<HTML ><HEAD ><TITLE >flow-capture</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.73 "></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><H1 ><A NAME="AEN1" ><SPAN CLASS="APPLICATION" >flow-capture</SPAN ></A ></H1 ><DIV CLASS="REFNAMEDIV" ><A NAME="AEN6" ></A ><H2 >Name</H2 ><SPAN CLASS="APPLICATION" >flow-capture</SPAN > -- Manage storage of flow file archives by expiring old data.</DIV ><DIV CLASS="REFSYNOPSISDIV" ><A NAME="AEN10" ></A ><H2 >Synopsis</H2 ><P ><B CLASS="COMMAND" >flow-capture</B > [-h] [-A<TT CLASS="REPLACEABLE" ><I > AS0_substitution</I ></TT >] [-b<TT CLASS="REPLACEABLE" ><I > big|little</I ></TT >] [-C<TT CLASS="REPLACEABLE" ><I > comment</I ></TT >] [-c<TT CLASS="REPLACEABLE" ><I > flow_clients</I ></TT >] [-d<TT CLASS="REPLACEABLE" ><I > debug_level</I ></TT >] [-D<TT CLASS="REPLACEABLE" ><I > daemonize</I ></TT >] [-e<TT CLASS="REPLACEABLE" ><I > expire_count</I ></TT >] [-f<TT CLASS="REPLACEABLE" ><I > filter_fname</I ></TT >] [-F<TT CLASS="REPLACEABLE" ><I > filter_definition</I ></TT >] [-E<TT CLASS="REPLACEABLE" ><I > expire_size</I ></TT >] [-m<TT CLASS="REPLACEABLE" ><I > privacy_mask</I ></TT >] [-n<TT CLASS="REPLACEABLE" ><I > rotations</I ></TT >] [-N<TT CLASS="REPLACEABLE" ><I > nesting_level</I ></TT >] [-p<TT CLASS="REPLACEABLE" ><I > pidfile</I ></TT >] [-R<TT CLASS="REPLACEABLE" ><I > rotate_program</I ></TT >] [-S<TT CLASS="REPLACEABLE" ><I > stat_interval</I ></TT >] [-t<TT CLASS="REPLACEABLE" ><I > tag_fname</I ></TT >] [-T<TT CLASS="REPLACEABLE" ><I > active_def</I ></TT >|<TT CLASS="REPLACEABLE" ><I >active_def,active_def</I ></TT >...] [-V<TT CLASS="REPLACEABLE" ><I > pdu_version</I ></TT >] [-z<TT CLASS="REPLACEABLE" ><I > z_level</I ></TT >] {-w<TT CLASS="REPLACEABLE" ><I > workdir</I ></TT >} {<TT CLASS="REPLACEABLE" ><I >localip/remoteip/port</I ></TT >}</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN59" ></A ><H2 >DESCRIPTION</H2 ><P >The <B CLASS="COMMAND" >flow-capture</B > utility will receive and store NetFlow exports to disk. The flow files are rotated <TT CLASS="REPLACEABLE" ><I >rotations</I ></TT >times per day and expiration of old flow files can be configured by number of files or total space utilization. Files are stored in <TT CLASS="FILENAME" >workdir</TT > and can optionally be stored in additional levels of directories. Active files created by <B CLASS="COMMAND" >flow-capture</B > begin with 'tmp'. Files that are complete begin with 'ft'.</P ><P >When the <TT CLASS="REPLACEABLE" ><I >remoteip</I ></TT > is configured only flows from that exporter will be processed, this is the most secure and recommended configuration. When the <TT CLASS="REPLACEABLE" ><I >localip</I ></TT > is configured <B CLASS="COMMAND" >flow-capture</B > will only process flows sent to the <TT CLASS="REPLACEABLE" ><I > localip</I ></TT > IP address. If <TT CLASS="REPLACEABLE" ><I >remoteip</I ></TT > is 0 (not configured) flows from any source IP address are accepted. Multiple non aggregated PDU versions may be accepted at once to support Cisco's Catalyst 6500 NetFlow implementation which exports from both the supervisor and MSFC with the same IP address and same port but different export versions. In this case the exports will be stored in the format specified by <TT CLASS="REPLACEABLE" ><I >pdu_version</I ></TT > or whichever export type is received first.