
flow-capture(1)                                                flow-capture(1)

NAME

       flow-capture  —  Receive  NetFlow  exports  and  store  them to disk as
       rotating flow files.

SYNOPSIS

       flow-capture [-hu]  [-b big|little]  [-C  comment]   [-c  flow_clients]
       [-d  debug_level]  [-D daemonize]  [-e expire_count]  [-f filter_fname]
       [-F  filter_definition]   [-E   expire_size]    [-n   rotations]    [-N
       nesting_level]   [-p  pidfile]  [-R rotate_program]  [-S stat_interval]
       [-t  tag_fname]    [-T   active_def|active_def,active_def   ...]    [-V
       pdu_version]    [-z   z_level]   -w   workdir   [-x  xlate_fname]   [-X
       xlate_definition] localip/remoteip/port

DESCRIPTION

       The flow-capture utility receives NetFlow exports and stores them  to
       disk.  The flow files are rotated rotations times per day, and expira-
       tion of old flow files can be configured by number of files or  total
       space  utilization.   Files are stored in workdir and can optionally be
       stored in additional levels of directories.  Active files created  by
       flow-capture begin with ’tmp’.  Files that are complete begin with ’ft’.

       When remoteip is configured, only flows from that exporter  are  pro-
       cessed;  this  is the most secure and recommended configuration.  Note
       that it is a source-address filter on unauthenticated UDP,  not  auth-
       entication:  the  exporter  address can be spoofed, so the port should
       also be restricted with a host or network firewall.  When localip  is
       configured,  flow-capture  only  processes  flows sent to that local IP
       address.  If remoteip is 0 (not configured), flows  from  any  source
       IP  address  are  accepted.   Multiple  non-aggregated PDU versions may
       be accepted at once to support Cisco’s Catalyst 6500 NetFlow implemen-
       tation,  which  exports from both the supervisor and MSFC with the same
       IP address and port but different export versions.  In this case  the
       exports  are  stored  in the format specified by pdu_version (-V) or,
       failing that, in whichever export type is received first.

       NetFlow exports are UDP and do  not  employ  congestion  control  or  a
       retransmission  mechanism.   If  the server running flow-capture is too
       busy, or the network is congested or lossy, NetFlow  exports  will  be
       lost.   An estimate of lost flows is recorded in the flow files and is
       logged via syslog.  Most servers provide a count  of  packets  dropped
       due  to  full socket buffers via the netstat utility.  For example, on
       BSD systems netstat -s | grep full prints the count of UDP packets
       dropped due to full socket buffers; on Linux the corresponding line in
       the Udp: section of netstat -s reads ’receive buffer errors’.  If this
       is a persistent occurrence, either flow-capture needs a larger  server
       or the compression level should be decreased with -z.
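
       The following script is an added example for the paragraph above; it
       is not part of flow-tools.  It parses the UDP counters that netstat -s
       reports, extracts the socket-buffer drop count, compares it with a
       previous sample and suggests the next -z level for flow-capture.  It
       assumes (this is not stated in the man page) that netstat -s prints the
       count first on either the Linux ’receive buffer errors’ line or the BSD
       ’dropped due to full socket buffers’ line, and that stepping -z down one
       level per interval while drops continue is an acceptable policy.

```shell
#!/bin/sh
# Added example for the flow-capture man page; this script is not part of
# flow-tools.  It reads the UDP counters netstat reports, extracts the
# socket-buffer drop count, compares it with a previous sample and suggests
# the next -z level for flow-capture.
# Assumptions (not from the man page): netstat -s prints the count first on
# either the Linux "receive buffer errors" line (Udp: section) or the BSD
# "dropped due to full socket buffers" line (udp: section); lowering -z by
# one level per interval while drops continue is an arbitrary policy.

# Print the number of UDP datagrams dropped for lack of socket buffer space,
# parsed from `netstat -s` output on stdin.  Only the udp section is
# considered, so a UdpLite counter later in the output cannot overwrite the
# result.  Prints 0 when no matching line exists.
udp_buffer_drops() {
    awk '
        /^[A-Za-z]/ { sec = tolower($1) }
        sec == "udp:" && (/receive buffer errors/ ||
                          /dropped due to full socket buffers/) { n = $1 }
        END { print n + 0 }
    '
}

# Print the number of new drops between two samples.  A counter that went
# backwards (host rebooted, counters reset) yields the current value rather
# than a negative number.
drop_delta() {
    prev=$1; cur=$2
    if [ "$cur" -ge "$prev" ]; then
        echo $((cur - prev))
    else
        echo "$cur"
    fi
}

# Given the z_level flow-capture currently runs with (-z) and the drop delta
# for the last interval, print the level to use next: one step lower while
# drops keep occurring, never below 0 (no compression), unchanged otherwise.
next_zlevel() {
    z=$1; delta=$2
    if [ "$delta" -gt 0 ] && [ "$z" -gt 0 ]; then
        echo $((z - 1))
    else
        echo "$z"
    fi
}

# Live sample from the running host.
current_drops() {
    netstat -s 2>/dev/null | udp_buffer_drops
}

# A polling loop as a cron job might run it (left commented so the functions
# can be sourced without side effects):
#   prev=$(current_drops); sleep 300; cur=$(current_drops)
#   delta=$(drop_delta "$prev" "$cur")
#   echo "new UDP drops: $delta; next -z level: $(next_zlevel 6 "$delta")"
```

       A rising count confirms that loss is happening on the collector host
       itself rather than in the network; the lost-flow estimate that flow-
       capture logs via syslog covers both cases.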

       A  SIGHUP  signal will cause flow-capture to close the current file and
       create a new one.

       A SIGQUIT or SIGTERM  signal  will  cause  flow-capture  to  close  the
       current file and exit.

OPTIONS

       -b big|little
                 Byte order of output.

       -c flow_clients
                  Accept up to flow_clients concurrent TCP clients.  When lib-
                  wrap is available the client must be in a permit  list  for
                  the service flow-capture-client.

       -C Comment
                 Add a comment.

       -d debug_level
                 Enable debugging.

       -e expire_count
                 Retain  the  maximum  number  of files so that the total file
                 count is less than  expire_count.   Defaults  to  0  (do  not
                 expire).

       -E expire_size
                  Retain  the maximum number of files so that the total storage
                  is less than expire_size.  The letters b,K,M,G can be used as
                  multipliers, i.e., 16 Megabytes is 16M.  Defaults to  0  (do
                  not expire).

       -f filter_fname
                  Filter    list    filename.     Defaults    to     /etc/flow-
                  tools/cfg/filter.cfg.

       -F filter_definition
                 Select the active definition.  Defaults to default.

       -h        Display help.

       -n rotations
                 Configure  the number of times flow-capture will create a new
                 file per day.  The default is 95, or every 15 minutes.

       -N nesting_level
                 Configure the nesting level  for  storing  flow  files.   The
                 default is 0.
                    -3    YYYY/YYYY-MM/YYYY-MM-DD/flow-file
                    -2    YYYY-MM/YYYY-MM-DD/flow-file
                    -1    YYYY-MM-DD/flow-file
                     0    flow-file
                     1    YYYY/flow-file
                     2    YYYY/YYYY-MM/flow-file
                     3    YYYY/YYYY-MM/YYYY-MM-DD/flow-file

       -p pidfile
                 Configure  the  process  ID  file.  Use - to disable pid file
                 creation.

       -R rotate_program
                 Execute rotate_program with the first argument  as  the  flow
                 file name after rotating it.

       -S stat_interval
                 When  configured  flow-capture will log a timestamped message
                 every stat_interval minutes indicating counters such  as  the
                 number  of flows received, packets processed, and lost flows.

       -t tag_fname
                  Load tags from tag_fname.

       -T active_def|active_def,active_def...
                 Use active_def as the active tag definition(s).

       -u        Preserve inherited umask.  By default the umask will  be  set
                 to 0022.

       -V pdu_version
                 Use pdu_version format output.

           1    NetFlow version 1 (No sequence numbers, AS, or mask)
           5    NetFlow version 5
           6    NetFlow version 6 (5+ Encapsulation size)
           7    NetFlow version 7 (Catalyst switches)
           8.1  NetFlow AS Aggregation
           8.2  NetFlow Proto Port Aggregation
           8.3  NetFlow Source Prefix Aggregation
           8.4  NetFlow Destination Prefix Aggregation
           8.5  NetFlow Prefix Aggregation
           8.6  NetFlow Destination (Catalyst switches)
           8.7  NetFlow Source Destination (Catalyst switches)
           8.8  NetFlow Full Flow (Catalyst switches)
           8.9  NetFlow ToS AS Aggregation
           8.10 NetFlow ToS Proto Port Aggregation
           8.11 NetFlow ToS Source Prefix Aggregation
           8.12 NetFlow ToS Destination Prefix Aggregation
           8.13 NetFlow ToS Prefix Aggregation
           8.14 NetFlow ToS Prefix Port Aggregation
           1005 Flow-Tools tagged version 5

       -w workdir
                 Work in workdir.

       -x xlate_fname
                  Translation   config   file  name.   Defaults  to  /etc/flow-
                  tools/cfg/xlate.cfg.

       -X xlate_definition
                 Translation definition.  Defaults to default.

       -z z_level
                 Configure compression level to  z_level.  0 is  disabled  (no
                 compression), 9 is highest compression.
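
       As an added example for the -e, -E and -N options above (this script
       is not part of flow-tools), the following audits a workdir against the
       retention limits you intend to run with, walking every nesting level.
       It assumes, which the man page does not state, that the K/M/G multi-
       pliers are powers of 1024 and that completed files are exactly those
       whose name begins with ’ft’.

```shell
#!/bin/sh
# Added example for the flow-capture man page; not part of flow-tools.
# Audits a flow-capture workdir against intended -e/-E limits, descending
# through any -N nesting level.
# Assumptions (not from the man page): K/M/G are powers of 1024, and
# completed flow files are exactly those whose basename starts with "ft".

# Convert an expire_size argument such as 16M or 5G to bytes.  A bare number
# or a trailing b means bytes.  Returns 1 on a malformed value.
parse_size() {
    num=${1%[bKMG]}
    case "$num" in
        ''|*[!0-9]*) echo "bad size: $1" >&2; return 1 ;;
    esac
    suffix=${1#"$num"}
    case "$suffix" in
        K) echo $((num * 1024)) ;;
        M) echo $((num * 1024 * 1024)) ;;
        G) echo $((num * 1024 * 1024 * 1024)) ;;
        *) echo "$num" ;;
    esac
}

# Total bytes of completed flow files (ft*) below dir, at any depth.
# wc is run once per file so that no "total" line is summed twice.
archive_bytes() {
    find "$1" -type f -name 'ft*' -exec wc -c {} \; \
        | awk '{ n += $1 } END { print n + 0 }'
}

# Number of completed flow files below dir.
archive_count() {
    find "$1" -type f -name 'ft*' | wc -l | tr -d ' '
}

# Compare the archive with an expire_count and expire_size (0 = unlimited,
# as for -e and -E).  flow-capture keeps the count and size *below* the
# limits, so reaching a limit counts as exceeding it.  Prints a one-line
# verdict and returns 1 if either limit is exceeded, so it can gate an alert.
check_retention() {
    dir=$1; max_files=$2; max_size=$3
    files=$(archive_count "$dir")
    bytes=$(archive_bytes "$dir")
    limit=$(parse_size "$max_size") || return 1
    rc=0
    if [ "$max_files" -gt 0 ] && [ "$files" -ge "$max_files" ]; then rc=1; fi
    if [ "$limit" -gt 0 ] && [ "$bytes" -ge "$limit" ]; then rc=1; fi
    echo "$dir: $files files, $bytes bytes (limits: $max_files files, $limit bytes) rc=$rc"
    return $rc
}

# Usage, for a collector started with  flow-capture -w /flows/krc4 -N3 -E5G ...:
#   check_retention /flows/krc4 0 5G
```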

EXAMPLES

       Receive flows only from the exporter at 10.0.0.1, on port 9800.   Keep
       at  most 5 Gigabytes of flow files in /flows/krc4, expiring the oldest
       files as needed.

         flow-capture -w /flows/krc4 -E5G 0/10.0.0.1/9800

       Receive flows from any exporter on port 9800.  Do not perform any  flow
       file  space management.  Store the exports in /flows/krc4.  Emit a stat
       log message every 5 minutes.

         flow-capture -w /flows/krc4 -S5 0/0/9800
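
       The following rotate_program for the -R option is an added example and
       is not part of flow-tools.  flow-capture runs it with the finished flow
       file as the first argument once the file has been closed and given its
       final ’ft’ name.  The hook makes the file read-only and appends its
       SHA-256 digest to a manifest in the same directory, so an archive kept
       as evidence can later be checked for tampering.  It assumes sha256sum
       from GNU coreutils (8.25 or later, for --ignore-missing) is installed;
       the manifest name sha256.manifest and the install path are our own
       choices, not something the man page specifies.

```shell
#!/bin/sh
# Added example for the flow-capture man page; not part of flow-tools.
# A rotate_program for flow-capture -R: flow-capture invokes it with the
# completed flow file as the first argument.  The hook refuses anything that
# is not a completed "ft" file, makes the file read-only and records its
# SHA-256 digest in a manifest beside it.  It never alters file contents.
# Assumptions (not from the man page): GNU sha256sum is available, and the
# manifest name sha256.manifest is our own choice.

# Accept only completed flow files (basename begins with "ft"), so a stray
# or crafted argument can never make something else read-only.
is_flow_file() {
    case "$(basename -- "$1")" in
        ft*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Seal one rotated file: mode 0444, digest appended to the manifest.
# Prints the digest; returns 1 (and changes nothing) on rejection.
seal_flow_file() {
    f=$1
    is_flow_file "$f" || { echo "refusing non-flow file: $f" >&2; return 1; }
    [ -f "$f" ]       || { echo "missing: $f" >&2; return 1; }
    chmod 0444 -- "$f" || return 1
    d=$(sha256sum -- "$f" | awk '{ print $1 }')
    printf '%s  %s\n' "$d" "$(basename -- "$f")" \
        >> "$(dirname -- "$f")/sha256.manifest"
    echo "$d"
}

# Verify every file still present in an archive directory against its
# manifest.  --ignore-missing skips entries for files that -e/-E expiration
# has since removed; any modified file makes this return non-zero.
verify_archive() {
    ( cd -- "$1" && sha256sum -c --quiet --ignore-missing sha256.manifest )
}

# Install as, for example, /usr/local/sbin/seal-flow and start the collector
# with:
#   flow-capture -w /flows/krc4 -R /usr/local/sbin/seal-flow -E5G 0/10.0.0.1/9800
# When invoked with an argument, behave as that hook.
if [ -n "$1" ]; then
    seal_flow_file "$1"
fi
```

       Because expiration removes flow files but not their manifest entries,
       verify_archive relies on --ignore-missing; if every entry in a manifest
       has expired, sha256sum reports that nothing was verified and the check
       fails, which is the conservative outcome.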

BUGS

       Empty directories are not removed.

FILES

         Configuration files:
           Tag - /etc/flow-tools/cfg/tag.cfg.
           Filter - /etc/flow-tools/cfg/filter.cfg.
           Xlate - /etc/flow-tools/cfg/xlate.cfg.

AUTHOR

       Mark Fullmer maf@splintered.net

SEE ALSO

       flow-tools(1)
