1SFCAPD(1) BSD General Commands Manual SFCAPD(1)
3
5 sfcapd — sflow collector for sflow version v2/v4 and v5
6
8 sfcapd -w flowdir [-C config] [-z] [-y] [-j] [-D] [-u userid]
9 [-g groupid] [-S num] [-t interval] [-P pidfile] [-p port]
10 [-I ident] [-b bindhost] [-4] [-6] [-j mcastgroup] [-R repeater]
11 [-B buffsize] [-n sourceparam] [-M multiflowdir] [-i metricrate]
12 [-m metricpath] [-e] [-x command] [-E] [-v] [-V]
13
15 sfcapd reads sflow data from the network and stores the records into bi‐
16 nary formated files. The sflow implementation is based of sflowtool. The
17 packet samples are converted into netflow compatible records.
18 If you want to collect netflow data, please have a look at nfcapd which
20 is also part of the nfdump tools.
21 Sflow is an industry standard developed by InMon Corporation. For more
23 information see http://sflow.org.
24 sfcapd is the twin of nfcapd and supports the same feature set. See also
26 nfcapd(1) for more details.
27 The options are as follows:
29 -w flowdir
31 Set the flow directory to store the output files. If a sub hier‐
32 archy is specified with -S the final directory is concatenated to
33 flowdir/subdir.
34 -C config
36 Reads additional configuration parameters from config file.
37 sfcapd tries to read the config file from the install default
38 path $prefix/etc/ which may be overwritten by the environment
39 variable NFCONF , which again is overwritten by this option -C.
40 If -C none is specified, then no config file is read, even if
41 found in the search path.
42 -p portnum
44 Set the port number to listen. Default port is 9995
45 -b bindhost
47 Specifies the hostname/IPv4/IPv6 address to bind for listening.
48 This can be an IP address or a hostname, resolving to a local IP
49 address.
50 -4 Forces sfcapd to listen on IPv4 addresses only. Can be used to‐
52 gether with -b if a hostname has IPv4 and IPv6 addresses.
53 -6 Forces sfcapd to listen on IPv6 addresses only. Can be used to‐
55 gether with -b if a hostname has IPv4 and IPv6 addresses.
56 -J mcastgroup
58 Join the specified IPv4 or IPv6 multicast group for listening.
59 -R host[/port]
61 Enables the packet repeater. All incoming packets are sent addi‐
62 tionally to another host and port. host is either a valid
63 IPv4/IPv6 address, or a symbolic hostname, which resolves to a
64 valid IP address. port may be omitted and defaults to 9995.
65 Note: As IPv4/IPv6 are accepted the host/port separator is '/'.
66 Up to 8 additional repeaters my be defined. Use this methode to
67 daisy chain collectors.
68 -I ident
70 Sets ident as identification string for the current source. This
71 string is written into the output file to identify the source.
72 Default is 'none'. If you have multiple sources, see option -n
73 below.
74 -n ident,IP,flowdir
76 Configures a netflow source identified by the string ident, IP
77 flowdir If you have multiple sources per collector, add multiple
78 -n options. All exporters send the flows to the same port -p. Do
79 not mix single source configuration -I with multiple -n options.
80 -M flowdir
82 Set the flow directory for dynamic allocated exporters. New ex‐
83 porters are dynamically added when sending data. All exporters
84 send netflow data to the same port and IP. For each dynamically
85 added source, a new sub directory is created under flowdir with
86 the name of the IP address of the exporter. All '.' and ':" in IP
87 addresses are replaced be '-'. -D Set daemon mode: fork to back‐
88 ground and detach from terminal. sfcapd terminates on signal
89 TERM, INT or HUP.
90 -P pidfile
92 Writes the running process ID into pidfilw. Use this option to
93 integrate sfcapd in start/stop files.
94 -u userid
96 Drop privileges of running process to user userid. sfcapd needs
97 to be started as user root.
98 -g groupid
100 Drop privileges of running process to group groupid. sfcapd
101 needs to be started as user root.
102 -B bufflen
104 Sets the network socket input buffer to bufflen bytes. For high
105 volume traffic it is recommended to raise this value to typically
106 > 100k, otherwise you risk to lose packets. The default is OS
107 (and kernel) dependent.
108 -S num Adds an additional directory sub hierarchy to store the data
110 files. The default is 0, no sub hierarchy, which means all files
111 go directly into flowdir. The flowdir is concatenated with the
112 specified sub hierarchy format to create the final data direc‐
113 tory. The following hierarchies are defined:
114 0 default no hierarchy levels
115 1 %Y/%m/%d year/month/day
116 2 %Y/%m/%d/%H year/month/day/hour
117 3 %Y/%W/%u year/week_of_year/day_of_week
118 4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
119 5 %Y/%j year/day-of-year
120 6 %Y/%j/%H year/day-of-year/hour
121 7 %Y-%m-%d year-month-day
122 8 %Y-%m-%d/%H year-month-day/hour
123 -t interval
125 Sets the time interval in seconds to rotate files. The default
126 value is 300s ( 5min ). The smallest available interval is 2s.
127 -z Compress flow files with LZO1X-1 compression. Fastest compres‐
129 sion.
130 -y Compress flow files with LZ4 compression. Fast and efficient.
132 -j Compress flow files with bz2 compression. Slow but most effi‐
134 cient. It is not recommended to use bz2 in a real time capturing.
135 -e Sets auto-expire mode. At the end of every rotate interval -t
137 sfcapd runs an expire cycle to delete files according to max
138 lifetime and max filesize as defined by nfexpire(1)
139 -x command
141 At the end of every -t interval and after the file rotate has
142 completed, sfcapd runs the command command. The string for
143 command may contain the following place holders, which are ex‐
144 panded bevore running:
145 %f File name of new data file inluding any sub hierarchy.
146 %d Top flowdir. The full path of the new file is: %d/%f
147 %t Time slot string in ISO format e.g. 201107110845.
148 %u Time slot string in UNIX time format.
149 %i Identification string ident string supplied by -I
150 -m metricpath
152 Enables the flow metric exporter. Flow metric information is sent
153 to the UNIX socket metricpath at the rate specified by -i This
154 option may by used to export flow metric information to other
155 systems such as InfluxDB or Prometheus. Please note: The flow
156 metric does not include the full record. Only the flow statistics
157 is sent.
158 -i metricrate
160 Sets the interval for the flow metric exporter. This interval may
161 be different from the file rotation interval t and is therefore
162 independant from file rotation.
163 -v Increase verbose level by 1. The verbose level may be increased
165 for debugging purpose up to 3.
166 -E Equal to -v -v -v. Print netflow records in block format to std‐
168 out. Please note, that not all elements are printed, which are
169 available in the flow record. To inspect all elements, use nfdump
170 -o raw This option is for debugging purpose only, to verify if
171 incoming netflow data is processed correctly.
172 -V Print sfcapd version and exit.
174 -h Print help text on stdout with all options and exit.
176
178 sfcapd returns 0 on success and 255 if initialization failed.
179
181 http://sflow.org
182 https://sflow.org/developers/licensing.php
184 https://github.com/sflow/sflowtool
186 nfdump(1) nfcapd(1) nfpcapd(1)
188
190 No software without bugs! Please report any bugs back to me.
191BSD February 6, 2023 BSD