</P ><P >NetFlow exports are UDP and do not employ congestion control or a retransmission mechanism. If the server flow-capture is configured on is too busy, or the network is congested or lossy NetFlow exports will be lost. An estimate of lost flows is recorded in the flow files, and logged via syslog. Most servers will provide a count of dropped packets due to full socket buffers via the <B CLASS="COMMAND" >netstat</B > utility. For example <B CLASS="COMMAND" >netstat -s | grep full</B > will provide a count of UDP packets dropped due to full socket buffers. If this is a persistent occurrence either <B CLASS="COMMAND" >flow-capture</B > will need a larger server or the compression level should be decreased with -z.</P ><P >A SIGHUP signal will cause <B CLASS="COMMAND" >flow-capture</B > to close the current file and create a new one.</P ><P >A SIGQUIT signal will cause <B CLASS="COMMAND" >flow-capture</B > to close the current file and exit.</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN81" ></A ><H2 >OPTIONS</H2 ><P ></P ><DIV CLASS="VARIABLELIST" ><DL ><DT >-A<TT CLASS="REPLACEABLE" ><I > AS0_substitution</I ></TT ></DT ><DD ><P >Cisco's NetFlow exports represent the local autonomous system as 0 instead of the real value. This option can be used to replace the 0 in the export with the a configured value. Unfortunately under certain configurations AS 0 can also represent a cache miss or non forwarded traffic so use with caution.</P ></DD ><DT >-b<TT CLASS="REPLACEABLE" ><I > big</I ></TT >|<TT CLASS="REPLACEABLE" ><I >little</I ></TT ></DT ><DD ><P >Byte order of output.</P ></DD ><DT >-c<TT CLASS="REPLACEABLE" ><I > flow_clients</I ></TT ></DT ><DD ><P >Enable <TT CLASS="REPLACEABLE" ><I >flow_clients</I ></TT > TCP clients. When libwrap is available the client must be in a permit list for the service flow-capture-client.</P ></DD ><DT >-C<TT CLASS="REPLACEABLE" ><I > Comment</I ></TT ></DT ><DD ><P >Add a comment.</P ></DD ><DT >-d<TT CLASS="REPLACEABLE" ><I > debug_level</I ></TT ></DT ><DD ><P >Enable debugging.</P ></DD ><DT >-e<TT CLASS="REPLACEABLE" ><I > expire_count</I ></TT ></DT ><DD ><P >Retain the maximum number of files so that the total file count is less than <TT CLASS="REPLACEABLE" ><I >expire_count</I ></TT >. Defaults to 0 (do not expire).</P ></DD ><DT >-E<TT CLASS="REPLACEABLE" ><I > expire_size</I ></TT ></DT ><DD ><P >Retain the maximum number of files so that the total storage is less than <TT CLASS="REPLACEABLE" ><I >expire_size</I ></TT >. The letters b,K,M,G can be used as multipliers, ie 16 Megabytes is 16M. Default to 0 (do not expire).</P ></DD ><DT >-f<TT CLASS="REPLACEABLE" ><I > filter_fname</I ></TT ></DT ><DD ><P >Filter list filename. Defaults to <TT CLASS="FILENAME" >/var/lib/cfg/filter</TT >.</P ></DD ><DT >-F<TT CLASS="REPLACEABLE" ><I > filter_definition</I ></TT ></DT ><DD ><P >Select the active definition. Defaults to default.</P ></DD ><DT >-h</DT ><DD ><P >Display help.</P ></DD ><DT >-m<TT CLASS="REPLACEABLE" ><I > privacy_mask</I ></TT ></DT ><DD ><P >Apply <TT CLASS="REPLACEABLE" ><I >privacy_mask</I ></TT > to the source and destination IP address of flows. For example a privacy_mask of 255.255.255.0 would convert flows with source/destination IP addresses 10.1.1.1 and 10.2.2.2 to 10.1.1.0 and 10.2.2.0 respectively.</P ></DD ><DT >-n<TT CLASS="REPLACEABLE" ><I > rotations</I ></TT ></DT ><DD ><P >Configure the number of times flow-capture will create a new file per day. The default is 95, or every 15 minutes.</P ></DD ><DT >-N<TT CLASS="REPLACEABLE" ><I > nesting_level</I ></TT ></DT ><DD ><P >Configure the nesting level for storing flow files. The default is 0. -3 YYYY/YYYY-MM/YYYY-MM-DD/flow-file -2 YYYY-MM/YYYY-MM-DD/flow-file -1 YYYY-MM-DD/flow-file 0 flow-file 1 YYYY/flow-file 2 YYYY/YYYY-MM/flow-file 3 YYYY/YYYY-MM/YYYY-MM-DD/flow-file</P ></DD ><DT >-p<TT CLASS="REPLACEABLE" ><I > pidfile</I ></TT ></DT ><DD ><P >Configure the process ID file. Use - to disable pid file creation.