FreeBSD Manual Pages
nfpcapd(1)							    nfpcapd(1)

NAME
       nfpcapd - pcap capture to netflow daemon

SYNOPSIS

       nfpcapd [options]

DESCRIPTION
       nfpcapd is the pcap capture daemon of the nfdump tools. It reads
       network packets from an interface or from a file and directly creates
       nfdump records. Nfdump records are written either locally to a
       directory in the same format as nfcapd, or can be forwarded to a
       nfcapd collector somewhere else in the network. Nfpcapd is nfcapd's
       pcap brother: it shares many options and generates the same type of
       files. nfpcapd likewise creates, rotates and stores files. See also
       nfcapd(1) for more information on the common options.

       nfpcapd optionally also stores the pcap traffic data in separate files,
       rotated at the same interval as the netflow data. Storing pcap traffic
       data is only possible locally.

       nfpcapd	is multithreaded and uses separate threads for packet, netflow
       and pcap	processing.

OPTIONS
       -i interface
	  Listen on this interface in promisc mode for packet processing.

       -r file
	  Read and process packets from this file instead of an interface.
	  The file must be in pcap compatible format.

       -s snaplen
	  Limit	the snaplen on collected packets. The default is  1522	bytes.
	  The  snaplen needs to	be large enough	to process all required	proto-
	  cols.	The snaplen must not be	smaller	than 54	bytes.

       -B cachesize
	  Sets the number of cache nodes initially allocated for the flow
	  cache. The default of 512k nodes should be fine. If the cache runs
	  out of nodes, new nodes are added dynamically.

       -e active,inactive
	  Sets the active and inactive flow expire values in seconds. The
	  default is 300,60.
	  Active timeout: A flow gets flushed to disk after this  period  even
	  if it	is still active. As a rule of thumb, it	should correspond with
	  the -t rotation value, in order to reflect continuous	traffic	in the
	  flow files.
	  Inactive  timeout:  A	flow gets flushed to disk after	being inactive
	  for this number of seconds. It frees up node resources.
	  On busy networks these values	can be set to  more  aggressive	 time-
	  outs.

       -I IdentString ( capital letter i )
	  Specifies an ident string which describes the source, e.g. the name
	  of the interface or host. This string is put into the stat record to
	  identify the source. Default is 'none'. Same as in nfcapd(1).

       -l flowdir ( letter ell )
	  Specifies the	base directory to store	the flow files.	 If a sub  hi-
	  erarchy  is specified	with -S	the final directory is concatenated to
	  base_directory/sub_hierarchy.

       -p pcapdir
	  Store	network	packets	in pcap	compatible files in this directory and
	  rotate files the same	as the flow files. Sub	hierarchy  directories
	  are applied likewise.

       -H <host[/port]>
	  Send	nfdump	records	 to a remote nfcapd collector. Default port is
	  9995.

       -S <num>
	  Allows to specify an additional directory sub	hierarchy to store the
	  data files. The default is 0,	no  sub	 hierarchy,  which  means  the
	  files	 go  directly  in  the base directory (-l). The	base directory
	  (-l) is concatenated with the	specified sub hierarchy	format to form
	  the final data directory.  For a full	list of	 hierarchies  see  nf-
	  capd(1).

       -t interval
	  Specifies  the time interval in seconds to rotate files. The default
	  value	is 300s	( 5min ). The smallest interval	can be set to 2s.  The
	  intervals are	in sync	with wall clock.

       -P pidfile
	  Specify name of pidfile. Default is no pidfile.

       -D Daemon  mode:	 fork to background and	detach from terminal.  Nfpcapd
	  terminates on	signal TERM, INT and HUP.

       -E Verbose flow printing. Print flows on	stdout,	when flushed to	 disk.
	  Use  verbose	printing only for debugging purpose in order to	see if
	  your setup works. Running nfpcapd in verbose mode limits  processing
	  bandwidth!

       -u userid
	  Change to the user userid as soon as possible. Only root is allowed
	  to use this option. The uid/gid switch happens after the capture
	  device has been opened, so the capture itself does not require the
	  daemon to keep running as root.

       -g groupid
	  Change to the group groupid as soon as possible. Only root is
	  allowed to use this option. The uid/gid switch happens after the
	  capture device has been opened.

       -o option[,option]
	  Adds options to nfpcapd. Two options are available:
	  fat	    Add MAC addresses and, if present, VLAN and MPLS labels.
	  payload   Add the payload bytes of the first packet of a connection.

       -z=lzo
	  Compress flows. Use fast LZO1X-1 compression in output file.

       -z=bz2
	  Compress flows. Use bz2 compression in output	file. Note: not	recom-
	  mended while collecting

       -z=lz4[:level]
	  Compress flows. Use LZ4 compression in output	file.

       -z=zstd[:level]
	  Compress flows. Use zstd compression in output file.

       -W workers
	  Sets the number of workers to	compress flows.	Defaults  to  4.  Must
	  not  be  greater  than the number of cores online. Useful for	higher
	  levels of compression	for lz4	or zstd	and large amount of flows  per
	  second.

       -V Print	nfpcapd	version	and exit.

       -h Print	help text to stdout with all options and exit.

       '<filter>'
	  Optional  pcap  compatible packet filter. The	filter needs to	be put
	  within quotes.
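       The following shell wrapper is an added example and not part of nfdump;
       it assembles an nfpcapd command line from the options above, checks the
       constraints this page documents before the daemon is ever started
       (snaplen of at least 54 bytes, rotation interval of at least 2s,
       active timeout matching the rotation interval, -l and -H being mutually
       exclusive, -p requiring local storage), and stops a running instance via
       its pidfile using TERM. The interface names, directories and the
       collector address are placeholders; nfpcapd itself is only printed,
       not executed.

```shell
#!/bin/sh
# Added example (not nfdump's own code): build and sanity-check an nfpcapd
# command line, and stop a running instance through its pidfile.

# build_nfpcapd_cmd IFACE SNAPLEN ROTATE ACTIVE INACTIVE FLOWDIR REMOTE PCAPDIR [FILTER]
# Prints the command line on stdout; returns 1 on a documented constraint
# violation. Pass "" for FLOWDIR, REMOTE or PCAPDIR to leave them out.
build_nfpcapd_cmd() {
    iface=$1 snaplen=$2 rotate=$3 active=$4 inactive=$5
    flowdir=$6 remote=$7 pcapdir=$8 filter=$9

    # -s: must not be smaller than 54 bytes (enough for plain TCP/UDP/ICMP;
    # VLAN or MPLS encapsulation needs more, or records end up incomplete).
    [ "$snaplen" -ge 54 ] || { echo "snaplen $snaplen < 54" >&2; return 1; }
    # -t: the smallest rotation interval is 2s.
    [ "$rotate" -ge 2 ] || { echo "rotation interval $rotate < 2s" >&2; return 1; }
    # -e: the active timeout should match -t so files reflect continuous traffic.
    [ "$active" -eq "$rotate" ] || echo "warning: active timeout $active != rotation $rotate" >&2
    # Records go either to a local directory (-l) or to a remote nfcapd (-H), not both.
    if [ -n "$flowdir" ] && [ -n "$remote" ]; then
        echo "choose either -l or -H, not both" >&2; return 1
    fi
    [ -n "$flowdir" ] || [ -n "$remote" ] || { echo "need -l or -H" >&2; return 1; }
    # Storing pcap files (-p) is only possible with local storage.
    if [ -n "$pcapdir" ] && [ -z "$flowdir" ]; then
        echo "-p requires local storage (-l)" >&2; return 1
    fi

    cmd="nfpcapd -i $iface -s $snaplen -t $rotate -e $active,$inactive"
    [ -n "$flowdir" ] && cmd="$cmd -l $flowdir"
    [ -n "$remote" ]  && cmd="$cmd -H $remote"
    [ -n "$pcapdir" ] && cmd="$cmd -p $pcapdir"
    # The optional pcap filter must be the last argument and quoted.
    [ -n "$filter" ]  && cmd="$cmd '$filter'"
    printf '%s\n' "$cmd"
}

# stop_nfpcapd PIDFILE: nfpcapd terminates cleanly on TERM; give it 5s.
stop_nfpcapd() {
    pidfile=$1
    [ -r "$pidfile" ] || { echo "no pidfile $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    kill -TERM "$pid" 2>/dev/null || return 1
    wait "$pid" 2>/dev/null || true     # reaps it if it happens to be our child
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 5 ]; do
        sleep 1; i=$((i + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        echo "pid $pid still running after TERM" >&2; return 1
    fi
    rm -f "$pidfile"
}

# Example run (placeholder interface and paths): print the full daemon command
# line with daemon mode, pidfile and a drop to an unprivileged account.
if [ "${1:-}" = "--demo" ]; then
    base=$(build_nfpcapd_cmd eth0 1522 300 300 60 /netflow/flows "" /netflow/caps 'not port 22') || exit 1
    printf '%s -D -P /var/run/nfpcapd.pid -u nfdump -g nfdump\n' "$base"
fi
```

       Run it as "sh wrapper.sh --demo" to see the assembled command line; the
       -u/-g switch happens after the capture device is open, which is why the
       account named there needs no capture privileges of its own.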

RETURN VALUE
       Returns 0 on success, or	255 if initialization failed.

LOGGING
       nfpcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON.	For normal op-
       eration level 'error' should be fine.  More information is reported  at
       level 'info'.

       A  small	statistic about	the collected flows, as	well as	errors are re-
       ported at the end of every interval to syslog with level	'info'.

EXAMPLES
       Read packets from interface eth0, store flows locally with a sub
       hierarchy, and compress them with lz4
	      nfpcapd -i eth0 -z=lz4 -D -l /netflow/flows -S 2 -I any -P
	      /var/run/nfpcapd.pid

       Read packets from interface vmx0 and also store the packets in pcap
       files
	      nfpcapd -i vmx0 -z=lz4 -D -l /netflow/flows -p /netflow/caps

       Send records to a remote nfcapd collector on port 12344, with shorter
       expire values
	      nfpcapd -i eth1 -H 192.168.200.10/12344 -D -e 60,20

NOTES
       nfpcapd can store records either locally or send them to a remote
       host, but not both at the same time.
       If records are sent to a remote nfcapd process, both programs nfcapd
       and nfpcapd must be of the same endian architecture (both big or
       little endian). nfpcapd uses netflow version 240 for sending flows.

       The  flow  cache	 is checked in regular 10s intervals and expires flows
       according to the	expire values. Expired flows are flushed and processed
       and nodes are freed up.

       A smaller snaplen may improve performance, but may result in loss of
       information. The smallest snaplen of 54 bytes can process regular
       TCP/UDP/ICMP packets. In case of VLAN or MPLS labels, not enough
       information may be available for correct protocol decoding; the
       affected fields of the nfdump records may be incomplete and set to 0.

       If  IP  packets are fragmented, they are	reassembled before processing.
       All IP fragments	need to	be reassembled in order	to be  passed  to  the
       next  stage.  If	 not  all fragments are	correctly assembled within 15s
       since the first fragment	arrived, all fragments are discarded.

SEE ALSO
       nfcapd(1), nfdump(1), nfexpire(1)

BUGS
       No software without bugs! Please	report any bugs	back to	me.

				  2023-05-23			    nfpcapd(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=nfpcapd&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>