NAME
sfcapd - sflow capture daemon
SYNOPSIS
sfcapd [options]
DESCRIPTION
sfcapd is the sflow capture daemon of the nfdump tools. It reads sflow
data from the network and stores it into nfcapd compatible files. The
output file is automatically rotated and renamed every n minutes -
typically 5 min - according the timestamp YYYYMMddhhmm of the interval
e.g. nfcapd.200407110845 contains the data from July 11th 2004 08:45
onward. sfcapd supports sFlow version 4 and 5 datagrams.
Sflow is an industry standard developed by InMon Corporation. For more
information see http://sflow.org.
OPTIONS
-p portnum
Specifies the port number to listen. Default port is 6343
-b bindhost
Specifies the hostname/IPv4/IPv6 address to bind for listening. Can
be an IP address or a hostname, resolving to an IP address attached
to an interface. Defaults to any available IPv4 interface, if not
specified.
-4 Forces sfcapd to listen on IPv4 addresses only. Can be used together
with -b if a hostname has an IPv4 and IPv6 address record. Depending
on the socket implementation -6 also accepts IPv4 data.
-6 Forces sfcapd to listen on IPv6 addresses only. Can be used together
with -b if a hostname has an IPv4 and IPv6 address record.
-j MulticastGroup
Join the specified IPv6 or IPv6 multicast group for listening.
-R host[/port}
Enable packet repeater. Send all incoming packets to another host
and port. host is either a valid IPv4/IPv6 address, or a valid
simbolic hostname, which resolves to a IPv6 or IPv4 address. port
may be ommited and defaults to port 6343. Note: Due to IPv4/IPv6
accepted addresses the port separator is ’/’.
-I IdentString ( capital letter i )
Specifies an ident string, which describes the source e.g. the name
of the router. This string is put into the stat record to identify
the source. Default is ’none’. This is for compatibility with nfdump
1.5.x and used to specify a single sflow source. See -n
-l base_directory ( letter ell )
Specifies the base directory to store the output files. If a sub
hierarchy is specified with -S the final directory is concatenated
to base_directory/sub_hierarchy. This is for compatibility with
nfdump 1.5.x and used to specify a single sflow source. See -n
-n <Ident,IP,base_directory>
Configures an sflow source named Ident and identified by source IP
address IP. The base directory for the flow files is
base_directory. If a sub hierarchy is specified with -S the final
directory is concatenated to base_directory/sub_hierarchy. Multiple
netflow sources can be specified. All data is sent to the same port
specified by -p. Note: You must not mix -n option with -I and -l.
Use either syntax.
-f <pcap_file>
Read sflow packets from a give pcap_file instead of the network.
This requires sfcapd to be compiled with the pcap option and is
intended for debugging only.
-S <num>
Allows to specify an additional directory sub hierarchy to store the
data files. The default is 0, no sub hierarchy, which means the
files go directly in the base directory (-l). The base directory
(-l) is concatenated with the specified sub hierarchy format to form
the final data directory. The following hierarchies are defined:
0 default no hierarchy levels
1 %Y/%m/%d year/month/day
2 %Y/%m/%d/%H year/month/day/hour
3 %Y/%W/%u year/week_of_year/day_of_week
4 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
5 %Y/%W/%u year/week_of_year/day_of_week
6 %Y/%W/%u/%H year/week_of_year/day_of_week/hour
7 %Y/%j year/day-of-year
8 %Y/%j/%H year/day-of-year/hour
9 %Y-%m-%d year-month-day
10 %Y-%m-%d/%H year-month-day/hour
-T <extension list>
Specifies the list of extensions, to be stored in the flow file.
Regardless of the extension list, the following sflow data is stored
per record: first, last, fwd status, tcp flags, proto, (src)tos, src
port, dst port, src ipaddr, dst ipaddr, in(packets), in(bytes). In
addition sfcapd recognises the extensions as described below.
Extensions:
sflow extensions:
1 input/output interface SNMP numbers.
2 src/dst AS numbers.
