— Manage storage of flow file archives by expiring
[-hu] [-b big|little
] [-C comment
] [-d debug_level
] [-D daemonize
] [-f filter_fname
] [-F filter_definition
] [-n rotations
] [-N nesting_level
] [-R rotate_program
] [-S stat_interval
] [-T active_def
] [-z z_level
] -w workdir
] [-X xlate_definition
utility will receive and store NetFlow exports to disk.
The flow files are rotated rotations
times per day and expiration of old
flow files can be configured by number of files or total space utilization.
Files are stored in workdir
and can optionally be stored in additional
levels of directories. Active files created by flow-capture
'tmp'. Files that are complete begin with 'ft'.
When the remoteip
is configured only flows from that exporter will be
processed, this is the most secure and recommended configuration. When the
is configured flow-capture
will only process flows sent
to the localip
IP address. If remoteip
is 0 (not configured)
flows from any source IP address are accepted. Multiple non aggregated PDU
versions may be accepted at once to support Cisco's Catalyst 6500 NetFlow
implementation which exports from both the supervisor and MSFC with the same
IP address and same port but different export versions. In this case the
exports will be stored in the format specified by pdu_version
whichever export type is received first.
NetFlow exports are UDP and do not employ congestion control or a retransmission
mechanism. If the server flow-capture is configured on is too busy, or the
network is congested or lossy NetFlow exports will be lost. An estimate of
lost flows is recorded in the flow files, and logged via syslog. Most servers
will provide a count of dropped packets due to full socket buffers via the
utility. For example netstat -s | grep full
a count of UDP packets dropped due to full socket buffers. If this is a
persistent occurrence either flow-capture
will need a larger server or
the compression level should be decreased with -z.
A SIGHUP signal will cause flow-capture
to close the current file and
create a new one.
A SIGQUIT or SIGTERM signal will cause flow-capture
to close the current
file and exit.
- -b big|little
- Byte order of output.
- -c flow_clients
- Enable flow_clients TCP clients. When libwrap is
available the client must be in a permit list for the service
- -C Comment
- Add a comment.
- -d debug_level
- Enable debugging.
- -e expire_count
- Retain the maximum number of files so that the total file
count is less than expire_count. Defaults to 0 (do not
- -E expire_size
- Retain the maximum number of files so that the total
storage is less than expire_size. The letters b,K,M,G can be used
as multipliers, ie 16 Megabytes is 16M. Default to 0 (do not expire).
- -f filter_fname
- Filter list filename. Defaults to
- -F filter_definition
- Select the active definition. Defaults to default.
- Display help.
- -n rotations
- Configure the number of times flow-capture will create a
new file per day. The default is 95, or every 15 minutes.
- -N nesting_level
- Configure the nesting level for storing flow files. The
default is 0.
- -p pidfile
- Configure the process ID file. Use - to disable pid file
- -R rotate_program
- Execute rotate_program with the first argument as
the flow file name after rotating it.
- -S stat_interval
- When configured flow-capture will log a timestamped
message every stat_interval minutes indicating counters such as the
number of flows received, packets processed, and lost flows.
- -t tag_fname
- Load tags from tag_name
- -T active_def|active_def,active_def...
- Use active_def as the active tag definition(s).
- Preserve inherited umask. By default the umask will be set
- -V pdu_version
- Use pdu_version format output.
1 NetFlow version 1 (No sequence numbers, AS, or mask)
5 NetFlow version 5
6 NetFlow version 6 (5+ Encapsulation size)
7 NetFlow version 7 (Catalyst switches)
8.1 NetFlow AS Aggregation
8.2 NetFlow Proto Port Aggregation
8.3 NetFlow Source Prefix Aggregation
8.4 NetFlow Destination Prefix Aggregation
8.5 NetFlow Prefix Aggregation
8.6 NetFlow Destination (Catalyst switches)
8.7 NetFlow Source Destination (Catalyst switches)
8.8 NetFlow Full Flow (Catalyst switches)
8.9 NetFlow ToS AS Aggregation
8.10 NetFlow ToS Proto Port Aggregation
8.11 NetFlow ToS Source Prefix Aggregation
8.12 NetFlow ToS Destination Prefix Aggregation
8.13 NetFlow ToS Prefix Aggregation
8.14 NetFlow ToS Prefix Port Aggregation
1005 Flow-Tools tagged version 5
- -w workdir
- Work in workdir.
- -x xlate_fname
- Translation config file name. Defaults to
- -X xlate_definition
- Translation definition. Defaults to default.
- -z z_level
- Configure compression level to z_level. 0 is
disabled (no compression), 9 is highest compression.
Receive flows from the exporter at 10.0.0.1 port 9800. Maintain 5 Gigabytes of
flow files in /flows/krc4. Mask the source and destination IP addresses
contained in the flow exports with 255.255.248.0.
flow-capture -w /flows/krc4 -m 255.255.248.0 -E5G 0/10.0.0.1/9800
Receive flows from any exporter on port 9800. Do not perform any flow file space
management. Store the exports in /flows/krc4. Emit a stat log message every 5
flow-capture -w /flows/krc4 0/0/9800 -S5
Empty directories are not removed.
Tag - /etc/flow-tools/cfg/tag.cfg
Filter - /etc/flow-tools/cfg/filter.cfg
Xlate - /etc/flow-tools/cfg/xlate.cfg
Mark Fullmer email@example.com