DOKK / manpages / debian 12 / nfdump / nfpcapd.1.en
nfpcapd(1) nfpcapd(1)

nfpcapd - pcap capture to netflow daemon

nfpcapd [options]

nfpcapd is the pcap capture daemon of the nfdump tools. It reads network packets from an interface or from a file and directly creates nfdump records. Nfdump records are written either locally to a directory in the same format as nfcapd, or can be forwarded to a nfcapd collector somwhere else in the network. Nfpcapd is nfcapd's pcap brother and shares many options and generates the same type of files. nfpcapd likewise creates, rotates and stores files. See also nfpcap(1) for more information on common option.

nfpcapd optionally also stores pcap traffic data in separate files and uses the same rotation interval as for the netflow data. Storing pcap traffic data file is only possible locally.

nfpcapd is multithreaded and uses separate threads for packet, netflow and pcap processing.

Listen on this interface in promisc mode for packet processing.
Read and process packets from this file. This file is a pcap compatible file
Limit the snaplen on collected packets. The default is 1522 bytes. The snaplen needs to be large enough to process all required protocols. The snaplen must not be smaller than 54 bytes.
Sets the number of initial cache nodes required by the flow cache. By default the cache size is set to 512k nodes should be fine. If the cache runs out of nodes, new nodes are dynamically added.
Sets the active and inactive flow expire values in s. The default ist 300,60.
Active timeout: A flow gets flushed to disk after this period even if it is still active. As a rule of thumb, it should correspond with the -t rotation value, in order to reflect continous traffic in the flow files.
Inactive timeout: A flow gets flushed to disk after being inactive for this number of seconds. It frees up node recources.
On busy networks these values can be set to more aggressive timeouts.
Specifies an ident string, which describes the source e.g. the name of the interface or host. This string is put into the stat record to identify the source. Default is 'none'. Same is nfcapd(1)
Specifies the base directory to store the flow files. If a sub hierarchy is specified with -S the final directory is concatenated to base_directory/sub_hierarchy.
Store network packets in pcap compatible files in this directory and rotate files the same as the flow files. Sub hierarchy directories are applied likewise.
Send nfdump records to a remote nfcapd collector. Default port is 9995.
Allows to specify an additional directory sub hierarchy to store the data files. The default is 0, no sub hierarchy, which means the files go directly in the base directory (-l). The base directory (-l) is concatenated with the specified sub hierarchy format to form the final data directory. For a full list of hierarchies see nfcapd(1).
Specifies the time interval in seconds to rotate files. The default value is 300s ( 5min ). The smallest interval can be set to 2s. The intervalls are in sync with wall clock.
Specify name of pidfile. Default is no pidfile.
Daemon mode: fork to background and detach from terminal. Nfpcapd terminates on signal TERM, INT and HUP.
Verbose flow printing. Print flows on stdout, when flushed to disk. Use verbose printing only for debugging purpose in oder to see if your setup works. Running nfpcapd in verbose mode limits processing bandwith!
Change to the user userid as soon as possible. Only root is allowed to use this option. Uid/Gid is switched after opening the reading device.
Change to the group groupid as soon as possible. Only root is allowed use this option. Uid/Gid is switched after opening the reading device.
Adds options to nfpcapd. Two options are available:
fat Add Mac addresses, optional Vlan and MPLS labels.
payload Add the payload bytes of the first packet of a connection.
Compress flows. Use bz2 compression in output file. Note: not recommended while collecting
Compress flows. Use LZ4 compression in output file.
Compress flows. Use fast LZO1X-1 compression in output file.
Print nfpcapd version and exit.
Print help text to stdout with all options and exit.
'<filter>'
Optional pcap compatible packet filter. The filter needs to be put within quotes.

Returns 0 on success, or 255 if initialization failed.

nfpcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal operation level 'error' should be fine. More information is reported at level 'info'.

A small statistic about the collected flows, as well as errors are reported at the end of every interval to syslog with level 'info'.

Read packets from interface eth0

nfpcapd -i eth0 -j -D -l /netflow/flows -S 2 -I any -P /var/run/nfpcapd.pid

Read packets from interface mx0 and store also packets in pcap files.

nfpcapd -i vmx0 -j -D -l /netflow/flows -p /netflow/caps

Send records to a remote host

nfpcapd -i eth1 -H 192.168.200.10/12344 -D -e 60,20

nfpcapd can store records either locally or send it to a remote host but not both at the same time.
If records are sent to a remote nfcapd process, both programs nfcapd and nfpcapd must be of the same endian architecture (both big or little endian). nfpcapd uses netflow version 240 for sending flows.

The flow cache is checked in regular 10s intervalls and expires flows according to the expire values. Expired flows are flushed and processed and nodes are freed up.

A smaller snaplen may improve performance, but may result in loss of information. The smallest snaplen of 54 bytes can process regular TCP/UDP/ICMP packets. In case of Vlan or MPLS labels, not enough information may be abailable for correct protocol decoding. Nfdump records may be incomplete and and set to 0.

If IP packets are fragmented, they are reassembled before processing. All IP fragments need to be reassembled in order to be passed to the next stage. If not all fragments are correctly assembled withing 15s since the first fragment arrived, all fragments are discarded.

nfcapd(1), nfdump(1), nfexpire(1)

No software without bugs! Please report any bugs back to me.

2021-05-23