Provided by: nfdump_1.6.23-1_amd64

NAME

       nfcapd - netflow capture daemon

SYNOPSIS

       nfcapd [options]

DESCRIPTION

       nfcapd is the netflow capture daemon of the nfdump tools. It reads netflow data from the
       network and stores it into files. The output file is automatically rotated and renamed
       every n minutes - typically 5 min - according to the timestamp YYYYMMddhhmm of the interval,
       e.g. nfcapd.201907110845 contains the data from July 11th 2019 08:45 onward. If the time
       interval is smaller than 60s, the naming extends to seconds, e.g. nfcapd.20190711084510.

       Netflow version v1, v5, v7 and v9 and IPFIX are transparently supported.

       Extensions: nfcapd supports a large number of v9 tags. In order to optimise disk space and
       performance, v9 tags are grouped into a number of extensions which may or may not be
       stored into the data file. Therefore the v9 templates configured on the exporter may be
       tuned to match the collector. Only those tags common to both are stored into the data
       files.

       Sampling: By default, the sampling rate is set to 1 (unsampled) or to any given value
       specified by the -s cmd line option. If sampling information is found in the netflow
       stream, it overrides the default value. Sampling is automatically recognised when
       announced in v9 option templates (tags #34, #35 or #48, #49, #50) or in the unofficial v5
       header hack. Note: Not all platforms (or IOS/JunOS versions) support exporting sampling
       information in netflow data, even if sampling is configured. The number of bytes/packets
       in each netflow record is automatically multiplied by the sampling rate. The total number
       of flows is not changed, as scaling it would not be accurate enough (small flows versus
       large flows). If the default sampling rate given by -s is negative, it hard overrides any
       device specific announced sampling rates.

       NSEL/ASA Support: nfcapd can be compiled with NSEL/ASA support included. See notes on
       NSEL/ASA.

       NEL (NAT Event Logging): nfcapd can be compiled with CISCO NEL support included. See
       notes on NEL.

OPTIONS

       -p portnum
          Specifies the port number to listen on. Default port is 9995.

       -b bindhost
          Specifies the hostname/IPv4/IPv6 address to bind for  listening.  This  can  be  an  IP
          address  or  a hostname, resolving to an IP address attached to an interface.  Defaults
          to any available IPv4 interface, if not specified.

       -4 Forces nfcapd to listen on IPv4 addresses only. Can be  used  together  with  -b  if  a
          hostname has an IPv4 and IPv6 address record.

       -6 Forces  nfcapd  to  listen  on  IPv6  addresses only. Can be used together with -b if a
          hostname has an IPv4 and IPv6 address record. Depending on the socket implementation -6
          also accepts IPv4 data.

       -J MulticastGroup
          Join the specified IPv4 or IPv6 multicast group for listening.

       -R host[/port]
          Enable packet repeater. Send all incoming packets to another host and port. host is
          either a valid IPv4/IPv6 address, or a valid symbolic hostname, which resolves to an
          IPv6 or IPv4 address. port may be omitted and defaults to port 9995. Note: Because
          IPv6 addresses contain ':', the port separator is '/'. Up to 8 repeaters may be
          defined.

       -I IdentString ( capital letter i )
          Specifies an ident string, which describes the source, e.g. the name of the router. This
          string is put into the stat record to identify the source. Default is 'none'. This is
          for compatibility with nfdump 1.5.x and used to specify a single netflow source. See -n.

       -l base_directory ( letter ell )
          Specifies the base directory to store the output files. If a sub hierarchy is
          specified with -S the final directory is concatenated to base_directory/sub_hierarchy.
          This is for compatibility with nfdump 1.5.x and used to specify a single netflow
          source. See -n.

       -n <Ident,IP,base_directory>
          Configures a netflow source named Ident and identified by source IP address IP. The
          base directory for the flow files is base_directory. If a sub hierarchy is specified
          with -S the final directory is concatenated to base_directory/sub_hierarchy. Multiple
          netflow sources can be specified. All data is sent to the same port specified by -p.
          Note: You must not mix the -n option with -I and -l. Use either syntax.

       -N <file>
          Specifies a file to read to add multiple netflow sources. The file is expected to
          contain one netflow source per line, using the same syntax as the -n option.
          Comments are not interpreted. Ident collisions are not handled if -N is specified
          multiple times.

       -M <dynbase_directory>
          Specifies the base directory to store the output files. In contrast to -l, -M allows
          new flow sources (exporters) to be added dynamically as they appear. All exporters send
          netflow data to the same port and IP. For each dynamically added source, a new
          directory is created with the name of the IPv4/IPv6 address of the exporter. All '.'
          and ':' in IP addresses are replaced by '-', e.g. 10.11.12.13 is converted to the
          directory name 10-11-12-13. Note: Please make sure to restrict at host level the
          range of IP addresses which are allowed to send to nfcapd. Otherwise you risk a
          potential DoS attack on nfcapd, as nfcapd has no built-in restrictions.
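The host-level restriction the -M note asks for, as an added example that is not part of nfdump: a small nftables allow-list so that only known exporters can reach the collector port and any other sender is counted and dropped before it can create directories or consume the daemon's time. The exporter addresses are constructed samples, the port is nfcapd's default 9995, and nft(8) is assumed to be installed when the ruleset is applied.

```shell
#!/bin/sh
# Added example, not part of nfdump: allow-list the nfcapd UDP port with
# nftables so that unknown hosts cannot add -M directories or flood the daemon.
# Exporter addresses passed in are constructed samples.

# Print an nftables ruleset that accepts UDP PORT only from the listed
# exporters (IPv4 and/or IPv6) and counts and drops everything else to PORT.
# Usage: nfcapd_ruleset PORT EXPORTER...
nfcapd_ruleset() {
    port=$1; shift
    v4=""; v6=""
    for ex in "$@"; do
        case $ex in
            *:*) v6="${v6:+$v6, }$ex" ;;   # contains ':' -> IPv6 address
            *)   v4="${v4:+$v4, }$ex" ;;   # otherwise treated as IPv4
        esac
    done
    # Declare, delete, then redefine the table so 'nft -f' is idempotent.
    printf 'table inet nfcapd_guard\ndelete table inet nfcapd_guard\n'
    printf 'table inet nfcapd_guard {\n  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    if [ -n "$v4" ]; then printf '    ip saddr { %s } udp dport %s accept\n' "$v4" "$port"; fi
    if [ -n "$v6" ]; then printf '    ip6 saddr { %s } udp dport %s accept\n' "$v6" "$port"; fi
    printf '    udp dport %s counter drop\n  }\n}\n' "$port"
}

# Write the ruleset to a file and, when run as root with nft available,
# load it. The file path is an assumption; adjust to the distribution's layout.
nfcapd_apply_ruleset() {
    rs=${NFCAPD_RULESET:-/etc/nftables.d/nfcapd.nft}
    nfcapd_ruleset "$@" > "$rs"
    if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
        nft -f "$rs"
    fi
}
```

Check the counter on the drop rule (`nft list table inet nfcapd_guard`) after deployment: a rising count means an unexpected host is sending to the collector port.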

       -f <pcap_file>
          Read netflow packets from the given pcap_file instead of the network. This requires
          nfcapd to be compiled with the pcap option and is intended for debugging only.

       -s <rate>
          Apply the default sampling rate rate to all netflow records, unless the sampling rate
          is announced by the exporting device. In that case the announced sampling rate is
          applied. If <rate> is negative, it hard overrides any device specific announced
          sampling rates.

       -S <num>
          Specifies an additional directory sub hierarchy to store the data files. The
          default is 0, no sub hierarchy, which means the files go directly in the base directory
          (-l). The base directory (-l) is concatenated with the specified sub hierarchy format
          to form the final data directory. The following hierarchies are defined:
            0 default     no hierarchy levels
            1 %Y/%m/%d    year/month/day
            2 %Y/%m/%d/%H year/month/day/hour
            3 %Y/%W/%u    year/week_of_year/day_of_week
            4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
            5 %Y/%j       year/day-of-year
            6 %Y/%j/%H    year/day-of-year/hour
            7 %Y-%m-%d    year-month-day
            8 %Y-%m-%d/%H year-month-day/hour
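The file naming and -S hierarchy rules above, put to work as an added example that is not part of nfdump: given the base directory, -S level, rotation interval and a point in time, compute the path nfcapd is expected to have written, so a cron job can alarm when the file for the last completed interval is missing (an exporter or the daemon has stopped). It assumes GNU date (-u -d @EPOCH), -w aligned rotation, and UTC naming; adjust the date calls if the collector names files in local time.

```shell
#!/bin/sh
# Added example, not part of nfdump: expected nfcapd file path for an interval,
# from the nfcapd.YYYYMMddhhmm naming rule and the -S hierarchy table.
# Assumes GNU date, -w aligned rotation and UTC file naming.

# Map an -S level to its strftime hierarchy (empty for level 0).
nfcapd_hierarchy() {
    case $1 in
        0) echo "" ;;
        1) echo "%Y/%m/%d" ;;
        2) echo "%Y/%m/%d/%H" ;;
        3) echo "%Y/%W/%u" ;;
        4) echo "%Y/%W/%u/%H" ;;
        5) echo "%Y/%j" ;;
        6) echo "%Y/%j/%H" ;;
        7) echo "%Y-%m-%d" ;;
        8) echo "%Y-%m-%d/%H" ;;
        *) echo "unknown -S level: $1" >&2; return 1 ;;
    esac
}

# Usage: nfcapd_expected_file BASE_DIR LEVEL INTERVAL_SECONDS [EPOCH]
# Prints the path of the file covering the interval that contains EPOCH
# (default: now), floored to the aligned interval start. Intervals shorter
# than 60s get the seconds suffix, as described under DESCRIPTION.
nfcapd_expected_file() {
    base=$1 level=$2 interval=$3 now=${4:-$(date -u +%s)}
    start=$(( now - now % interval ))
    fmt="%Y%m%d%H%M"
    if [ "$interval" -lt 60 ]; then fmt="%Y%m%d%H%M%S"; fi
    sub=$(nfcapd_hierarchy "$level") || return 1
    dir=$base
    if [ -n "$sub" ]; then dir="$base/$(date -u -d "@$start" +"$sub")"; fi
    printf '%s/nfcapd.%s\n' "$dir" "$(date -u -d "@$start" +"$fmt")"
}

# Return 0 if the file for the last completed interval exists, 1 otherwise.
# Usage: nfcapd_check_last_interval BASE_DIR LEVEL INTERVAL_SECONDS
nfcapd_check_last_interval() {
    f=$(nfcapd_expected_file "$1" "$2" "$3" $(( $(date -u +%s) - $3 )))
    if [ -f "$f" ]; then return 0; fi
    echo "missing $f" >&2
    return 1
}
```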

       -T <extension list>
          The argument is considered legacy. By default all matching extensions sent by the
          exporter are stored. You may still override this if you want to skip certain
          extensions. Regardless of the extension list, the following netflow data is stored per
          record: first, last, fwd status, tcp flags, proto, (src)tos, src port, dst port, src
          ipaddr, dst ipaddr, in(packets), in(bytes). In addition nfcapd recognises the
          extensions described below. Some are valid for v5/v7/v9, but most of them only make
          sense for v9. Any specified extensions which do not exist in the input netflow records
          are ignored.

          Extensions:
           v5/v7/v9/IPFIX extensions:
            1 input/output interface SNMP numbers.
            2 src/dst AS numbers.
            3 src/dst mask, (dst)TOS, direction.
            4 Next hop IP addr
            5 BGP next hop IP addr
            6 src/dst vlan id labels
            7 counter output packets
            8 counter output bytes
            9 counter aggregated flows
           10 in_src/out_dst MAC address
           11 in_dst/out_src MAC address
           12 MPLS labels 1-10
           13 Exporting router IPv4/IPv6 address
           14 Exporting router ID
           15 BGP adjacent prev/next AS
           16 time stamp flow received by the collector
           NSEL/ASA/NAT extensions
           26 NSEL     ASA event, xtended event, ICMP type/code
           27 NSEL/NAT xlate ports
           28 NSEL/NAT xlate IPv4/IPv6 addr
           29 NSEL     ASA ACL ingress/egress acl ID
           30 NSEL     ASA username
           NEL/NAT extensions
           31 NAT event, ingress egress vrfid
           32 NAT Block port allocation - block start, end step and size
           latency extension
           64 nfpcapd/nprobe client/server/application latency

           IMPORTANT: By default all extensions are selected. Extensions can be added/deleted by
           specifying a ',' separated list of extension ids. Each id may be prepended by an
           optional sign +/- to add or remove the given id from the extension list. Shortcuts: The
           string 'all' means all extensions. The strings 'nsel' and 'nel' enable all NSEL or NEL
           extensions respectively.

           Examples:
           -T all       Enables all possible extensions.
           -T +3,+4     Adds extensions 3 and 4 to the defaults 1 and 2.
           -T all,-8,-9 Sets all extensions but 8 and 9.
           -T -1,4      Removes default extension 1 and adds extension 4.
           -T nsel      Enables all required ASA/NSEL extensions.
           -T nel       Enables all required NEL extensions.
           Note: Only those tags in common with the exporting device and enabled extensions at
           the collector side are stored into the data files. A detailed list of which v9 tags
           are mapped into which extensions is given in the section NOTES.

       -t interval
          Specifies the time interval in seconds to rotate files. The default value is 300s
          (5 min). The smallest interval is 2s.

       -w Align file rotation with the next n minute interval (specified by -t). Example: If
          the interval is 5 min, sync at 0,5,10... wall clock minutes. Default: no alignment.

       -x cmd
          Run command cmd at the end of every interval, when a new file becomes available. The
          following command expansion is available:
           %f   Replaced by the file name e.g. nfcapd.200907110845 including any
                sub hierarchy. ( 2009/07/11/nfcapd.200907110845 )
           %d   Replaced by the directory where the file is located.
           %t   Replaced by the time in ISO format e.g. 200907110845.
           %u   Replaced by the UNIX time format.
           %i   Replaced by the ident string given by -I
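A rotation hook for -x, as an added example that is not part of nfdump: nfcapd runs cmd with %d and %f expanded, and %f carries any -S sub hierarchy, so the hook below re-assembles the pair into a path, checks that it stays under the configured spool directory and that the name follows the nfcapd.YYYYMMddhhmm[ss] convention, and only then hands the file to nfdump(1). The spool base, the hook path and the nfdump statistic options are assumptions.

```shell
#!/bin/sh
# Added example, not part of nfdump. Install as e.g. /usr/local/sbin/nfcapd-hook.sh
# and start the daemon with:  -x '/usr/local/sbin/nfcapd-hook.sh %d %f'
# SPOOL is the base directory given with -l/-n (constructed value).
SPOOL=${NFCAPD_SPOOL:-/netflow/spool}

# Return 0 if the last path component is a rotated file name: nfcapd. followed
# by 12 digits (YYYYMMddhhmm), or 14 when the -t interval is below 60s.
nfcapd_valid_name() {
    case ${1##*/} in
        nfcapd.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        nfcapd.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    esac
    return 1
}

# Validate the %d/%f pair against BASE: the joined path must lie under BASE,
# contain no '..' component and carry a rotated file name. Prints the path.
# Usage: nfcapd_hook_path BASE DIR FILE
nfcapd_hook_path() {
    base=$1 dir=$2 file=$3
    path="$dir/$file"
    case $path in
        "$base"/*) ;;
        *) echo "outside spool: $path" >&2; return 1 ;;
    esac
    case "/$path/" in
        */../*) echo "rejecting '..' in $path" >&2; return 1 ;;
    esac
    nfcapd_valid_name "$file" || { echo "not a rotated file: $file" >&2; return 1; }
    printf '%s\n' "$path"
}

# Hook entry point: once the path is checked, summarise the new file with
# nfdump (top 10 source IPs by bytes; options as in nfdump(1), assumed on PATH).
nfcapd_hook() {
    p=$(nfcapd_hook_path "$SPOOL" "$1" "$2") || exit 1
    [ -f "$p" ] || { echo "no such file: $p" >&2; exit 1; }
    nfdump -r "$p" -q -s srcip/bytes -n 10
}

# Uncomment in the installed copy so nfcapd's two arguments reach the hook:
# nfcapd_hook "$@"
```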

       -X Collect and embed extended statistics. Currently a port and bpp histogram is embedded.
          Mostly experimental for now.

       -e Auto expire files at every cycle. Max lifetime and max filesize are defined using
          nfexpire(1).

       -P pidfile
          Specify name of pidfile. Default is no pidfile.

       -D Daemon mode: fork to background and detach from terminal.  Nfcapd terminates on  signal
          TERM, INT and HUP.

       -u userid
          Change to the user userid as soon as possible. Only root is allowed to use this option.

       -g groupid
          Change to the group groupid as soon as possible. Only root is allowed to use this option.

       -B bufflen
          Specifies the socket input buffer length in bytes. For high volume traffic (near
          gigabit traffic) it is recommended to set this value as high as possible (typically
          > 100k), otherwise you risk losing packets. The default is OS (and kernel) dependent.

       -E Print netflow records in nfdump raw format to stdout. This option is for debugging
          purposes only, to see how incoming netflow data is processed and stored.

       -j Compress flows. Use bz2 compression in output file. Note: not recommended while
          collecting.

       -y Compress flows. Use LZ4 compression in output file.

       -z Compress flows. Use fast LZO1X-1 compression in output file.

       -V Print nfcapd version and exit.

       -h Print help text to stdout with all options and exit.

RETURN VALUE

       Returns 0 on success, or 255 if initialization failed.

LOGGING

       nfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal operation, level
       'warning' should be fine. More information is reported at levels 'info' and 'debug'.

       A short statistic about the collected flows, as well as any errors, is reported at the
       end of every interval to syslog with level 'info'.

EXAMPLES

       All flows are sent to port 9995 from all exporters and stored into a single file. All
       known v9 tags are taken.
              nfcapd -z -w -D -T all -l /netflow/spool/allflows -I any -S 2 -P /var/run/nfcapd.allflows.pid

       All flows from 2 different exporters are sent to port 8877 and stored in separate
       directory trees. All known v9 tags are taken. Input buffer size is set to 128000 bytes.
              nfcapd -z -w -D -T all -p 8877 -n upstream,192.168.1.1,/netflow/spool/upstream -n peer,192.168.2.1,/netflow/spool/peer -S 2 -B 128000

       Only accept flows from a single exporter and only extensions 3, 4 and 5 are stored. Run a
       given command when files are rotated and automatically expire flows:
              nfcapd -w -D -T 3,4,5 -n upstream,192.168.1.1,/netflow/spool/upstream -p 23456 -B 128000 -s 100 -x '/path/command -r %d/%f' -P /var/run/nfcapd/nfcapd.pid -e

NOTES

       Multiple netflow sources:

       Netflow data may be sent from different exporters to a single nfcapd process. Use the -n
       option to store each netflow source in a different data directory. For compatibility
       with nfdump 1.5.x, the old style -l/-I options are still valid. In that case all flows
       from all sources are stored in a single file. For high volume netflow streams, it is
       still recommended to have a single nfcapd process per netflow source.

       Nfdump supports a large number of v9 and ipfix elements. For a detailed list check the
       netflow_v9 and ipfix header files. 32 and 64 bit are supported for all counters. 32 bit
       AS numbers are supported.

       The format of the data files is netflow version independent.

       Socket buffer: Setting the socket buffer size is system dependent. When starting up,
       nfcapd reports the number of bytes the buffer was actually set to. This is done by
       reading back the buffer size, and it may differ from what you requested.

SEE ALSO

       nfdump(1), nfprofile(1), nfreplay(1)

BUGS

       No software without bugs! Please report any bugs back to me.

                                            2009-09-09                                  nfcapd(1)