Provided by: nfdump_1.6.23-1_amd64 
NAME
nfcapd - netflow capture daemon
SYNOPSIS
nfcapd [options]
DESCRIPTION
nfcapd is the netflow capture daemon of the nfdump tools. It reads netflow data from the
network and stores it into files. The output file is automatically rotated and renamed
every n minutes - typically 5 min - according the timestamp YYYYMMddhhmm of the interval
e.g. nfcapd.201907110845 contains the data from July 11th 2019 08:45 onward. If the time
interval is smaller then 60s, the naming extends to seconds e.g. nfcapd.20190711084510.
Netflow version v1, v5, v7 and v9 and IPFIX are transparently supported.
Extensions: nfcapd supports a large number of v9 tags. In order to optimise disk space and
performance, v9 tags are grouped into a number of extensions which may or may not be
stored into the data file. Therefore the v9 templates configured on the exporter may be
tuned according the collector. Only those tags common to both are stored into the data
files.
Sampling: By default, the sampling rate is set to 1 (unsampled) or to any given value
specified by the -s cmd line option. If sampling information is found in the netflow
stream, it overwrites the default value. Sampling is automatically recognised when
announced in v9 option templates (tags #34, #35 or #48, #49, #50 ) or in the unofficial v5
header hack. Note: Not all platforms (or IOS/JunOS versions) support exporting sampling
information in netflow data, even if sampling is configured. The number of bytes/packets
in each netflow record is automatically multiplied by the sampling rate. The total number
of flows is not changed as this is not accurate enough. (Small flows versus large flows)
If the default sampling rate given by -s is negative, this will hard overwrite any device
specific announced sampling rates.
NSEL/ASA Support: nfcapd can be compiled with NSEL/ASA support included. See notes on
NSEL/ASA
NEL (NAT Event logging): nfcapd can be compiled with CISCO NEL support included. See
notes on NEL.
OPTIONS
-p portnum
Specifies the port number to listen. Default port is 9995
-b bindhost
Specifies the hostname/IPv4/IPv6 address to bind for listening. This can be an IP
address or a hostname, resolving to an IP address attached to an interface. Defaults
to any available IPv4 interface, if not specified.
-4 Forces nfcapd to listen on IPv4 addresses only. Can be used together with -b if a
hostname has an IPv4 and IPv6 address record.
-6 Forces nfcapd to listen on IPv6 addresses only. Can be used together with -b if a
hostname has an IPv4 and IPv6 address record. Depending on the socket implementation -6
also accepts IPv4 data.
-J MulticastGroup
Join the specified IPv4 or IPv6 multicast group for listening.
-R host[/port}
Enable packet repeater. Send all incoming packets to another host and port. host is
either a valid IPv4/IPv6 address, or a valid symbolic hostname, which resolves to a
IPv6 or IPv4 address. port may be omitted and defaults to port 9995. Note: Due to
IPv4/IPv6 accepted addresses the port separator is '/'. Up to 8 repeaters my be
defined.
-I IdentString ( capital letter i )
Specifies an ident string, which describes the source e.g. the name of the router. This
string is put into the stat record to identify the source. Default is 'none'. This is
for compatibility with nfdump 1.5.x and used to specify a single netflow source. See -n
-l base_directory ( letter ell )
Specifies the base directory to store the output files. If a sub hierarchy is
specified with -S the final directory is concatenated to base_directory/sub_hierarchy.
This is for compatibility with nfdump 1.5.x and used to specify a single netflow
source. See -n
-n <Ident,IP,base_directory>
Configures a netflow source named Ident and identified by source IP address IP. The
base directory for the flow files is base_directory. If a sub hierarchy is specified
with -S the final directory is concatenated to base_directory/sub_hierarchy. Multiple
netflow sources can be specified. All data is sent to the same port specified by -p.
Note: You must not mix -n option with -I and -l. Use either syntax.
-N <file>
Specifies the file to read to add multiple netflow sources. The file is expected to
contain one netflow source per line based on the same syntax than the -n option.
Comments are not interpreted. Ident collision are not handled if -N is specified
multiple times.
