nfpcapd - Man Page

pcap capture to netflow daemon

Synopsis

nfpcapd [options]

Description

nfpcapd is the pcap capture daemon of the nfdump tools. It reads network packets from an interface or from a file and directly creates nfdump records. Nfdump records are written either locally to a directory in  the same format as nfcapd, or can be forwarded to a nfcapd collector somwhere else in the network. Nfpcapd is nfcapd's pcap brother and shares many options and generates the same type of files. nfpcapd likewise creates, rotates and stores files. See also nfpcap(1) for more information on common option.

nfpcapd optionally also stores pcap traffic data in separate files and uses the same rotation interval as for the netflow data. Storing pcap  traffic data file is only possible locally.

nfpcapd is multithreaded and uses separate threads for packet, netflow and pcap processing.

Options

-i interface

Listen on this interface in promisc mode for packet processing.

-r file

Read and process packets from this file. This file is a pcap compatible file

-s snaplen

Limit the snaplen on collected packets. The default is 1522 bytes. The snaplen needs to be large enough to process all required protocols. The snaplen must not be smaller than 54 bytes.

-B cachesize

Sets the number of initial cache nodes required by the flow cache. By default the cache size is set to 512k nodes should be fine. If the cache runs out of nodes, new nodes are dynamically added.

-e active,inactive

Sets the active and inactive flow expire values in s. The default ist 300,60.
Active timeout: A flow gets flushed to disk after this period even if it is still active. As a rule of thumb, it should correspond with the -t rotation  value, in order to reflect continous traffic in the flow files.
Inactive timeout: A flow gets flushed to disk after being inactive for this  number of seconds. It frees up node recources.
On busy networks these values can be set to more aggressive timeouts.

-I IdentString ( capital letter i )

Specifies an ident string, which describes the source e.g. the  name of the interface or host. This string is put into the stat record to identify the source. Default is 'none'. Same is nfcapd(1)

-l flowdir ( letter ell )

Specifies the base directory to store the flow files.  If a sub hierarchy is specified with -S the final directory is concatenated  to base_directory/sub_hierarchy.

-p pcapdir

Store network packets in pcap compatible files in this directory and rotate files the same as the flow files. Sub hierarchy directories are applied likewise.

-H <host[/port]>

Send nfdump records to a remote nfcapd collector. Default port is 9995.

-S <num>

Allows to specify an additional directory sub hierarchy to store  the data files. The default is 0, no sub hierarchy, which means the  files go directly in the base directory (-l). The base directory (-l) is concatenated with the specified sub hierarchy format to form the final  data directory.  For a full list of hierarchies see nfcapd(1).

-t interval

Specifies the time interval in seconds to rotate files. The default value  is 300s ( 5min ). The smallest interval can be set to 2s. The intervalls are in sync  with wall clock.

-P pidfile

Specify name of pidfile. Default is no pidfile.

-D

Daemon mode: fork to background and detach from terminal. Nfpcapd terminates on signal TERM, INT and HUP.

-E

Verbose flow printing. Print flows on stdout, when flushed to disk. Use verbose printing only for debugging purpose in oder to see if your setup works. Running nfpcapd in verbose mode limits processing bandwith!

-u userid

Change to the user userid as soon as possible. Only root is allowed to use this option. Uid/Gid is switched after opening the reading device.

-g groupid

Change to the group groupid as soon as possible. Only root is allowed  use this option. Uid/Gid is switched after opening the reading device.

-o option[,option]

Adds options to nfpcapd. Two options are available:
fat     Add Mac addresses, optional Vlan and MPLS labels.
payload   Add the payload bytes of the first packet of a connection.

-j

Compress flows. Use bz2 compression in output file. Note: not recommended while collecting

-y

Compress flows. Use LZ4 compression in output file.

-z

Compress flows. Use fast LZO1X-1 compression in output file.

-V

Print nfpcapd version and exit.

-h

Print help text to stdout with all options and exit.

'<filter>'

Optional pcap compatible packet filter. The filter needs to be put within quotes.

Return Value

Returns 0 on success, or 255 if initialization failed.

Logging

nfpcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal operation level 'error' should be fine.  More information is reported at level 'info'.

A small statistic about the collected flows, as well as errors are reported at the end of every interval to syslog with level 'info'.

Examples

Read packets from interface eth0

nfpcapd -i eth0 -j -D -l /netflow/flows -S 2 -I any -P /var/run/nfpcapd.pid

Read packets from interface mx0 and store also packets in pcap files.

nfpcapd -i vmx0 -j -D -l /netflow/flows -p /netflow/caps

Send records to a remote host

nfpcapd -i eth1 -H 192.168.200.10/12344 -D -e 60,20

Notes

nfpcapd can store records either locally or send it to a remote host but not both at the same time.
If records are sent to a remote nfcapd process, both programs nfcapd and nfpcapd must be of the same endian architecture (both big or little endian). nfpcapd uses netflow version 240 for sending flows.

The flow cache is checked in regular 10s intervalls and expires flows according to the expire values. Expired flows are flushed and processed and nodes are freed up.

A smaller snaplen may improve performance, but may result in loss of information.  The smallest snaplen of 54 bytes can process regular TCP/UDP/ICMP packets. In case  of Vlan or MPLS labels, not enough information may be abailable for correct protocol decoding. Nfdump records may be incomplete and and set to 0.

If IP packets are fragmented, they are reassembled before processing. All IP fragments need to be reassembled in order to be passed to the next stage. If not all  fragments are correctly assembled withing 15s since the first fragment arrived, all  fragments are discarded.

See Also

nfcapd(1), nfdump(1), nfexpire(1)

Bugs

No software without bugs! Please report any bugs back to me.

Referenced By

nfcapd(1), nfdump(1), sfcapd(1).

2021-05-23