nfpcapd - Man Page
pcap capture to netflow daemon
Synopsis
nfpcapd [options]
Description
nfpcapd is the pcap capture daemon of the nfdump tools. It reads network packets from an interface or from a file and directly creates nfdump records. Nfdump records are written either locally to a directory in the same format as nfcapd, or can be forwarded to a nfcapd collector somewhere else in the network. Nfpcapd is nfcapd's pcap brother: it shares many options and generates the same type of files. nfpcapd likewise creates, rotates and stores files. See also nfcapd(1) for more information on common options.
nfpcapd optionally also stores pcap traffic data in separate files and uses the same rotation interval as for the netflow data. Storing pcap traffic data files is only possible locally.
nfpcapd is multithreaded and uses separate threads for packet, netflow and pcap processing.
Options
- -i interface
Listen on this interface in promisc mode for packet processing.
- -r file
Read and process packets from this file. This file is a pcap compatible file.
- -s snaplen
Limit the snaplen on collected packets. The default is 1522 bytes. The snaplen needs to be large enough to process all required protocols. The snaplen must not be smaller than 54 bytes.
- -B cachesize
Sets the number of initial cache nodes required by the flow cache. By default the cache size is set to 512k nodes, which should be fine. If the cache runs out of nodes, new nodes are dynamically added.
- -e active,inactive
Sets the active and inactive flow expire values in s. The default is 300,60.
Active timeout: A flow gets flushed to disk after this period even if it is still active. As a rule of thumb, it should correspond with the -t rotation value, in order to reflect continuous traffic in the flow files.
Inactive timeout: A flow gets flushed to disk after being inactive for this number of seconds. It frees up node resources.
On busy networks these values can be set to more aggressive timeouts.
- -I IdentString ( capital letter i )
Specifies an ident string, which describes the source, e.g. the name of the interface or host. This string is put into the stat record to identify the source. Default is 'none'. Same as nfcapd(1).
- -l flowdir ( letter ell )
Specifies the base directory to store the flow files. If a sub hierarchy is specified with -S the final directory is concatenated to base_directory/sub_hierarchy.
- -p pcapdir
Store network packets in pcap compatible files in this directory and rotate files the same as the flow files. Sub hierarchy directories are applied likewise.
- -H <host[/port]>
Send nfdump records to a remote nfcapd collector. Default port is 9995.
- -S <num>
Allows specifying an additional directory sub hierarchy to store the data files. The default is 0, no sub hierarchy, which means the files go directly in the base directory (-l). The base directory (-l) is concatenated with the specified sub hierarchy format to form the final data directory. For a full list of hierarchies see nfcapd(1).
- -t interval
Specifies the time interval in seconds to rotate files. The default value is 300s ( 5min ). The smallest interval can be set to 2s. The intervals are in sync with the wall clock.
- -P pidfile
Specify name of pidfile. Default is no pidfile.
- -D
Daemon mode: fork to background and detach from terminal. Nfpcapd terminates on signal TERM, INT and HUP.
- -d
De-duplicate packets with a window size of 4. This option is useful if packets in a pcap file are duplicated for some unknown reason. If packets on multiple span ports are sent to the collector, they get de-duplicated within the window size. Note: The de-duplication works on the IP layer to the end of the packet, which means layer 1 and VLAN/MPLS layers are stripped. If used together with -p, the resulting pcaps are de-duplicated as well.
- -E
Verbose flow printing. Print flows on stdout, when flushed to disk. Use verbose printing only for debugging purpose in order to see if your setup works. Running nfpcapd in verbose mode limits processing bandwidth!
- -u userid
Change to the user userid as soon as possible. Only root is allowed to use this option. Uid/Gid is switched after opening the reading device.
- -g groupid
Change to the group groupid as soon as possible. Only root is allowed to use this option. Uid/Gid is switched after opening the reading device.
- -o option[,option]
Adds options to nfpcapd. Two options are available:
fat Add Mac addresses, optional Vlan and MPLS labels.
payload Add the payload bytes of the first packet of a connection.
- -z=lzo
Compress flows. Use fast LZO1X-1 compression in output file.
- -z=bz2
Compress flows. Use bz2 compression in output file. Note: not recommended while collecting
- -z=lz4[:level]
Compress flows. Use LZ4 compression in output file.
- -z=zstd[:level]
Compress flows. Use zstd compression in output file.
- -W workers
Sets the number of workers to compress flows. Defaults to 4. Must not be greater than the number of cores online. Useful for higher levels of compression for lz4 or zstd and large amount of flows per second.
- -V
Print nfpcapd version and exit.
- -h
Print help text to stdout with all options and exit.
- '<filter>'
Optional pcap compatible packet filter. The filter needs to be put within quotes.
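The -d de-duplication described above, modelled as an added example that is not nfdump code: it follows the man page's description (compare from the IP layer to the end of the packet, with Ethernet, VLAN and MPLS headers stripped, within a window of 4 packets); the hashing, the frame builder and the sample packets are assumptions made for illustration.

```python
# Added example (not nfdump code): a model of the -d behaviour described above,
# comparing packets from the IP header to the end of the packet, with the
# Ethernet, 802.1Q VLAN and MPLS headers stripped, over a window of 4 packets.
from collections import deque
import hashlib
import struct

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800


def ip_layer(frame):
    """Bytes from the IP header onward: layer 2, VLAN tags and MPLS labels stripped."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    while ethertype == ETH_VLAN:            # 802.1Q tags are 4 bytes; may be stacked
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype == ETH_MPLS:               # 4-byte label entries until bottom-of-stack
        while not frame[off + 2] & 0x01:
            off += 4
        off += 4
    return frame[off:]


class Dedup:
    """Flag a packet whose IP-layer bytes equal one of the last `window` packets."""

    def __init__(self, window=4):
        self.recent = deque(maxlen=window)

    def is_duplicate(self, frame):
        digest = hashlib.sha256(ip_layer(frame)).digest()
        if digest in self.recent:
            return True                     # e.g. the same packet seen on a second span port
        self.recent.append(digest)
        return False


def frame(ip_packet, vlan=None, mpls=None):
    """Constructed test input: an Ethernet frame around ip_packet, optionally tagged."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan)     # TPID + TCI (VID in low 12 bits)
    if mpls is not None:
        # label << 12 | TC << 9 | S << 8 | TTL; one label with the S (bottom) bit set
        return eth + struct.pack("!HI", ETH_MPLS, (mpls << 12) | 0x100 | 64) + ip_packet
    return eth + struct.pack("!H", ETH_IPV4) + ip_packet
```

The window means a packet repeated more than four packets later is counted again, which is the trade-off the fixed window size implies.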
Return Value
Returns 0 on success, or 255 if initialization failed.
Logging
nfpcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal operation level 'error' should be fine. More information is reported at level 'info'.
A small statistic about the collected flows, as well as errors are reported at the end of every interval to syslog with level 'info'.
Examples
Read packets from interface eth0
nfpcapd -i eth0 -j -D -l /netflow/flows -S 2 -I any -P /var/run/nfpcapd.pid
Read packets from interface vmx0 and also store packets in pcap files.
nfpcapd -i vmx0 -j -D -l /netflow/flows -p /netflow/caps
Send records to a remote host
nfpcapd -i eth1 -H 192.168.200.10/12344 -D -e 60,20
Notes
nfpcapd can store records either locally or send them to a remote host, but not both at the same time.
If records are sent to a remote nfcapd process, both programs nfcapd and nfpcapd must be of the same endian architecture (both big or little endian). nfpcapd uses netflow version 240 for sending flows.
The flow cache is checked in regular 10s intervals and expires flows according to the expire values. Expired flows are flushed and processed and nodes are freed up.
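The -e active,inactive timeouts and the 10s check interval just described, modelled as an added example that is not nfdump code; the cache structure, the 5-tuple keys and the packet timestamps are assumptions made for illustration. It also shows why the active timeout should match -t: a long-lived flow yields one record per rotation interval only when the two agree.

```python
# Added example (not nfdump code): a model of the nfpcapd flow cache as the man
# page describes it. -e active,inactive sets the timeouts in seconds (default
# 300,60), the cache is checked every 10 s, expired flows are flushed, nodes freed.
from dataclasses import dataclass

CHECK_INTERVAL = 10  # s, the regular expiry check interval from the Notes


@dataclass
class Node:
    key: tuple     # constructed 5-tuple (src, dst, proto, sport, dport)
    first: float   # time of the first packet of this flow record
    last: float    # time of the most recent packet
    packets: int = 0


class FlowCache:
    def __init__(self, active=300, inactive=60):
        self.active, self.inactive = active, inactive
        self.nodes = {}        # live nodes keyed by 5-tuple
        self.flushed = []      # records written out: (key, first, last, packets, reason)
        self.next_check = CHECK_INTERVAL

    def packet(self, ts, key):
        # Expiry runs at fixed 10 s ticks, not per packet, so catch up first.
        while ts >= self.next_check:
            self.expire(self.next_check)
            self.next_check += CHECK_INTERVAL
        node = self.nodes.get(key)
        if node is None:   # a flushed flow that keeps sending starts a new node
            node = self.nodes[key] = Node(key, ts, ts)
        node.last = ts
        node.packets += 1

    def expire(self, now):
        for key, n in list(self.nodes.items()):
            active = now - n.first >= self.active      # still sending, flushed anyway
            inactive = now - n.last >= self.inactive   # quiet flow, node freed
            if active or inactive:
                self.flushed.append((key, n.first, n.last, n.packets, "active" if active else "inactive"))
                del self.nodes[key]


def replay(packets, end, active=300, inactive=60):
    """Feed (timestamp, 5-tuple) pairs, run the checks up to `end`, return flushed records."""
    cache = FlowCache(active, inactive)
    for ts, key in packets:
        cache.packet(ts, key)
    while cache.next_check <= end:
        cache.expire(cache.next_check)
        cache.next_check += CHECK_INTERVAL
    return cache.flushed
```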
A smaller snaplen may improve performance, but may result in loss of information. The smallest snaplen of 54 bytes can process regular TCP/UDP/ICMP packets. In case of Vlan or MPLS labels, not enough information may be available for correct protocol decoding. Nfdump records may be incomplete and set to 0.
If IP packets are fragmented, they are reassembled before processing. All IP fragments need to be reassembled in order to be passed to the next stage. If not all fragments are correctly assembled within 15s since the first fragment arrived, all fragments are discarded.
See Also
Bugs
No software without bugs! Please report any bugs back to me.
Referenced By
nfcapd(1), nfdump(1), sfcapd(1).