-M <dynbase_directory>
Specifies the base directory to store the output files. In contrast to -l -M allows to
add dynamically new flow sources (exporters), as they appear. All exporters send
netflow data to the same port and IP. For each dynamically added source, a new
directory is created with the name of the IPv4/IPv6 address of the exporter. All '.'
and ':" in IP addresses are replaced be '-' e.g. 10.11.12.13 is converted to the
directory name 10-11-12-13. Note: Please make sure to restrict at host level the
potential range of IP addresses which are allowed to connect to nfcapd. Otherwise you
risk a potential DoS attack on nfcapd, as nfcapd has no built in restrictions.
-f <pcap_file>
Read netflow packets from a give pcap_file instead of the network. This requires nfcapd
to be compiled with the pcap option and is intended for debugging only.
-s <rate>
Apply default sampling rate rate to all netflow records, unless the sampling rate is
announced by the exporting device. In that case the announced sampling rate is applied.
If <rate> is negative, this will hard overwrite any device specific announced sampling
rates.
-S <num>
Allows to specify an additional directory sub hierarchy to store the data files. The
default is 0, no sub hierarchy, which means the files go directly in the base directory
(-l). The base directory (-l) is concatenated with the specified sub hierarchy format
to form the final data directory. The following hierarchies are defined:
0 default no hierarchy levels
1 %Y/%m/%d year/month/day
2 %Y/%m/%d/%H year/month/day/hour
3 %Y/%W/%u year/week_of_year/day_of_week
4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
5 %Y/%j year/day-of-year
6 %Y/%j/%H year/day-of-year/hour
7 %Y-%m-%d year-month-day
8 %Y-%m-%d/%H year-month-day/hour
-T <extension list>
The argument is considered legacy. By default all matching extension sent by the
exporter are stored. You still may overwrite this, if you want to skip certain
extansions. Regardless of the extension list, the following netflow data is stored per
record: first, last, fwd status, tcp flags, proto, (src)tos, src port, dst port, src
ipaddr, dst ipaddr, in(packets), in(bytes). In addition nfcapd recognises the
extensions as described below. Some are valid for v5/v7/v9, but most of them make only
sense for v9. Any specified extensions which do not exist in the input netflow records
are ignored.
Extensions:
v5/v7/v9/IPFIX extensions:
1 input/output interface SNMP numbers.
2 src/dst AS numbers.
3 src/dst mask, (dst)TOS, direction.
4 line Next hop IP addr line
5 line BGP next hop IP addr line
6 src/dst vlan id labels
7 counter output packets
8 counter output bytes
9 counter aggregated flows
10 in_src/out_dst MAC address
11 in_dst/out_src MAC address
12 MPLS labels 1-10
13 Exporting router IPv4/IPv6 address
14 Exporting router ID
15 BGP adjacent prev/next AS
16 time stamp flow received by the collector
NSEL/ASA/NAT extensions
26 NSEL ASA event, xtended event, ICMP type/code
27 NSEL/NAT xlate ports
28 NSEL/NAT xlate IPv4/IPv6 addr
29 NSEL ASA ACL ingress/egress acl ID
30 NSEL ASA username
NEL/NAT extensions
31 NAT event, ingress egress vrfid
32 NAT Block port allocation - block start, end step and size
latency extension
64 nfpcapd/nprobe client/server/application latency"},
IMPORTANT: By default all extension are selected Extensions can be added/deleted by
specifying a ',' separated list of extension ids. Each id may be prepended by an
optional sign +/- to add or remove a given id from the extension list. Shortcuts: The
string 'all' means all extensions. The strings
'nsel' and 'nel' enable all NSEL or NEL extensions respectively.
Examples:
-T all Enables all possible extensions.
-T +3,+4 Adds extensions 3 and 4 to the defaults 1 and 2.
-T all,-8,-9 Set all extensions but 8 and 9
-T -1,4 Removes default extension 1 and adds extension 4
-T nsel Enables all required ASA?NSEL extensions
-T nel Enables all required nell extensions
Note: Only those tags in common with the exporting device and enabled extensions at
the collector side are stored into the data files. A detailed list which v9 tags are
mapped into which extensions is given in the section NOTES
-t interval
Specifies the time interval in seconds to rotate files. The default value is 300s (
5min ). The smallest interval is 2s.
