TRAFD(8)		    System Manager's Manual		      TRAFD(8)

NAME
       trafd      -- IP traffic collector daemon.

       trafdump   -- Script to dump current traffic to disk.
       trafsave   -- Script to save current traffic to disk.
       trafstart  -- Startup script for trafd.
       trafstop   -- Shutdown script for trafd.
       trafd.sh   -- Start/stop script for trafd, placed in the `local startup
                  directory' (*/rc.d).

SYNOPSIS
       trafd [-dOprVX] [-c count] [-i iface] [-f ext] [-F file | expr]

       trafdump	[All | iface [...]]
       trafsave	[All | iface [...]]
       trafstart [All |	iface [...]]
       trafstop	[All | iface [...]]
       trafd.sh	start |	stop

DESCRIPTION
       The trafd daemon listens on the specified interface and sums all IP
       packet sizes and sub-protocol data frame lengths (tcp, udp, icmp, igmp
       and others listed in /etc/protocols, see protocols(5); or, if the
       sub-protocol is unknown, the IP data frame length).

       Trafd uses the Berkeley Packet Filter mechanism: it opens the
       pseudo-device /dev/bpf* (see bpf(4)), reads all IP packets from it and
       stores the following information in an internal table:
          source hostname or ip address
          source ip port name or number (not stored with -X option)
          destination hostname or ip address
          destination ip port name or number (not stored with -X option)
          protocol name
          protocol data frame length
          ip packet length (this is ip traffic value)

       trafd stores the buffer to the `dump' file on the SIGHUP signal (used
       in the trafdump script). It also appends the traffic table to the
       `save' file and clears the table when it receives the SIGINT signal
       (used in the trafsave script).

       trafd records its process ID in the file /var/run/trafd.<iface> to
       assist dumping, saving and quitting.

   Usage
       Trafd is a full-fledged daemon. After it is started it detaches itself
       from the tty and runs in the background.

       It is a good idea to use a startup script to launch trafd at boot
       time. This method is implemented in trafd.sh, using the rc.d mechanism
       (see /usr/local/etc/trafd.sh).

       The BPFT program set also includes two scripts: trafstart and trafstop
       (see /usr/local/bin/trafstart and /usr/local/bin/trafstop).

   Logging
       trafd uses the system logger daemon syslogd (see syslogd(8)) for
       logging various information.

       It uses the options LOG_PID, to log the process ID, and LOG_CONS, to
       write the message to the console if it cannot be passed to syslogd.
       It uses facility `daemon' and levels `info', `notice', `warning' and
       `error'. (The facility is defined in include/traffic.h, see
       SYSLOG_FACILITY.)

       If you want additional information about the condition of your daemon,
       i.e. what it is doing and how, set the syslog message level in your
       syslog.conf up to 'info'.

   Warnings and	recommendations.
       Before using trafd, make sure that bpf support is included in the
       kernel and that the device /dev/bpf0 (/dev/bpf1, ...) exists (the same
       requirements as for tcpdump, see tcpdump(1)).

       You must launch trafd as root or as another user with write permission
       on the /dev/bpf* devices.

       We recommend invoking trafdump frequently via cron (see cron(8)) to
       avoid losing data as a result of a system crash, and invoking trafsave
       once per day (for example, using periodic (see periodic(8)) or
       /etc/daily.local) to keep log files aligned by day. The log file is a
       small binary file; its average size per day is approximately several
       kilobytes.

       Configure syslogd to collect trafd messages into /var/log/trafd.log
       (common to trafstart and the other scripts), for example:
	     !trafd
	     *.*  /var/log/trafd.log

       After a system crash (power failure etc.) the PID file must be
       removed: insert a line like this into one of the startup scripts
       (usually rc.local):
	     rm	/var/run/trafd.ed1
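
       A guard for scripts that act on the PID file at run time (for example
       a cron wrapper around the SIGHUP/SIGINT behaviour described above): it
       signals or removes /var/run/trafd.<iface> only after checking what the
       file contains. This is an added example, not part of the BPFT
       distribution; the function names, the RUN_DIR variable and the
       one-decimal-PID file format are assumptions.

```shell
#!/bin/sh
# Added example, not part of BPFT. Assumes the PID file holds one decimal PID.
RUN_DIR="${RUN_DIR:-/var/run}"    # overridable so the logic can be tried safely

# trafd_pid IFACE: print the PID recorded for IFACE if that process is alive.
# Returns 0 = alive, 1 = no PID file, 2 = stale or malformed, 64 = bad IFACE.
trafd_pid() {
    case "$1" in
        ''|*/*) return 64 ;;          # keep IFACE from escaping RUN_DIR
    esac
    pidfile="$RUN_DIR/trafd.$1"
    [ -f "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|0*|*[!0-9]*) return 2 ;;   # empty, non-numeric, or 0 (process group)
    esac
    # kill -0 only shows that some process owns this PID (run as root);
    # it cannot tell trafd from an unrelated process that reused the PID.
    kill -0 "$pid" 2>/dev/null || return 2
    echo "$pid"
}

# trafd_clean_stale IFACE: remove the PID file only if it is stale/malformed.
trafd_clean_stale() {
    rc=0
    trafd_pid "$1" >/dev/null || rc=$?
    if [ "$rc" -eq 2 ]; then
        rm -f "$RUN_DIR/trafd.$1"
    fi
    return 0
}

# trafd_signal IFACE dump|save: SIGHUP writes the dump file, SIGINT appends
# to the save file and clears the table (signal meanings from this page).
trafd_signal() {
    case "$2" in
        dump) sig=HUP ;;
        save) sig=INT ;;
        *)    return 64 ;;
    esac
    pid=$(trafd_pid "$1") || return $?
    kill -s "$sig" "$pid"
}
```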

OPTIONS
       -c count    Collate count number of packets and exit.

       -i iface    Interface name to listen on. Currently supported types:
                   ethernet, slip, ppp, loopback (see details in pcap(3) and
                   tcpdump(1) man pages). See also the "ENVIRONMENT" section
                   of this man page.

       -f ext      Specify extension for traffic save & dump files (interface
                   name by default).

       -d          Print compiled packet-matching code and exit (see
                   tcpdump(1) for details).

       -F file     File with packet filter expression.

       -m minsize  Minimal record summary size for saving into the file with
                   collected traffic via trafsave. Records with values less
                   than minsize in the 'all' field are summed into one and
                   saved as the last record (to decrease file size). Default
                   value is 1024 bytes.

       -O          Turn off the packet-matching code optimizer (see pcap(3)
                   for details).

       -p          Don't put the interface into promiscuous mode (has no
                   effect on point-to-point links, affects ethernet).

       -r          Attempt to resume data from the dumped file if it exists.

       -V          Print version number and exit.

       -X          Use only ip information (don't store ports and protocol,
                   store ip data frame length in the `Data' field).

       expr        Packet filter expression (see tcpdump(1) for details).

EXIT STATUS
       1    Error (file not found, permission denied, etc.)
       0    Normal completion: daemon started.
       127  Illegal command line parameter(s).

SIGNALS
       SIGHUP	Backup collected traffic records into dump file.
       SIGINT	Append collected traffic records into save file.
       SIGTERM
       SIGQUIT	Backup traffic and exit.

ENVIRONMENT
       IFF_LISTEN  Set the name of the network interface to listen on; same
                   as `-i iface', and -i overrides its value.

FILES
       /var/log/trafd.log
	    Log	file for trafstart, trafstop and trafd.sh

       /var/trafd/trafd.*
            Files with saved traffic statistics tables (binary).

       /var/trafd/tmp/trafd.*
	    Files with traffic dumps (binary).

       /var/tmp/trafd.*
            Sockets for sending data to trafstatd etc. These files may be
            deleted by the boot-time tmp cleaning process.

       /var/run/trafd.*
	    Trafd PID files

EXAMPLES
COMPATIBILITY
       Version 4.0 of trafd stores traffic information in a format
       incompatible with previous versions. (However, if trafd is compiled
       with #define LAYOUT=OLD, it uses the format compatible with previous
       versions.)

       Tested on: BSDI BSD/386 1.0 (BPFT versions 1.0-2.0), FreeBSD 2.2.8
       (BPFT version 2.0), FreeBSD 3.0 and above, FreeBSD 4.0 and above (BPFT
       version 3.0 and above).

       BPFT versions 3.*, 4.* work only on FreeBSD 3.0 and above: the
       required library pcap (see pcap(3)) is not present in previous
       versions of FreeBSD.

SEE ALSO
       traflog(1), trafstatd(8), trafstat(1), trafshow(1), bpf(4).

AUTHORS
       Vladimir	Vorobyev <bob@turbo.nsk.su>
             author of the BPFT project, versions 1.0..2.0
       Vitaly V. Belekhov <vitaly@riss-telecom.ru>
	     3.0 release
       Stas Degteff <g@grumbler.org>
	     4.0 release, man pages

BUGS
       If trafd runs on a slow, very busy computer or on a very fast IP
       channel, it cannot read all packets from the kernel and some packets
       are dropped. Trafd checks this on each dump/save event and stores the
       number of dropped packets in the log (if logging to syslog, it is
       written at the `error' level).

FreeBSD	ports 15.quarterly    September	11, 2001		      TRAFD(8)
