, as well as errors, are
       reported at the end of every interval to syslog with level 'info'.

EXAMPLES

       Read packets from interface eth0
              nfpcapd -i eth0 -j -D -l /netflow/flows -S 2 -I any -P
              /var/run/nfpcapd.pid

       Read packets from interface vmx0 and also store the packets in pcap
       files.
              nfpcapd -i vmx0 -j -D -l /netflow/flows -p /netflow/caps

       Send records to a remote host
              nfpcapd -i eth1 -H 192.168.200.10/12344 -D -e 60,20

NOTES

       nfpcapd can store records either locally or send them to a remote host,
       but not both at the same time.
       If records are sent to a remote nfcapd process, both programs nfcapd
       and nfpcapd must be of the same endian architecture (both big or little
       endian). nfpcapd uses netflow version 240 for sending flows.

       The flow cache is checked in regular 10s intervals and expires flows
       according to the expire values. Expired flows are flushed and processed
       and nodes are freed up.

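       The active/inactive expiry described under -e and in the paragraph
       above, modelled in Python as an added illustration (not nfpcapd's own
       code): a flow cache swept every 10 s that flushes a flow once it has
       been idle for the inactive timeout or alive for the active timeout. The
       5-tuple keys, timestamps and packet sizes are constructed sample data;
       the real cache layout of nfpcapd is not reproduced.

```python
from collections import namedtuple

SWEEP_INTERVAL = 10  # the cache is checked every 10 s (see NOTES)

# first/last are the timestamps of the first and most recent packet of the flow
Flow = namedtuple("Flow", "first last packets bytes")


class FlowCache:
    def __init__(self, active=300, inactive=60):  # man page defaults
        self.active, self.inactive = active, inactive
        self.flows = {}  # 5-tuple key -> Flow

    def add_packet(self, key, ts, size):
        f = self.flows.get(key) or Flow(ts, ts, 0, 0)
        self.flows[key] = Flow(f.first, ts, f.packets + 1, f.bytes + size)

    def sweep(self, now):
        """Flush expired flows; returns [(key, flow, reason)]."""
        out = []
        for key, f in list(self.flows.items()):
            if now - f.last >= self.inactive:    # idle for too long
                out.append((key, self.flows.pop(key), "inactive"))
            elif now - f.first >= self.active:   # alive for too long
                out.append((key, self.flows.pop(key), "active"))
        return out


def simulate(active, inactive, packets, end):
    """Replay (ts, key, size) packets with a sweep every 10 s until `end`;
    returns [(sweep_time, key, flow, reason)] in flush order."""
    cache = FlowCache(active, inactive)
    flushed, next_sweep = [], SWEEP_INTERVAL
    for ts, key, size in sorted(packets, key=lambda p: p[0]):
        while next_sweep <= ts:  # run every sweep that is due before this packet
            flushed += [(next_sweep,) + e for e in cache.sweep(next_sweep)]
            next_sweep += SWEEP_INTERVAL
        cache.add_packet(key, ts, size)
    while next_sweep <= end:     # drain the sweeps after the last packet
        flushed += [(next_sweep,) + e for e in cache.sweep(next_sweep)]
        next_sweep += SWEEP_INTERVAL
    return flushed


# Constructed sample traffic: a 95 s TCP session and a two-packet DNS exchange.
TCP = ("10.0.0.1", "10.0.0.2", 6, 40000, 443)
DNS = ("10.0.0.3", "10.0.0.9", 17, 5353, 53)
SAMPLE = [(0, DNS, 80), (1, DNS, 200)] + [(t, TCP, 1500) for t in range(0, 100, 5)]

if __name__ == "__main__":
    for when, key, flow, why in simulate(60, 20, SAMPLE, 120):
        print(f"t={when:>3}s {key[0]}->{key[1]} {flow.packets} pkts ({why})")
```

       With -e 60,20 the TCP session is cut into two records (one active
       flush at 60 s, one inactive flush at 120 s), while the defaults of
       300,60 keep it as a single open flow for the whole run.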
       A smaller snaplen may improve performance, but may result in loss of
       information. The smallest snaplen of 54 bytes can process regular
       TCP/UDP/ICMP packets. In case of VLAN or MPLS labels, not enough
       information may be available for correct protocol decoding. Nfdump
       records may be incomplete and fields set to 0.

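       Why 54 bytes is the floor for plain Ethernet/IPv4/TCP, and why VLAN or
       MPLS headers push a frame past it, as an added example that is not part
       of nfpcapd: a small header walker computes where the TCP/UDP/ICMP
       header of an Ethernet/IPv4 frame ends and checks that offset against a
       snaplen. The frames come from the constructed build_frame() helper;
       the walker assumes IPv4 follows an MPLS stack and ignores IPv6, which
       nfpcapd's own decoder may treat differently.

```python
import struct

ETH_P_8021Q, ETH_P_MPLS_UC, ETH_P_IP = 0x8100, 0x8847, 0x0800
L4_HEADER = {6: 20, 17: 8, 1: 8}  # TCP, UDP, ICMP header lengths in bytes


def l4_header_end(frame):
    """Offset at which the transport header of an Ethernet/IPv4 frame ends,
    walking any 802.1Q tags and MPLS labels in front of the IP header."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    while ethertype == ETH_P_8021Q:          # 802.1Q tag: TCI then next ethertype
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype == ETH_P_MPLS_UC:           # MPLS label stack, 4 bytes per label
        bottom = 0
        while not bottom:
            bottom = struct.unpack_from("!I", frame, off)[0] & 0x100  # S bit
            off += 4
        ethertype = ETH_P_IP                 # assumption: IPv4 follows the stack
    if ethertype != ETH_P_IP:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ihl = (frame[off] & 0x0F) * 4            # IPv4 header length from IHL
    proto = frame[off + 9]
    if proto not in L4_HEADER:
        raise ValueError(f"unsupported IP protocol {proto}")
    return off + ihl + L4_HEADER[proto]


def fits_snaplen(frame, snaplen):
    """True if a capture cut at `snaplen` still holds the complete L4 header."""
    return l4_header_end(frame) <= snaplen


def build_frame(vlans=0, mpls=0, proto=6):
    """Construct a minimal Ethernet/IPv4 frame with the given tag stack
    (sample data: zero MAC and IP addresses, IHL=5, empty L4 header)."""
    frame = b"\x00" * 12
    frame += struct.pack("!HH", ETH_P_8021Q, 0x0001) * vlans        # TPID + TCI
    if mpls:
        frame += struct.pack("!H", ETH_P_MPLS_UC)
        for i in range(mpls):                                        # S bit on last
            frame += struct.pack("!I", (100 + i) << 12 | (0x100 if i == mpls - 1 else 0))
    else:
        frame += struct.pack("!H", ETH_P_IP)
    ip = bytes([0x45]) + b"\x00" * 8 + bytes([proto]) + b"\x00" * 10  # 20-byte IPv4
    return frame + ip + b"\x00" * L4_HEADER[proto]
```

       An untagged TCP frame ends its transport header exactly at byte 54; a
       single 802.1Q tag or MPLS label moves that to 58, so a 54-byte snaplen
       truncates the TCP header and the ports cannot be decoded.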
       If IP packets are fragmented, they are reassembled before processing.
       All IP fragments need to be reassembled in order to be passed to the
       next stage. If not all fragments are correctly assembled within 15s
       since the first fragment arrived, all fragments are discarded.


SEE ALSO

       nfcapd(1), nfdump(1), nfexpire(1)

BUGS

       No software without bugs! Please report any bugs back to me.



                                 2021-05-23                        nfpcapd(1)