nfpcapd(1) nfpcapd(1)

NAME
nfpcapd - pcap capture to netflow daemon

SYNOPSIS
nfpcapd [options]

DESCRIPTION
nfpcapd is the pcap capture daemon of the nfdump tools. It reads network packets from an interface or from a file and directly creates nfdump records. Nfdump records are written either locally to a directory in the same format as nfcapd, or can be forwarded to an nfcapd collector somewhere else in the network. Nfpcapd is nfcapd's pcap brother: it shares many options and generates the same type of files. nfpcapd likewise creates, rotates and stores files. See also nfcapd(1) for more information on the common options.

nfpcapd optionally also stores pcap traffic data in separate files and uses the same rotation interval as for the netflow data. Storing pcap traffic data files is only possible locally.

nfpcapd is multithreaded and uses separate threads for packet, netflow and pcap processing.

OPTIONS
-i interface
Listen on this interface in promiscuous mode for packet processing.

-r file
Read and process packets from this file. This file is a pcap compatible file.

-s snaplen
Limit the snaplen on collected packets. The default is 1522 bytes. The snaplen needs to be large enough to process all required protocols. The snaplen must not be smaller than 54 bytes.

-B cachesize
Sets the number of initial cache nodes required by the flow cache. By default the cache size is set to 512k nodes, which should be fine. If the cache runs out of nodes, new nodes are dynamically added.

-e active,inactive
Sets the active and inactive flow expire values in seconds. The default is 300,60.
Active timeout: A flow gets flushed to disk after this period even if it is still active. As a rule of thumb, it should correspond with the -t rotation value, in order to reflect continuous traffic in the flow files.
Inactive timeout: A flow gets flushed to disk after being inactive for this number of seconds. It frees up node resources.
On busy networks these values can be set to more aggressive timeouts.

-I IdentString ( capital letter i )
Specifies an ident string, which describes the source, e.g. the name of the interface or host. This string is put into the stat record to identify the source. Default is 'none'. Same as nfcapd(1).

-l flowdir ( letter ell )
Specifies the base directory to store the flow files. If a sub hierarchy is specified with -S, the final directory is concatenated to base_directory/sub_hierarchy.

-p pcapdir
Store network packets in pcap compatible files in this directory and rotate files the same as the flow files. Sub hierarchy directories are applied likewise.

-H <host[/port]>
Send nfdump records to a remote nfcapd collector. Default port is 9995.

-S <num>
Allows to specify an additional directory sub hierarchy to store the data files. The default is 0, no sub hierarchy, which means the files go directly in the base directory (-l). The base directory (-l) is concatenated with the specified sub hierarchy format to form the final data directory. For a full list of hierarchies see nfcapd(1).

-t interval
Specifies the time interval in seconds to rotate files. The default value is 300s ( 5min ). The smallest interval can be set to 2s. The intervals are in sync with the wall clock.

-P pidfile
Specify the name of the pidfile. Default is no pidfile.

-D
Daemon mode: fork to background and detach from terminal. Nfpcapd terminates on signal TERM, INT and HUP.

-E
Verbose flow printing. Print flows on stdout when flushed to disk. Use verbose printing only for debugging purposes in order to see if your setup works. Running nfpcapd in verbose mode limits processing bandwidth!

-u userid
Change to the user userid as soon as possible. Only root is allowed to use this option. Uid/Gid is switched after opening the reading device.

-g groupid
Change to the group groupid as soon as possible. Only root is allowed to use this option. Uid/Gid is switched after opening the reading device.

-o option[,option]
Adds options to nfpcapd. Two options are available:
    fat      Add MAC addresses, optional VLAN and MPLS labels.
    payload  Add the payload bytes of the first packet of a connection.

-z=lzo
Compress flows. Use fast LZO1X-1 compression in the output file.

-z=lz4
Compress flows. Use LZ4 compression in the output file.

-z=bz2
Compress flows. Use bz2 compression in the output file. Note: not recommended while collecting.

-V
Print nfpcapd version and exit.

-h
Print help text to stdout with all options and exit.

'<filter>'
Optional pcap compatible packet filter. The filter needs to be put within quotes.

RETURN VALUE
Returns 0 on success, or 255 if initialization failed.

LOGGING
nfpcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal operation level 'error' should be fine. More information is reported at level 'info'.

A small statistic about the collected flows, as well as errors, is reported at the end of every interval to syslog with level 'info'.

EXAMPLES
Read packets from interface eth0:
nfpcapd -i eth0 -j -D -l /netflow/flows -S 2 -I any -P /var/run/nfpcapd.pid

Read packets from interface mx0 and also store packets in pcap files:
nfpcapd -i vmx0 -j -D -l /netflow/flows -p /netflow/caps

Send records to a remote host:
nfpcapd -i eth1 -H 192.168.200.10/12344 -D -e 60,20

NOTES
nfpcapd can store records either locally or send them to a remote host, but not both at the same time.
If records are sent to a remote nfcapd process, both programs nfcapd and nfpcapd must be of the same endian architecture (both big or little endian). nfpcapd uses netflow version 240 for sending flows.

The flow cache is checked in regular 10s intervals and expires flows according to the expire values. Expired flows are flushed and processed, and nodes are freed up.

A smaller snaplen may improve performance, but may result in loss of information. The smallest snaplen of 54 bytes can process regular TCP/UDP/ICMP packets. In case of VLAN or MPLS labels, not enough information may be available for correct protocol decoding. Nfdump records may be incomplete and set to 0.

If IP packets are fragmented, they are reassembled before processing. All IP fragments need to be reassembled in order to be passed to the next stage. If not all fragments are correctly assembled within 15s since the first fragment arrived, all fragments are discarded.

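As an added example (not part of nfdump), a POSIX sh helper that assembles an nfpcapd command line for a service unit and rejects the combinations the OPTIONS and NOTES above rule out: a snaplen below 54 bytes, a rotation interval below 2s, and -l together with -H. The function name, the nfdump user and group names and the pidfile path are assumptions; it prints the command and does not start the daemon.

```shell
#!/bin/sh
# Added example, not nfdump code: build a sanity-checked nfpcapd command line.
# usage: nfpcapd_cmd <iface> <snaplen> <rotate_s> <active_s> <inactive_s> \
#                    <flowdir|-> <host[/port]|-> <user> <group> <pidfile>
# A "-" for flowdir or host means "not used".
nfpcapd_cmd() {
    iface=$1; snaplen=$2; rotate=$3; active=$4; inactive=$5
    flowdir=$6; remote=$7; user=$8; group=$9; pidfile=${10}

    # -s: the snaplen must not be smaller than 54 bytes.
    [ "$snaplen" -ge 54 ] || { echo "snaplen $snaplen < 54" >&2; return 1; }
    # -t: the smallest rotation interval is 2s.
    [ "$rotate" -ge 2 ] || { echo "rotation $rotate < 2s" >&2; return 1; }
    # -e: the active timeout should correspond with -t; warn, do not fail.
    [ "$active" -eq "$rotate" ] || \
        echo "warning: active timeout $active differs from -t $rotate" >&2
    # NOTES: records go either to a local directory (-l) or to a remote
    # collector (-H), never both, and at least one must be given.
    if [ "$flowdir" != "-" ] && [ "$remote" != "-" ]; then
        echo "choose either -l or -H, not both" >&2; return 1
    fi
    if [ "$flowdir" = "-" ] && [ "$remote" = "-" ]; then
        echo "need one of -l or -H" >&2; return 1
    fi

    cmd="nfpcapd -i $iface -s $snaplen -t $rotate -e $active,$inactive"
    # Local files: compress with LZ4 (fast, unlike bz2 while collecting).
    [ "$flowdir" != "-" ] && cmd="$cmd -l $flowdir -z=lz4"
    [ "$remote" != "-" ] && cmd="$cmd -H $remote"
    # Drop root as soon as possible (-u/-g), write a pidfile for the
    # service manager (-P) and detach (-D).
    cmd="$cmd -u $user -g $group -P $pidfile -D"
    printf '%s\n' "$cmd"
}
```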
SEE ALSO
nfcapd(1), nfdump(1), nfexpire(1)

BUGS
No software without bugs! Please report any bugs back to me.

2023-05-23 nfpcapd(1)