</P ></DD ><DT >-R<TT CLASS="REPLACEABLE" ><I > rotate_program</I ></TT ></DT ><DD ><P >Execute <TT CLASS="REPLACEABLE" ><I >rotate_program</I ></TT > with the first argument as the flow file name after rotating it.</P ></DD ><DT >-S<TT CLASS="REPLACEABLE" ><I > stat_interval</I ></TT ></DT ><DD ><P >When configured <B CLASS="COMMAND" >flow-capture</B > will log a timestamped message every <TT CLASS="REPLACEABLE" ><I >stat_interval</I ></TT > minutes indicating counters such as the number of flows received, packets processed, and lost flows.</P ></DD ><DT >-t<TT CLASS="REPLACEABLE" ><I > tag_fname</I ></TT ></DT ><DD ><P >Load tags from <TT CLASS="FILENAME" >tag_name</TT ></P ></DD ><DT >-T<TT CLASS="REPLACEABLE" ><I > active_def</I ></TT >|<TT CLASS="REPLACEABLE" ><I >active_def,active_def...</I ></TT ></DT ><DD ><P >Use <TT CLASS="REPLACEABLE" ><I >active_def</I ></TT > as the active tag definition(s).</P ></DD ><DT >-V<TT CLASS="REPLACEABLE" ><I > pdu_version</I ></TT ></DT ><DD ><P >Use <TT CLASS="REPLACEABLE" ><I >pdu_version</I ></TT > format output. <P CLASS="LITERALLAYOUT" > 1 NetFlow version 1 (No sequence numbers, AS, or mask)<br> 5 NetFlow version 5<br> 6 NetFlow version 6 (5+ Encapsulation size)<br> 7 NetFlow version 7 (Catalyst switches)<br> 8.1 NetFlow AS Aggregation<br> 8.2 NetFlow Proto Port Aggregation<br> 8.3 NetFlow Source Prefix Aggregation<br> 8.4 NetFlow Destination Prefix Aggregation<br> 8.5 NetFlow Prefix Aggregation<br> 8.6 NetFlow Destination (Catalyst switches)<br> 8.7 NetFlow Source Destination (Catalyst switches)<br> 8.8 NetFlow Full Flow (Catalyst switches)<br> 8.9 NetFlow ToS AS Aggregation<br> 8.10 NetFlow ToS Proto Port Aggregation<br> 8.11 NetFlow ToS Source Prefix Aggregation<br> 8.12 NetFlow ToS Destination Prefix Aggregation<br> 8.13 NetFlow ToS Prefix Aggregation<br> 8.14 NetFlow ToS Prefix Port Aggregation<br> 1005 Flow-Tools tagged version 5</P ></P ></DD ><DT >-w<TT CLASS="REPLACEABLE" ><I > workdir</I ></TT ></DT ><DD ><P >Work in <TT CLASS="FILENAME" >workdir</TT >.</P ></DD ><DT >-z<TT CLASS="REPLACEABLE" ><I > z_level</I ></TT ></DT ><DD ><P >Configure compression level to <TT CLASS="REPLACEABLE" ><I > z_level</I ></TT >. 0 is disabled (no compression), 9 is highest compression.</P ></DD ></DL ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN204" ></A ><H2 >EXAMPLES</H2 ><DIV CLASS="INFORMALEXAMPLE" ><A NAME="AEN206" ></A ><P ></P ><P >Receive flows from the exporter at 10.0.0.1 port 9800. Maintain 5 Gigabytes of flow files in /flows/krc4. Mask the source and destination IP addresses contained in the flow exports with 255.255.248.0.</P ><P > <B CLASS="COMMAND" >flow-capture -w /flows/krc4 -m 255.255.248.0 -E5G 0/10.0.0.1/9800</B ></P ><P ></P ></DIV ><DIV CLASS="INFORMALEXAMPLE" ><A NAME="AEN210" ></A ><P ></P ><P >Receive flows from any exporter on port 9800. Do not perform any flow file space management. Store the exports in /flows/krc4. Emit a stat log message every 5 minutes.</P ><P > <B CLASS="COMMAND" >flow-capture -w /flows/krc4 0/0/9800 -S5</B ></P ><P ></P ></DIV ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN214" ></A ><H2 >BUGS</H2 ><P >Empty directories are not removed.</P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN217" ></A ><H2 >AUTHOR</H2 ><P >Mark Fullmer <TT CLASS="EMAIL" ><<A HREF="mailto:maf@splintered.net" >maf@splintered.net</A >></TT ></P ></DIV ><DIV CLASS="REFSECT1" ><A NAME="AEN224" ></A ><H2 >SEE ALSO</H2 ><P ><SPAN CLASS="APPLICATION" >flow-tools</SPAN >(1)</P ></DIV ></BODY ></HTML >