mantic (1) nfpcapd.1.gz

Provided by: nfdump_1.7.1-3_amd64

NAME

       nfpcapd - pcap capture to netflow daemon

SYNOPSIS

       nfpcapd [options]

DESCRIPTION

       nfpcapd  is  the pcap capture daemon of the nfdump tools. It reads network packets from an
       interface or from a file and directly creates nfdump records. Nfdump records  are  written
       either  locally  to  a  directory  in  the same format as nfcapd, or can be forwarded to a
       nfcapd collector somewhere else in the network. Nfpcapd is the pcap counterpart of  nfcapd
       and  shares  many  of  its options; it generates the same type of files and likewise
       creates, rotates and stores them. See nfcapd(1) for more information on the common options.

       nfpcapd optionally also stores the raw pcap traffic data in separate files, using the same
       rotation interval as for the netflow data. Storing pcap traffic data is only possible when
       the flow files are written locally.

       nfpcapd  is  multithreaded  and  uses  separate  threads  for  packet,  netflow  and  pcap
       processing.

OPTIONS

       -i interface
          Listen on this interface in promiscuous mode for packet processing.

       -r file
          Read and process packets from this file. The file must be in a pcap compatible format.

       -s snaplen
          Limit the snaplen on collected packets. The default is 1522 bytes. The snaplen needs to
          be large enough to process all required protocols. The snaplen must not be smaller than
          54 bytes.

       -B cachesize
          Sets the number of initial cache nodes allocated for the flow cache. The  default  of
          512k  nodes  should  be  fine  for most setups. If the cache runs out of nodes, new
          nodes are added dynamically.

       -e active,inactive
          Sets the active and inactive flow expire values in seconds. The default is 300,60.
          Active  timeout:  A  flow  gets  flushed  to disk after this period even if it is still
          active. As a rule of thumb, it should correspond with the -t rotation value,  in  order
          to reflect continuous traffic in the flow files.
          Inactive  timeout:  A flow gets flushed to disk after being inactive for this number of
          seconds. It frees up node resources.
          On busy networks these values can be set to more aggressive (shorter) timeouts.

       -I IdentString ( capital letter i )
          Specifies an ident string, which describes the source, e.g. the name of the  interface
          or  host.  This  string  is  put  into the stat record to identify the source. Default
          is 'none'. Same as in nfcapd(1).

       -l flowdir ( letter ell )
          Specifies the base directory to store the flow files.  If a sub hierarchy is  specified
          with -S the final directory is concatenated to base_directory/sub_hierarchy.

       -p pcapdir
          Store  network  packets in pcap compatible files in this directory and rotate files the
          same as the flow files. Sub hierarchy directories are applied likewise.

       -H <host[/port]>
          Send nfdump records to a remote nfcapd collector. Default port is 9995.

       -S <num>
          Specifies an additional directory sub hierarchy to store the data files. The  default
          is  0,  no  sub  hierarchy,  which  means the files go directly in the base directory
          (-l). The base directory (-l) is concatenated with the specified sub hierarchy  format
          to form the final data directory. For a full list of hierarchies see nfcapd(1).

       -t interval
          Specifies the time interval in seconds to rotate files. The default value is 300s  (5
          min).  The  smallest  interval  is  2s.  The  intervals are aligned to the wall clock.

       -P pidfile
          Specify name of pidfile. Default is no pidfile.

       -D Daemon mode: fork to background and detach from terminal.  Nfpcapd terminates on signal
          TERM, INT and HUP.

       -E Verbose flow printing. Print flows on stdout when they are  flushed  to  disk.  Use
          verbose  printing  only  for  debugging  purposes,  to check that your setup works.
          Running nfpcapd in verbose mode limits the processing bandwidth!

       -u userid
          Change to the user userid as soon as possible. Only root is allowed to use this option.
          Uid/Gid is switched after opening the capture device; the flow and pcap  directories
          must therefore be writable by that user.

       -g groupid
          Change to the group groupid as soon as possible. Only root is allowed to use this option.
          Uid/Gid is switched after opening the capture device.

       -o option[,option]
          Adds options to nfpcapd. Two options are available:
          fat       Add Mac addresses, optional Vlan and MPLS labels.
          payload   Add the payload bytes of the first packet of a connection.

       -j Compress flows. Use bz2 compression in  the  output  file.  Note:  bz2  is  slow  and
          therefore not recommended while collecting.

       -y Compress flows. Use LZ4 compression in output file.

       -z Compress flows. Use fast LZO1X-1 compression in output file.

       -V Print nfpcapd version and exit.

       -h Print help text to stdout with all options and exit.

       '<filter>'
          Optional pcap compatible packet filter. The filter needs to be put within quotes.

RETURN VALUE

       Returns 0 on success, or 255 if initialization failed.

LOGGING

       nfpcapd  logs  to  syslog  with  SYSLOG_FACILITY  LOG_DAEMON.   For normal operation level
       'error' should be fine.  More information is reported at level 'info'.

       A small statistic about the collected flows, as well as errors are reported at the end  of
       every interval to syslog with level 'info'.

EXAMPLES

       Read packets from interface eth0
              nfpcapd -i eth0 -j -D -l /netflow/flows -S 2 -I any -P /var/run/nfpcapd.pid

       Read packets from interface vmx0 and also store the packets in pcap files.
              nfpcapd -i vmx0 -j -D -l /netflow/flows -p /netflow/caps

       Send records to a remote host
              nfpcapd -i eth1 -H 192.168.200.10/12344 -D -e 60,20

NOTES

       nfpcapd can store records either locally (-l) or send them to a remote host (-H), but not
       both at the same time.
       If records are sent to a remote nfcapd process, both programs nfcapd and nfpcapd  must  be
       of  the same endian architecture (both big or little endian). nfpcapd uses netflow version
       240 for sending flows.

       The flow cache is checked in regular 10s intervals and  expires  flows  according  to  the
       expire values. Expired flows are flushed and processed and their nodes are freed up.

       A  smaller  snaplen  may  improve performance, but may result in loss of information.  The
       smallest snaplen of 54 bytes (14 bytes Ethernet + 20 bytes IPv4  +  20  bytes  TCP)  can
       process  regular  TCP/UDP/ICMP  packets.  In  case  of  Vlan  or MPLS labels, not enough
       information may be available for correct protocol decoding. Nfdump records  may  then  be
       incomplete, with the affected fields set to 0.

       If IP packets are fragmented, they are reassembled before  processing.  All  IP  fragments
       need  to  be reassembled in order to be passed to the next stage. If not all fragments are
       correctly reassembled within 15s after the first fragment arrived, all fragments are
       discarded.
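       The OPTIONS, EXAMPLES and NOTES sections above impose several constraints that are easy to
       get wrong on a command line: the 54 byte snaplen floor, the 2s rotation floor, the rule
       that -l and -H are mutually exclusive, the recommendation to keep the active timeout equal
       to the rotation interval, and the requirement that the flow directory is writable by the
       process (relevant when dropping privileges with -u/-g). The following script is an added
       example, not part of nfdump, that checks those constraints and prints the resulting nfpcapd
       command line instead of executing it. It assumes standard header sizes (14 byte Ethernet,
       4 bytes per 802.1Q tag and per MPLS label, 20 byte IPv4 or 40 byte IPv6, 20 byte TCP) to
       suggest a snaplen for tagged or labelled traffic; the directory check runs as the invoking
       user, so with -u it must be repeated for the target user.

```shell
#!/bin/sh
# Added example (not nfdump code): sanity-check nfpcapd arguments against the
# limits documented on this page and print the command line; nfpcapd is not run.

# Minimum snaplen for the given encapsulation. Assumed header sizes:
# Ethernet 14, each 802.1Q tag 4, each MPLS label 4, IPv4 20 / IPv6 40, TCP 20.
# With no tags, IPv4 gives 54 bytes, the floor this man page documents.
min_snaplen() {
    vlan=${1:-0}; mpls=${2:-0}; v6=${3:-0}
    ip=20
    if [ "$v6" -eq 1 ]; then ip=40; fi
    echo $((14 + 4*vlan + 4*mpls + ip + 20))
}

# build_cmd IFACE SNAPLEN ROTATE ACTIVE INACTIVE FLOWDIR HOST
# Exactly one of FLOWDIR (local, -l) or HOST (remote, -H) must be non-empty.
build_cmd() {
    iface=$1; snaplen=$2; rotate=$3; active=$4; inactive=$5; flowdir=$6; host=$7
    if [ "$snaplen" -lt 54 ]; then
        echo "snaplen $snaplen is below the 54 byte minimum" >&2; return 1
    fi
    if [ "$rotate" -lt 2 ]; then
        echo "rotation interval $rotate is below the 2s minimum" >&2; return 1
    fi
    if [ -n "$flowdir" ] && [ -n "$host" ]; then
        echo "-l and -H cannot be combined (local or remote, not both)" >&2; return 1
    fi
    if [ -z "$flowdir" ] && [ -z "$host" ]; then
        echo "one of -l (flow directory) or -H (collector) is required" >&2; return 1
    fi
    if [ "$active" -ne "$rotate" ]; then
        # Not an error, but flow files will not line up with the rotation.
        echo "warning: active timeout $active differs from -t $rotate" >&2
    fi
    cmd="nfpcapd -i $iface -s $snaplen -t $rotate -e $active,$inactive"
    if [ -n "$flowdir" ]; then
        # Files are written after the uid/gid switch, so the directory must be
        # writable by the user nfpcapd runs as (here: the invoking user).
        if [ ! -d "$flowdir" ] || [ ! -w "$flowdir" ]; then
            echo "flow directory $flowdir is missing or not writable" >&2; return 1
        fi
        cmd="$cmd -l $flowdir"
    else
        cmd="$cmd -H $host"
    fi
    echo "$cmd"
}

# Usage: sh check_nfpcapd.sh eth0 1522 300 300 60 /netflow/flows ""
if [ $# -gt 0 ]; then
    build_cmd "$@"
fi
```

       Running `min_snaplen 1 1 0` reports 62 bytes for one VLAN tag plus one MPLS label over
       IPv4, which is the practical floor for such links if the fat/payload options are not used;
       a snaplen at the 54 byte minimum would leave those records with zeroed fields, as the
       NOTES section warns.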

SEE ALSO

       nfcapd(1), nfdump(1), nfexpire(1)

BUGS

       No software without bugs! Please report any bugs back to me.

                                            2021-05-23                                 nfpcapd(1)