3 src/dst mask, (dst)TOS, direction,
4 Next hop IP addr
5 BGP next hop IP addr
6 src/dst vlan id labels
10 in_src/out_dst MAC address
By default extension 1 and 2 are selected, which provides
compatibility with earlier nfdump version. Extensions can be
added/deleted by specifying a ’,’ separated list of extension ids.
Each id may be prepended by an optional sign +/- to add or remove a
given id from the extension list. The string ’all’ means all
extensions. Extensions 7-9 are not available for sfcapd.
Examples:
-T all Enables all possible extensions.
-T +3,+4 Adds extensions 3 and 4 to the defaults 1 and 2.
-T all,-5,-6 Set all extensions but 5 and 6
-T -1,4 Removes default extension 1 and adds extension 4
Note: Extensions are shared with the netflow collector nfcapd.
Sflow as well as netflow data is stored in the same type of
extensions.
-t interval
Specifies the time interval in seconds to rotate files. The default
value is 300s ( 5min ).
-w Align file rotation with next n minute ( specified by -t ) interval.
Example: If interval is 5 min, sync at 0,5,10... wall clock minutes
Default: no alignment.
-x cmd
Run command cmd at the end of every interval, when a new file
becomes available. The following command expansion is available:
%f Replaced by the file name e.g nfcapd.200407110845 inluding any
sub hierarchy. ( 2004/07/11/nfcapd.200407110845 )
%d Replaced by the directory where the file is located.
%t Replaced by the time ISO format e.g. 200407110845.
%u Replaced by the UNIX time format.
%i Replaced ident string given by -I
-e Auto expire files at every cycle. max lifetime and max filesize are
defined using nfexpire(1)
-P pidfile
Specify name of pidfile. Default is no pidfile.
-D Daemon mode: fork to background and detach from terminal. Nfcapd
terminates on signal TERM, INT and HUP.
-u userid
Change to the user userid as soon as possible. Only root is allowed
to use this option.
-g groupid
Change to the group groupid as soon as possible. Only root is
allowed use this option.
-B bufflen
Specifies the socket input buffer length in bytes. For high volume
traffic ( near GB traffic ) it is recommended to set this value as
high as possible ( typically > 100k ), otherwise you risk to lose
packets. The default is OS ( and kernel ) dependent.
-E Print data records in nfdump raw format to stdout. This option is
for debugging purpose only, to see how incoming sflow data is
processed and stored.
-z Compress flows. Use fast LZO1X-1 compression in output file.
-V Print sfcapd version and exit.
-h Print help text to stdout with all options and exit.
RETURN VALUE
Returns 0 on success, or 255 if initialization failed.
LOGGING
sfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON For normal
operation level ’warning’ should be fine. More information is reported
at level ’info’ and ’debug’.
A small statistic about the collected flows, as well as errors are
reported at the end of every interval to syslog with level ’info’.
EXAMPLES
Compatible with old sfcapd 1.5.x:
sfcapd -w -D -l /data/spool/router1 -p 6343 -B 128000 -I router1
-x ’/path/some_app -r %d/%f’ -P /var/run/sfcapd/sfcapd.router1
Selectively enabled sender:
sfcapd -Tall -w -D -n router1,192.168.1.10,/data/spool/router1
-p 6343 -B 128000 -P /var/run/sfcapd/sfcapd.router1
NOTES
sfcapd automatically scales the packets and bytes according the
sampling rate.
Even with sflow version 4 and 5 support, not all available sflow
elements are stored in the data files. As of this version, sfcpad
supports the the same shared fields as extensions, as it’s netflow
companion nfcapd for netflow version v9. See nfcapd(1). More fields
will be supported in future.
The format of the data files is version independent and compatible
nfcapd collected data.
Socket buffer: Setting the socket buffer size is system dependent.
When starting up, sfcapd returns the number of bytes the buffer was
actually set. This is done by reading back the buffer size and may
differ from what you requested.
SEE ALSO
nfcapd(1), nfdump(1), nfprofile(1), nfreplay(1)
2009-09-09 sfcapd(1)