Provided by: nfdump-sflow_1.7.4-1_amd64

NAME

     sfcapd — sflow collector for sflow version v2/v4 and v5

SYNOPSIS

     sfcapd -w flowdir [-C config] [-z=<compress>] [-D] [-u userid] [-g groupid] [-S num] [-t interval]
            [-P pidfile] [-p port] [-d device] [-I ident] [-b bindhost] [-f flowfile] [-4] [-6] [-j mcastgroup]
            [-R repeater] [-A] [-B buffsize] [-n sourceparam] [-M multiflowdir] [-i metricrate] [-m metricpath]
            [-e] [-x command] [-X extensionList] [-W workers] [-E] [-v] [-V]

DESCRIPTION

     sfcapd reads sflow data from the network and stores the records into binary formatted files. The sflow
     implementation is based on sflowtool. The packet samples are converted into netflow compatible records.

     If you want to collect netflow data, please have a look at nfcapd which is also part of the nfdump tools.

     Sflow is an industry standard developed by InMon Corporation.  For more information see http://sflow.org.

     sfcapd is the twin of nfcapd and supports the same feature set. See also nfcapd(1) for more details.

     The options are as follows:

     -w flowdir
             Set the flow directory to store the output files. If a sub hierarchy is specified with -S the final
             directory is concatenated to flowdir/subdir.

     -C config
             Reads additional configuration parameters from config file.  sfcapd tries to read the config file
             from the install default path $prefix/etc/ which may be overwritten by the environment variable
             NFCONF, which again is overwritten by this option -C. If -C none is specified, then no config file
             is read, even if found in the search path.

     -p portnum
             Set the port number to listen on. The default port is 9995.

     -d interface
             Reads sflow data from an erspan encoded datalink. All traffic sent to this interface is interpreted
             as sflow data stream.

     -b bindhost
             Specifies the hostname/IPv4/IPv6 address to bind for listening. This can be an IP address or a
             hostname, resolving to a local IP address.

     -4      Forces sfcapd to listen on IPv4 addresses only. Can be used together with -b if a hostname has IPv4
             and IPv6 addresses.

     -6      Forces sfcapd to listen on IPv6 addresses only. Can be used together with -b if a hostname has IPv4
             and IPv6 addresses.

     -J mcastgroup
             Join the specified IPv4 or IPv6 multicast group for listening.

     -R host[/port]
             Enables the packet repeater. All incoming packets are sent additionally to another host and port.
             host is either a valid IPv4/IPv6 address, or a symbolic hostname, which resolves to a valid IP
             address.  port may be omitted and defaults to 9995. Note: As IPv4/IPv6 are accepted the host/port
             separator is '/'.  Up to 8 additional repeaters may be defined. Use this method to daisy chain
             collectors.

     -A      Sets source address spoofing mode for the repeater. The source address of the repeated packets is
             set to the original IP address. This needs sfcapd to be started with root privileges. Please note,
             that source spoofing may be blocked by firewalls or routers in your network.

     -I ident
             Sets ident as identification string for the current source. This string is written into the output
             file to identify the source. Default is 'none'. If you have multiple sources, see option -n below.

     -n ident,IP,flowdir
             Configures a netflow source identified by the string ident, IP and flowdir. If you have multiple sources
             per collector, add multiple -n options. All exporters send the flows to the same port -p.  Do not
             mix single source configuration -I with multiple -n options.

     -M flowdir
             Set the flow directory for dynamic allocated exporters. New exporters are dynamically added when
             sending data.  All exporters send netflow data to the same port and IP. For each dynamically added
             source, a new sub directory is created under flowdir with the name of the IP address of the
             exporter. All '.' and ':' in IP addresses are replaced by '-'.

     -D      Set daemon mode: fork to background and detach from terminal.  sfcapd terminates on signal TERM,
             INT or HUP.

     -P pidfile
             Writes the running process ID into pidfile.  Use this option to integrate sfcapd in start/stop
             files.

     -u userid
             Drop privileges of running process to user userid.  sfcapd needs to be started as user root.

     -g groupid
             Drop privileges of running process to group groupid.  sfcapd needs to be started as user root.

     -B bufflen
             Sets the network socket input buffer to bufflen bytes. For high volume traffic it is recommended to
             raise this value to typically > 100k, otherwise you risk losing packets. The default is OS (and
             kernel) dependent.

     -S num  Adds an additional directory sub hierarchy to store the data files. The default is 0, no sub
             hierarchy, which means all files go directly into flowdir.  The flowdir is concatenated with the
             specified sub hierarchy format to create the final data directory.  The following hierarchies are
             defined:
             0 default     no hierarchy levels
             1 %Y/%m/%d    year/month/day
             2 %Y/%m/%d/%H year/month/day/hour
             3 %Y/%W/%u    year/week_of_year/day_of_week
             4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
             5 %Y/%j       year/day-of-year
             6 %Y/%j/%H    year/day-of-year/hour
             7 %Y-%m-%d    year-month-day
             8 %Y-%m-%d/%H year-month-day/hour

     -t interval
             Sets the time interval in seconds to rotate files. The default value is 300s (5min).  The
             smallest available interval is 2s.

     -z=lzo  Compress flow files with LZO1X-1 compression. Fastest compression.

     -z=bz2  Compress flow files with bz2 compression. Slow but most efficient. It is not recommended to use bz2
             for real-time capturing.

     -z=lz4[:level]
             Compress flow files with LZ4 compression. Fast and efficient. Optional level should be between
             1..10. Changing the level results in smaller files but uses up more time to compress. Levels > 5
             may need more workers. See -W.

     -z=zstd[:level]
             Compress flow files with ZSTD compression. Fast and efficient. Optional level should be between
             1..10. Changing the level results in smaller files but uses up more time to compress. Levels > 5
             may need more workers. See -W.

     -W num  Sets the number of workers to compress flows. Defaults to 4. Must not be greater than the number of
             cores online. Useful for higher levels of compression for lz4 or zstd and large amount of flows per
             second.

     -e      Sets auto-expire mode. At the end of every rotate interval -t sfcapd runs an expire cycle to delete
             files according to max lifetime and max filesize as defined by nfexpire(1).

     -x command
             At the end of every -t interval and after the file rotate has completed, sfcapd runs the command
             command.  The string for command may contain the following place holders, which are expanded before
             running:
             %f   File name of new data file including any sub hierarchy.
             %d   Top flowdir.  The full path of the new file is: %d/%f
             %t   Time slot string in ISO format e.g. 201107110845.
             %u   Time slot string in UNIX time format.
             %i   Identification string ident supplied by -I
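
             A hook suitable for -x, as an added example that is not part of nfdump: it takes the expanded
             %d, %f and %t values, refuses any file that resolves outside flowdir, and appends a SHA-256
             record to a manifest. The script path, user name, manifest name and the use of GNU sha256sum
             are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of nfdump: a post-rotation hook for sfcapd -x.
# Hypothetical wiring (paths and user are assumptions; options are from this page):
#   sfcapd -w /var/flows -S 1 -u sflow -g sflow -x '/usr/local/bin/seal-flow %d %f %t'

MANIFEST="SHA256SUMS.log"   # assumed manifest name, kept in the top flowdir

# seal_flow_file FLOWDIR FILE SLOT   (FLOWDIR=%d, FILE=%f, SLOT=%t)
# Appends "slot  sha256  relative-file" to FLOWDIR/$MANIFEST.
# Returns 2 on bad arguments, 3 if FILE is not a regular file inside FLOWDIR.
seal_flow_file() {
    flowdir=$1; file=$2; slot=$3

    # %t is a digit string such as 201107110845; reject anything else.
    case $slot in
        ''|*[!0-9]*) echo "bad time slot" >&2; return 2 ;;
    esac

    # Resolve both directories physically so ".." or a symlinked
    # sub hierarchy cannot move the target outside flowdir.
    base=$(cd "$flowdir" 2>/dev/null && pwd -P) || return 2
    dir=$(cd "$(dirname "$flowdir/$file")" 2>/dev/null && pwd -P) || return 2
    target=$dir/$(basename "$file")
    case $target in
        "$base"/*) ;;
        *) echo "outside flowdir: $target" >&2; return 3 ;;
    esac
    [ -f "$target" ] && [ ! -L "$target" ] || return 3

    # Hash via stdin so the file name never reaches sha256sum's output.
    sum=$(sha256sum < "$target") || return 4
    sum=${sum%% *}
    rel=${target#"$base"/}
    printf '%s  %s  %s\n' "$slot" "$sum" "$rel" >> "$base/$MANIFEST"
}

# Act as the hook only when called with the three expanded placeholders.
if [ "$#" -eq 3 ]; then
    seal_flow_file "$1" "$2" "$3"
fi
```

             The manifest is writable by the same user that writes the flow files, so copy it to a separate
             host if it is meant to serve as tamper evidence.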

     -X extensionList
             extensionList is a ',' separated list of extensions to be stored by sfcapd.  The numbers correspond
             to the extension list in nfxV3.h. By default extensions are added dynamically to store all data
             sent by the exporter. If extensionList is given, only those elements matching the extension are
             processed and stored. Usually this option is not needed, unless for specific requirements.

     -m metricpath
             Enables the flow metric exporter. Flow metric information is sent to the UNIX socket metricpath at
             the rate specified by -i. This option may be used to export flow metric information to other systems
             such as InfluxDB or Prometheus.  Please note: The flow metric does not include the full record.
             Only the flow statistics are sent.

     -i metricrate
             Sets the interval for the flow metric exporter. This interval may be different from the file
             rotation interval -t and is therefore independent from file rotation.

     -v      Increase verbose level by 1. The verbose level may be increased for debugging purpose up to 3.

     -E      Equal to -v -v -v. Print netflow records in block format to stdout. Please note, that not all
             elements are printed, which are available in the flow record. To inspect all elements, use nfdump
             -o raw. This option is for debugging purpose only, to verify if incoming netflow data is processed
             correctly.

     -V      Print sfcapd version and exit.

     -h      Print help text on stdout with all options and exit.

RETURN VALUES

     sfcapd returns 0 on success and 255 if initialization failed.

SEE ALSO

     http://sflow.org

     https://sflow.org/developers/licensing.php

     https://github.com/sflow/sflowtool

     nfdump(1) nfcapd(1) nfpcapd(1)

BUGS

     No software without bugs! Please report any bugs back to me.