nfpcapd(1)                                                          nfpcapd(1)

NAME

       nfpcapd - pcap capture to netflow daemon

SYNOPSIS

       nfpcapd [options]

DESCRIPTION

       nfpcapd is the pcap capture daemon of the nfdump tools. It reads network
       packets from an interface or from a file and directly creates nfdump
       records. Nfdump records are written either locally to a directory in
       the same format as nfcapd, or can be forwarded to a nfcapd collector
       somewhere else in the network. Nfpcapd is nfcapd's pcap brother and
       shares many options and generates the same type of files. nfpcapd
       likewise creates, rotates and stores files. See also nfcapd(1) for more
       information on common options.

       nfpcapd optionally also stores pcap traffic data in separate files and
       uses the same rotation interval as for the netflow data. Storing pcap
       traffic data files is only possible locally.

       nfpcapd is multithreaded and uses separate threads for packet, netflow
       and pcap processing.

OPTIONS

       -i interface
          Listen on this interface in promiscuous mode for packet processing.

       -r file
          Read and process packets from this file. This file is a pcap
          compatible file.

       -s snaplen
          Limit the snaplen on collected packets. The default is 1522 bytes.
          The snaplen needs to be large enough to process all required
          protocols. The snaplen must not be smaller than 54 bytes.

       -B cachesize
          Sets the number of initial cache nodes required by the flow cache.
          By default the cache size is set to 512k nodes, which should be
          fine. If the cache runs out of nodes, new nodes are dynamically
          added.

       -e active,inactive
          Sets the active and inactive flow expire values in seconds. The
          default is 300,60.
          Active timeout: A flow gets flushed to disk after this period even
          if it is still active. As a rule of thumb, it should correspond
          with the -t rotation value, in order to reflect continuous traffic
          in the flow files.
          Inactive timeout: A flow gets flushed to disk after being inactive
          for this number of seconds. It frees up node resources.
          On busy networks these values can be set to more aggressive
          timeouts.

       -I IdentString ( capital letter i )
          Specifies an ident string, which describes the source, e.g. the
          name of the interface or host. This string is put into the stat
          record to identify the source. Default is 'none'. Same as nfcapd(1).

       -l flowdir ( letter ell )
          Specifies the base directory to store the flow files. If a sub
          hierarchy is specified with -S, the final directory is concatenated
          to base_directory/sub_hierarchy.

       -p pcapdir
          Store network packets in pcap compatible files in this directory and
          rotate files the same as the flow files. Sub hierarchy directories
          are applied likewise.

       -H <host[/port]>
          Send nfdump records to a remote nfcapd collector. Default port is
          9995.

       -S <num>
          Allows to specify an additional directory sub hierarchy to store the
          data files. The default is 0, no sub hierarchy, which means the
          files go directly in the base directory (-l). The base directory
          (-l) is concatenated with the specified sub hierarchy format to form
          the final data directory. For a full list of hierarchies see
          nfcapd(1).

       -t interval
          Specifies the time interval in seconds to rotate files. The default
          value is 300s ( 5min ). The smallest interval can be set to 2s. The
          intervals are in sync with the wall clock.

       -P pidfile
          Specify the name of the pidfile. Default is no pidfile.

       -D Daemon mode: fork to background and detach from terminal. Nfpcapd
          terminates on signal TERM, INT and HUP.

       -E Verbose flow printing. Print flows on stdout when flushed to disk.
          Use verbose printing only for debugging purposes in order to see if
          your setup works. Running nfpcapd in verbose mode limits processing
          bandwidth!

       -u userid
          Change to the user userid as soon as possible. Only root is allowed
          to use this option. Uid/Gid is switched after opening the reading
          device.

       -g groupid
          Change to the group groupid as soon as possible. Only root is
          allowed to use this option. Uid/Gid is switched after opening the
          reading device.

       -o option[,option]
          Adds options to nfpcapd. Two options are available:
          fat       Add MAC addresses, optional VLAN and MPLS labels.
          payload   Add the payload bytes of the first packet of a connection.

       -z=lzo
          Compress flows. Use fast LZO1X-1 compression in output file.

       -z=lz4
          Compress flows. Use LZ4 compression in output file.

       -z=bz2
          Compress flows. Use bz2 compression in output file. Note: not
          recommended while collecting.

       -V Print nfpcapd version and exit.

       -h Print help text to stdout with all options and exit.

       '<filter>'
          Optional pcap compatible packet filter. The filter needs to be put
          within quotes.

RETURN VALUE

       Returns 0 on success, or 255 if initialization failed.

LOGGING

       nfpcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal
       operation level 'error' should be fine. More information is reported at
       level 'info'.

       A small statistic about the collected flows, as well as errors, is
       reported at the end of every interval to syslog with level 'info'.

EXAMPLES

       Read packets from interface eth0
              nfpcapd -i eth0 -j -D -l /netflow/flows -S 2 -I any -P /var/run/nfpcapd.pid

       Read packets from interface vmx0 and also store packets in pcap files.
              nfpcapd -i vmx0 -j -D -l /netflow/flows -p /netflow/caps

       Send records to a remote host
              nfpcapd -i eth1 -H 192.168.200.10/12344 -D -e 60,20

NOTES

       nfpcapd can store records either locally or send them to a remote host
       but not both at the same time.
       If records are sent to a remote nfcapd process, both programs nfcapd
       and nfpcapd must be of the same endian architecture (both big or little
       endian). nfpcapd uses netflow version 240 for sending flows.

       The flow cache is checked in regular 10s intervals and expires flows
       according to the expire values. Expired flows are flushed and processed
       and nodes are freed up.

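       The expiry behaviour of -e active,inactive combined with the 10s cache
       scan above, as an added Python example that is not nfdump code: a toy
       flow cache fed with constructed traffic (a long-lived SSH session and one
       DNS query), showing how a continuous connection is split into one record
       per active timeout while an idle flow is freed after the inactive
       timeout. The FlowCache class, the addresses and the timestamps are all
       assumptions made for illustration.

```python
# Added example (not nfdump code): a toy model of the nfpcapd flow cache
# expiry described under "-e active,inactive". Timestamps are packet arrival
# times in seconds; the cache is scanned every CHECK_INTERVAL seconds.
CHECK_INTERVAL = 10  # nfpcapd checks the cache in regular 10s intervals

class FlowCache:
    def __init__(self, active=300, inactive=60):   # defaults match -e 300,60
        self.active, self.inactive = active, inactive
        self.nodes = {}       # flow key -> [first_seen, last_seen, packets]
        self.flushed = []     # records "flushed to disk": (key, first, last, packets)
        self.next_check = CHECK_INTERVAL

    def packet(self, key, ts):
        # run every cache scan that falls before this packet, then account for it
        self._expire_until(ts)
        node = self.nodes.get(key)
        if node is None:
            self.nodes[key] = [ts, ts, 1]        # new node opens a new flow
        else:
            node[1], node[2] = ts, node[2] + 1

    def _expire_until(self, now):
        while self.next_check <= now:
            self._scan(self.next_check)
            self.next_check += CHECK_INTERVAL

    def _scan(self, now):
        # inactive: no packet for `inactive` s; active: flow older than `active` s
        for key, (first, last, pkts) in list(self.nodes.items()):
            if now - last >= self.inactive or now - first >= self.active:
                self.flushed.append((key, first, last, pkts))
                del self.nodes[key]               # node freed; later packets start a new flow

    def finish(self, now):
        self._expire_until(now)
        return self.flushed

def demo():
    # Constructed traffic: a 10-minute SSH session sending one packet every
    # 20 s, plus a single DNS query; addresses are made up for illustration.
    cache = FlowCache(active=300, inactive=60)
    ssh = ("10.0.0.5", 54321, "10.0.0.9", 22, 6)
    dns = ("10.0.0.5", 40000, "10.0.0.1", 53, 17)
    cache.packet(ssh, 0)
    cache.packet(dns, 5)
    for ts in range(20, 601, 20):
        cache.packet(ssh, ts)
    return cache.finish(700)
```

       With the defaults, demo() yields the DNS flow (freed 60s after its only
       packet) and three SSH records (0-280s, 300-580s and a tail flow), which
       is why the active timeout should match the -t rotation interval.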
       A smaller snaplen may improve performance, but may result in loss of
       information. The smallest snaplen of 54 bytes can process regular
       TCP/UDP/ICMP packets. In case of VLAN or MPLS labels, not enough
       information may be available for correct protocol decoding. Nfdump
       records may be incomplete and set to 0.

       If IP packets are fragmented, they are reassembled before processing.
       All IP fragments need to be reassembled in order to be passed to the
       next stage. If not all fragments are correctly assembled within 15s
       since the first fragment arrived, all fragments are discarded.

SEE ALSO

       nfcapd(1), nfdump(1), nfexpire(1)

BUGS

       No software without bugs! Please report any bugs back to me.


                                  2023-05-23                        nfpcapd(1)