-w Align file rotation with next n minute ( specified by -t ) interval. Example: If
interval is 5 min, sync at 0,5,10... wall clock minutes Default: no alignment.
-x cmd
Run command cmd at the end of every interval, when a new file becomes available. The
following command expansion is available:
%f Replaced by the file name e.g nfcapd.200907110845 inluding any
sub hierarchy. ( 2009/07/11/nfcapd.200907110845 )
%d Replaced by the directory where the file is located.
%t Replaced by the time ISO format e.g. 200907110845.
%u Replaced by the UNIX time format.
%i Replaced ident string given by -I
-X Collect and embed extended statistics. Currently a port and bpp histogram is embedded.
Mostly experimental for now
-e Auto expire files at every cycle. max lifetime and max filesize are defined using
nfexpire(1)
-P pidfile
Specify name of pidfile. Default is no pidfile.
-D Daemon mode: fork to background and detach from terminal. Nfcapd terminates on signal
TERM, INT and HUP.
-u userid
Change to the user userid as soon as possible. Only root is allowed to use this option.
-g groupid
Change to the group groupid as soon as possible. Only root is allowed use this option.
-B bufflen
Specifies the socket input buffer length in bytes. For high volume traffic ( near GB
traffic ) it is recommended to set this value as high as possible ( typically > 100k ),
otherwise you risk to lose packets. The default is OS ( and kernel ) dependent.
-E Print netflow records in nfdump raw format to stdout. This option is for debugging
purpose only, to see how incoming netflow data is processed and stored.
-j Compress flows. Use bz2 compression in output file. Note: not recommended while
collecting
-y Compress flows. Use LZ4 compression in output file.
-z Compress flows. Use fast LZO1X-1 compression in output file.
-V Print nfcapd version and exit.
-h Print help text to stdout with all options and exit.
RETURN VALUE
Returns 0 on success, or 255 if initialization failed.
LOGGING
nfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON For normal operation level 'warning'
should be fine. More information is reported at level 'info' and 'debug'.
A small statistic about the collected flows, as well as errors are reported at the end of
every interval to syslog with level 'info'.
EXAMPLES
All flows are sent to port 9995 from all exporters and stored into a single file. All
known v9 tags are taken.
nfcapd -z -w -D -T all -l /netflow/spool/allflows -I any -S 2 -P
/var/run/nfcapd.allflows.pid
All flows from 2 different exporters are sent to port 8877 and stored in separate
directory trees. All known v9 tags are taken. Input buffer size is set to 128000 bytes
nfcapd -z -w -D -T all -p 8877 -n upstream,192.168.1.1,/netflow/spool/upstream -n
peer,192.168.2.1,/netflow/spool/peer -S 2 -B 128000
Only accept from from a single exporter and only extension 3,4 and 5 are accepted. Run a
given command when files are rotated and automatically expire flows:
nfcapd -w -D -T 3,4,5 -n upstream,192.168.1.1,/netflow/spool/upstream -p 23456 -B
128000 -s 100 -x '/path/command -r %d/%f' -P /var/run/nfcapd/nfcapd.pid -e
NOTES
Multiple netflow sources:
Netflow data may be sent from different exporters to a single nfcapd process. Use the -n
option to separate each netflow source to a different data directory. For compatibility
with nfdump 1.5.x, old style -l/-I options are still valid. In that case all flows from
all sources are stored in a single file. For high volume netflow streams, it is still
recommended to have a single nfcapd process per netflow source.
Nfdump supports a large number of v9 and ipfix elements. For a detailed list chek the
netflow_v9 and ipfix header files. 32 and 64 bit are supported for all counters. 32it AS
numbers are supported.
The format of the data files is netflow version independent.
Socket buffer: Setting the socket buffer size is system dependent. When starting up,
nfcapd returns the number of bytes the buffer was actually set. This is done by reading
back the buffer size and may differ from what you requested.
SEE ALSO
nfdump(1), nfprofile(1), nfreplay(1)
BUGS
No software without bugs! Please report any bugs back to me.
2009-09-09 nfcapd(1)