nfreplay(1) [debian man page]

nfreplay(1)															       nfreplay(1)

NAME
       nfreplay - netflow replay program

SYNOPSIS
       nfreplay [options] [filter]

DESCRIPTION
       nfreplay is the netflow replay program of the nfdump tool set. It reads
       data from files stored by nfcapd and sends the netflow data to a host or
       a multicast group. The filter syntax is equivalent to nfdump. If a
       filter is supplied, only the matching flows are sent. See the nfdump(1)
       man page for a detailed description of the filter syntax. All records
       are sent as netflow version 5.

OPTIONS
       -H remotehost
              Send all flows to this remote host. Accepts a symbolic name or an
              IPv4/IPv6 IP address. Defaults to IPv4 localhost 127.0.0.1.

       -j mcastgroup
              Join this multicast group and send all flows to this group host.
              Accepts a symbolic name or multicast IPv4/IPv6 IP address.

       -p port
              Send all flows to this port on the remote side. Default is 9995.

       -4     Forces nfreplay to send flows to an IPv4 address only. Can be used
              together with -i if the remote host has an IPv4 and IPv6 address
              record.

       -6     Forces nfreplay to send flows to an IPv6 address only. Can be used
              together with -i if the remote host has an IPv4 and IPv6 address
              record.

       -v num Send flows as netflow version num. 5 and 9 are supported. The
              default is sending the flows as netflow version 5. In version 5
              mode, IPv6 flows are skipped and 64bit counters are truncated to
              32bit.

       -d usec
              Delay each record by usec microseconds, to avoid overrun on the
              remote side. Default is 10.

       -b buffersize
              Set send buffer size in bytes. Useful for large data to transfer.
              Default is system dependent.

       -r inputfile
              Read input data from inputfile. Default is read from stdin.

       -t timewin
              Send only flows which fall in the time window timewin, where
              timewin is YYYY/MM/dd.hh:mm:ss[-YYYY/MM/dd.hh:mm:ss]. Any parts of
              the time spec may be omitted, e.g. YYYY/MM/dd expands to
              YYYY/MM/dd.00:00:00-YYYY/MM/dd.23:59:59 and sends all flows from
              a given day.

       -c num Limit number of records to send to the first num flows.

       -V     Print nfreplay version and exit.

       -h     Print help text on stdout with all options and exit.

RETURN VALUE
       Returns
              0    No error.
              255  Initialization failed.
              254  Error in filter syntax.
              250  Internal error.

NOTES

SEE ALSO
       nfcapd(1), nfdump(1), nfprofile(1)

BUGS

2009-09-09 nfreplay(1)

sfcapd(1)																 sfcapd(1)

NAME
       sfcapd - sflow capture daemon

SYNOPSIS
       sfcapd [options]

DESCRIPTION
       sfcapd is the sflow capture daemon of the nfdump tools. It reads sflow
       data from the network and stores it into nfcapd compatible files. The
       output file is automatically rotated and renamed every n minutes -
       typically 5 min - according to the timestamp YYYYMMddhhmm of the
       interval, e.g. nfcapd.200407110845 contains the data from July 11th 2004
       08:45 onward. sfcapd supports sFlow version 4 and 5 datagrams.

       Sflow is an industry standard developed by InMon Corporation. For more
       information see http://sflow.org.

OPTIONS
       -p portnum
              Specifies the port number to listen on. Default port is 6343.

       -b bindhost
              Specifies the hostname/IPv4/IPv6 address to bind for listening.
              Can be an IP address or a hostname, resolving to an IP address
              attached to an interface. Defaults to any available IPv4
              interface, if not specified.

       -4     Forces sfcapd to listen on IPv4 addresses only. Can be used
              together with -b if a hostname has an IPv4 and IPv6 address
              record. Depending on the socket implementation -6 also accepts
              IPv4 data.

       -6     Forces sfcapd to listen on IPv6 addresses only. Can be used
              together with -b if a hostname has an IPv4 and IPv6 address
              record.

       -j MulticastGroup
              Join the specified IPv4 or IPv6 multicast group for listening.

       -R host[/port]
              Enable packet repeater. Send all incoming packets to another host
              and port. host is either a valid IPv4/IPv6 address, or a valid
              symbolic hostname, which resolves to an IPv6 or IPv4 address.
              port may be omitted and defaults to port 6343. Note: Due to
              IPv4/IPv6 accepted addresses the port separator is '/'.

       -I IdentString ( capital letter i )
              Specifies an ident string, which describes the source, e.g. the
              name of the router. This string is put into the stat record to
              identify the source. Default is 'none'. This is for compatibility
              with nfdump 1.5.x and used to specify a single sflow source.
              See -n.

       -l base_directory ( letter ell )
              Specifies the base directory to store the output files. If a sub
              hierarchy is specified with -S the final directory is
              concatenated to base_directory/sub_hierarchy. This is for
              compatibility with nfdump 1.5.x and used to specify a single
              sflow source. See -n.

       -n <Ident,IP,base_directory>
              Configures an sflow source named Ident and identified by source
              IP address IP. The base directory for the flow files is
              base_directory. If a sub hierarchy is specified with -S the final
              directory is concatenated to base_directory/sub_hierarchy.
              Multiple netflow sources can be specified. All data is sent to
              the same port specified by -p.
              Note: You must not mix -n option with -I and -l. Use either
              syntax.

       -f <pcap_file>
              Read sflow packets from a given pcap_file instead of the network.
              This requires sfcapd to be compiled with the pcap option and is
              intended for debugging only.

       -S <num>
              Allows to specify an additional directory sub hierarchy to store
              the data files. The default is 0, no sub hierarchy, which means
              the files go directly in the base directory (-l). The base
              directory (-l) is concatenated with the specified sub hierarchy
              format to form the final data directory. The following
              hierarchies are defined:

                    0 default       no hierarchy levels
                    1 %Y/%m/%d      year/month/day
                    2 %Y/%m/%d/%H   year/month/day/hour
                    3 %Y/%W/%u      year/week_of_year/day_of_week
                    4 %Y/%W/%u/%H   year/week_of_year/day_of_week/hour
                    5 %Y/%W/%u      year/week_of_year/day_of_week
                    6 %Y/%W/%u/%H   year/week_of_year/day_of_week/hour
                    7 %Y/%j         year/day-of-year
                    8 %Y/%j/%H      year/day-of-year/hour
                    9 %Y-%m-%d      year-month-day
                   10 %Y-%m-%d/%H   year-month-day/hour

       -T <extension list>
              Specifies the list of extensions to be stored in the flow file.
              Regardless of the extension list, the following sflow data is
              stored per record: first, last, fwd status, tcp flags, proto,
              (src)tos, src port, dst port, src ipaddr, dst ipaddr,
              in(packets), in(bytes). In addition sfcapd recognises the
              extensions as described below.

              Extensions:
              sflow extensions:
                    1 input/output interface SNMP numbers.
                    2 src/dst AS numbers.
                    3 src/dst mask, (dst)TOS, direction,
                    4 Next hop IP addr
                    5 BGP next hop IP addr
                    6 src/dst vlan id labels
                   10 in_src/out_dst MAC address

              By default extension 1 and 2 are selected, which provides
              compatibility with earlier nfdump version. Extensions can be
              added/deleted by specifying a ',' separated list of extension
              ids. Each id may be prepended by an optional sign +/- to add or
              remove a given id from the extension list. The string 'all' means
              all extensions. Extensions 7-9 are not available for sfcapd.

              Examples:
              -T all          Enables all possible extensions.
              -T +3,+4        Adds extensions 3 and 4 to the defaults 1 and 2.
              -T all,-5,-6    Set all extensions but 5 and 6
              -T -1,4         Removes default extension 1 and adds extension 4

              Note: Extensions are shared with the netflow collector nfcapd.
              Sflow as well as netflow data is stored in the same type of
              extensions.

       -t interval
              Specifies the time interval in seconds to rotate files. The
              default value is 300s ( 5min ).

       -w     Align file rotation with next n minute ( specified by -t )
              interval. Example: If interval is 5 min, sync at 0,5,10... wall
              clock minutes. Default: no alignment.

       -x cmd Run command cmd at the end of every interval, when a new file
              becomes available. The following command expansion is available:

              %f   Replaced by the file name, e.g. nfcapd.200407110845,
                   including any sub hierarchy.
                   ( 2004/07/11/nfcapd.200407110845 )
              %d   Replaced by the directory where the file is located.
              %t   Replaced by the time ISO format, e.g. 200407110845.
              %u   Replaced by the UNIX time format.
              %i   Replaced ident string given by -I

       -e     Auto expire files at every cycle. max lifetime and max filesize
              are defined using nfexpire(1)

       -P pidfile
              Specify name of pidfile. Default is no pidfile.

       -D     Daemon mode: fork to background and detach from terminal. Nfcapd
              terminates on signal TERM, INT and HUP.

       -u userid
              Change to the user userid as soon as possible. Only root is
              allowed to use this option.

       -g groupid
              Change to the group groupid as soon as possible. Only root is
              allowed to use this option.

       -B bufflen
              Specifies the socket input buffer length in bytes. For high
              volume traffic ( near GB traffic ) it is recommended to set this
              value as high as possible ( typically > 100k ), otherwise you
              risk to lose packets. The default is OS ( and kernel ) dependent.

       -E     Print data records in nfdump raw format to stdout. This option is
              for debugging purpose only, to see how incoming sflow data is
              processed and stored.

       -z     Compress flows. Use fast LZO1X-1 compression in output file.

       -V     Print sfcapd version and exit.

       -h     Print help text to stdout with all options and exit.

RETURN VALUE
       Returns 0 on success, or 255 if initialization failed.

LOGGING
       sfcapd logs to syslog with SYSLOG_FACILITY LOG_DAEMON. For normal
       operation level 'warning' should be fine. More information is reported
       at level 'info' and 'debug'.

       A small statistic about the collected flows, as well as errors are
       reported at the end of every interval to syslog with level 'info'.

EXAMPLES
       Compatible with old sfcapd 1.5.x:

              sfcapd -w -D -l /data/spool/router1 -p 6343 -B 128000 -I router1 -x '/path/some_app -r %d/%f' -P /var/run/sfcapd/sfcapd.router1

       Selectively enabled sender:

              sfcapd -Tall -w -D -n router1,192.168.1.10,/data/spool/router1 -p 6343 -B 128000 -P /var/run/sfcapd/sfcapd.router1

NOTES
       sfcapd automatically scales the packets and bytes according to the
       sampling rate. Even with sflow version 4 and 5 support, not all
       available sflow elements are stored in the data files. As of this
       version, sfcapd supports the same shared fields as extensions, as its
       netflow companion nfcapd for netflow version v9. See nfcapd(1). More
       fields will be supported in future.

       The format of the data files is version independent and compatible with
       nfcapd collected data.

       Socket buffer: Setting the socket buffer size is system dependent. When
       starting up, sfcapd returns the number of bytes the buffer was actually
       set. This is done by reading back the buffer size and may differ from
       what you requested.

SEE ALSO
       nfcapd(1), nfdump(1), nfprofile(1), nfreplay(1)

2009-09-09 sfcapd(1)
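
Added example (not part of the nfdump man pages or tool set): when an investigation starts from a timestamp, the sfcapd -t, -w and -S settings decide which nfcapd.YYYYMMddhhmm files hold the flows, and the same window can be passed to nfreplay -t. The function names are hypothetical; the sketch assumes rotation aligned with -w, an interval that divides a day, timestamps in the collector's local time, and a sub directory derived from the interval start.

```python
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# -S sub hierarchy formats from the sfcapd option table. 5 and 6 are left out
# because the page prints them with the same format strings as 3 and 4.
SUBDIR_FORMATS = {
    0: "", 1: "%Y/%m/%d", 2: "%Y/%m/%d/%H", 3: "%Y/%W/%u", 4: "%Y/%W/%u/%H",
    7: "%Y/%j", 8: "%Y/%j/%H", 9: "%Y-%m-%d", 10: "%Y-%m-%d/%H",
}

def slot_start(ts, interval=300):
    """Start of the rotation interval containing ts (assumes -w alignment)."""
    if interval <= 0 or 86400 % interval:
        raise ValueError("interval must divide a day for wall-clock alignment")
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = int((ts - midnight).total_seconds())
    return midnight + timedelta(seconds=elapsed - elapsed % interval)

def capture_file(base_dir, ts, hierarchy=0, interval=300):
    """Path of the nfcapd.YYYYMMddhhmm file whose interval contains ts."""
    start = slot_start(ts, interval)
    # Assumption: the sub directory is derived from the interval start time.
    sub = start.strftime(SUBDIR_FORMATS[hierarchy]) if hierarchy else ""
    name = "nfcapd." + start.strftime("%Y%m%d%H%M")
    return str(PurePosixPath(base_dir, sub, name))

def files_for_window(base_dir, start, end, hierarchy=0, interval=300):
    """All capture files whose rotation interval overlaps [start, end]."""
    if end < start:
        raise ValueError("end precedes start")
    paths, t = [], slot_start(start, interval)
    while t <= end:
        paths.append(capture_file(base_dir, t, hierarchy, interval))
        t += timedelta(seconds=interval)
    return paths

def timewin(start, end):
    """Format a window for the nfreplay -t option."""
    fmt = "%Y/%m/%d.%H:%M:%S"
    return start.strftime(fmt) + "-" + end.strftime(fmt)

if __name__ == "__main__":
    # Constructed incident window, collector local time.
    begin, finish = datetime(2004, 7, 11, 8, 47, 13), datetime(2004, 7, 11, 8, 56)
    for path in files_for_window("/data/spool/router1", begin, finish, hierarchy=2):
        print(path)
    print("-t", timewin(begin, finish))
```

Flows are written to the file of the interval in which the collector received them, so a window that starts just after a rotation boundary may also need the preceding file.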