nfpcapd - Man Page

nfpcapd [options]

nfpcapd is the pcap capture daemon of the nfdump tools. It reads network packets from an interface or from a file and directly creates nfdump records. Nfdump records are written either locally to a directory in  the same format as nfcapd, or can be forwarded to a nfcapd collector somewhere else in the network. Nfpcapd is nfcapd's pcap brother and shares many options and generates the same type of files. nfpcapd likewise creates, rotates and stores files. See also nfpcap(1) for more information on common option.

nfpcapd optionally also stores pcap traffic data in separate files and uses the same rotation interval as for the netflow data. Storing pcap  traffic data file is only possible locally.

nfpcapd is multithreaded and uses separate threads for packet, netflow and pcap processing.

-i interface

Listen on this interface in promisc mode for packet processing.

-r file

Read and process packets from this file. This file is a pcap compatible file

-s snaplen

Limit the snaplen on collected packets. The default is 1522 bytes. The snaplen needs to be large enough to process all required protocols. The snaplen must not be smaller than 54 bytes.

-B cachesize

Sets the number of initial cache nodes required by the flow cache. By default the cache size is set to 512k nodes should be fine. If the cache runs out of nodes, new nodes are dynamically added.

-e active,inactive

Sets the active and inactive flow expire values in s. The default is 300,60.
Active timeout: A flow gets flushed to disk after this period even if it is still active. As a rule of thumb, it should correspond with the -t rotation  value, in order to reflect continuous traffic in the flow files.
Inactive timeout: A flow gets flushed to disk after being inactive for this  number of seconds. It frees up node resources.
On busy networks these values can be set to more aggressive timeouts.

-I IdentString ( capital letter i )

Specifies an ident string, which describes the source e.g. the  name of the interface or host. This string is put into the stat record to identify the source. Default is 'none'. Same is nfcapd(1)

-l flowdir ( letter ell )

Specifies the base directory to store the flow files.  If a sub hierarchy is specified with -S the final directory is concatenated  to base_directory/sub_hierarchy.

-p pcapdir

Store network packets in pcap compatible files in this directory and rotate files the same as the flow files. Sub hierarchy directories are applied likewise.

-H <host[/port]>

Send nfdump records to a remote nfcapd collector. Default port is 9995.

-S <num>

Allows to specify an additional directory sub hierarchy to store  the data files. The default is 0, no sub hierarchy, which means the  files go directly in the base directory (-l). The base directory (-l) is concatenated with the specified sub hierarchy format to form the final  data directory.  For a full list of hierarchies see nfcapd(1).

-t interval

Specifies the time interval in seconds to rotate files. The default value  is 300s ( 5min ). The smallest interval can be set to 2s. The intervals are in sync  with wall clock.

-P pidfile

Specify name of pidfile. Default is no pidfile.

-D

Daemon mode: fork to background and detach from terminal. Nfpcapd terminates on signal TERM, INT and HUP.

-E

Verbose flow printing. Print flows on stdout, when flushed to disk. Use verbose printing only for debugging purpose in order to see if your setup works. Running nfpcapd in verbose mode limits processing bandwidth!

-u userid

Change to the user userid as soon as possible. Only root is allowed to use this option. Uid/Gid is switched after opening the reading device.

-g groupid

Change to the group groupid as soon as possible. Only root is allowed  use this option. Uid/Gid is switched after opening the reading device.

-o option[,option]

Adds options to nfpcapd. Two options are available:
fat     Add Mac addresses, optional Vlan and MPLS labels.
payload   Add the payload bytes of the first packet of a connection.

-z=lzo

Compress flows. Use fast LZO1X-1 compression in output file.

-z=lz4

Compress flows. Use LZ4 compression in output file.

-z=bz2

Compress flows. Use bz2 compression in output file. Note: not recommended while collecting

-V

Print nfpcapd version and exit.

-h

Print help text to stdout with all options and exit.

'<filter>'

Optional pcap compatible packet filter. The filter needs to be put within quotes.

Returns 0 on success, or 255 if initialization failed.

nfpcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal operation level 'error' should be fine.  More information is reported at level 'info'.

A small statistic about the collected flows, as well as errors are reported at the end of every interval to syslog with level 'info'.

Read packets from interface eth0

Read packets from interface mx0 and store also packets in pcap files.

Send records to a remote host

nfpcapd can store records either locally or send it to a remote host but not both at the same time.
If records are sent to a remote nfcapd process, both programs nfcapd and nfpcapd must be of the same endian architecture (both big or little endian). nfpcapd uses netflow version 240 for sending flows.

The flow cache is checked in regular 10s intervals and expires flows according to the expire values. Expired flows are flushed and processed and nodes are freed up.

A smaller snaplen may improve performance, but may result in loss of information.  The smallest snaplen of 54 bytes can process regular TCP/UDP/ICMP packets. In case  of Vlan or MPLS labels, not enough information may be available for correct protocol decoding. Nfdump records may be incomplete and and set to 0.

If IP packets are fragmented, they are reassembled before processing. All IP fragments need to be reassembled in order to be passed to the next stage. If not all  fragments are correctly assembled within 15s since the first fragment arrived, all  fragments are discarded.

nfcapd(1), nfdump(1), nfexpire(1)

No software without bugs! Please report any bugs back to me.

nfcapd(1), nfdump(1), sfcapd(1).