📄 flow-capture.html.in

📁 netflow,抓包
💻 IN
字号:
<HTML><HEAD><TITLE>flow-capture</TITLE><METANAME="GENERATOR"CONTENT="Modular DocBook HTML Stylesheet Version 1.73"></HEAD><BODYCLASS="REFENTRY"BGCOLOR="#FFFFFF"TEXT="#000000"LINK="#0000FF"VLINK="#840084"ALINK="#0000FF"><H1><ANAME="AEN1"><SPANCLASS="APPLICATION">flow-capture</SPAN></A></H1><DIVCLASS="REFNAMEDIV"><ANAME="AEN6"></A><H2>Name</H2><SPANCLASS="APPLICATION">flow-capture</SPAN>&nbsp;--&nbsp;Manage storage of flow file archives by expiring old data.</DIV><DIVCLASS="REFSYNOPSISDIV"><ANAME="AEN10"></A><H2>Synopsis</H2><P><BCLASS="COMMAND">flow-capture</B>  [-h] [-A<TTCLASS="REPLACEABLE"><I> AS0_substitution</I></TT>] [-b<TTCLASS="REPLACEABLE"><I> big|little</I></TT>] [-C<TTCLASS="REPLACEABLE"><I> comment</I></TT>] [-c<TTCLASS="REPLACEABLE"><I> flow_clients</I></TT>] [-d<TTCLASS="REPLACEABLE"><I> debug_level</I></TT>] [-D<TTCLASS="REPLACEABLE"><I> daemonize</I></TT>] [-e<TTCLASS="REPLACEABLE"><I> expire_count</I></TT>] [-f<TTCLASS="REPLACEABLE"><I> filter_fname</I></TT>] [-F<TTCLASS="REPLACEABLE"><I> filter_definition</I></TT>] [-E<TTCLASS="REPLACEABLE"><I> expire_size</I></TT>] [-m<TTCLASS="REPLACEABLE"><I> privacy_mask</I></TT>] [-n<TTCLASS="REPLACEABLE"><I> rotations</I></TT>] [-N<TTCLASS="REPLACEABLE"><I> nesting_level</I></TT>] [-p<TTCLASS="REPLACEABLE"><I> pidfile</I></TT>] [-R<TTCLASS="REPLACEABLE"><I> rotate_program</I></TT>] [-S<TTCLASS="REPLACEABLE"><I> stat_interval</I></TT>] [-t<TTCLASS="REPLACEABLE"><I> tag_fname</I></TT>] [-T<TTCLASS="REPLACEABLE"><I> active_def</I></TT>|<TTCLASS="REPLACEABLE"><I>active_def,active_def</I></TT>...] [-V<TTCLASS="REPLACEABLE"><I> pdu_version</I></TT>] [-z<TTCLASS="REPLACEABLE"><I> z_level</I></TT>] {-w<TTCLASS="REPLACEABLE"><I> workdir</I></TT>} {<TTCLASS="REPLACEABLE"><I>localip/remoteip/port</I></TT>}</P></DIV><DIVCLASS="REFSECT1"><ANAME="AEN59"></A><H2>DESCRIPTION</H2><P>The <BCLASS="COMMAND">flow-capture</B> utility will receive and storeNetFlow exports to disk.  The flow files are rotated <TTCLASS="REPLACEABLE"><I>rotations</I></TT>times per dayand expiration of old flow files can be configured by number of filesor total space utilization.  Files are stored in <TTCLASS="FILENAME">workdir</TT>and can optionally be stored in additional levels of directories.  Activefiles created by <BCLASS="COMMAND">flow-capture</B> beginwith 'tmp'.  Files that are complete begin with 'ft'.</P><P>When the <TTCLASS="REPLACEABLE"><I>remoteip</I></TT> is configured only flowsfrom that exporter will be processed, this is the most secure and recommendedconfiguration.  When the <TTCLASS="REPLACEABLE"><I>localip</I></TT> is configured<BCLASS="COMMAND">flow-capture</B> will only process flowssent to the <TTCLASS="REPLACEABLE"><I> localip</I></TT> IP address.  If<TTCLASS="REPLACEABLE"><I>remoteip</I></TT> is 0 (not configured) flows from anysource IP address are accepted.  Multiple non aggregated PDU versions maybe accepted at once to support Cisco's Catalyst 6500 NetFlowimplementation which exports from both the supervisor and MSFC with thesame IP address and same port but different export versions.  In this casethe exports will be stored in the format specified by <TTCLASS="REPLACEABLE"><I>pdu_version</I></TT> or whichever export type is received first.</P><P>NetFlow exports are UDP and do not employ congestion control or aretransmission mechanism.  If the server flow-capture is configuredon is too busy, or the network is congested or lossy NetFlow exports willbe lost.  An estimate of lost flows is recorded in the flow files, andlogged via syslog.  Most servers will provide a count of dropped packetsdue to full socket buffers via the <BCLASS="COMMAND">netstat</B> utility.For example <BCLASS="COMMAND">netstat -s | grep full</B> will provide a countof UDP packets dropped due to full socket buffers.  If this is a persistentoccurrence either <BCLASS="COMMAND">flow-capture</B> will need a larger serveror the compression level should be decreased with -z.</P><P>A SIGHUP signal will cause <BCLASS="COMMAND">flow-capture</B> to closethe current file and create a new one.</P><P>A SIGQUIT signal will cause <BCLASS="COMMAND">flow-capture</B> to closethe current file and exit.</P></DIV><DIVCLASS="REFSECT1"><ANAME="AEN81"></A><H2>OPTIONS</H2><P></P><DIVCLASS="VARIABLELIST"><DL><DT>-A<TTCLASS="REPLACEABLE"><I> AS0_substitution</I></TT></DT><DD><P>Cisco's NetFlow exports represent the local autonomous system as 0 instead ofthe real value.  This option can be used to replace the 0 in the export withthe a configured value.  Unfortunately under certain configurations AS 0 canalso represent a cache miss or non forwarded traffic so use with caution.</P></DD><DT>-b<TTCLASS="REPLACEABLE"><I> big</I></TT>|<TTCLASS="REPLACEABLE"><I>little</I></TT></DT><DD><P>Byte order of output.</P></DD><DT>-c<TTCLASS="REPLACEABLE"><I> flow_clients</I></TT></DT><DD><P>Enable <TTCLASS="REPLACEABLE"><I>flow_clients</I></TT> TCP clients.  When libwrapis available the client must be in a permit list for the serviceflow-capture-client.</P></DD><DT>-C<TTCLASS="REPLACEABLE"><I> Comment</I></TT></DT><DD><P>Add a comment.</P></DD><DT>-d<TTCLASS="REPLACEABLE"><I> debug_level</I></TT></DT><DD><P>Enable debugging.</P></DD><DT>-e<TTCLASS="REPLACEABLE"><I> expire_count</I></TT></DT><DD><P>Retain the maximum number of files so that the total file count isless than <TTCLASS="REPLACEABLE"><I>expire_count</I></TT>.  Defaults to0 (do not expire).</P></DD><DT>-E<TTCLASS="REPLACEABLE"><I> expire_size</I></TT></DT><DD><P>Retain the maximum number of files so that the total storage is lessthan <TTCLASS="REPLACEABLE"><I>expire_size</I></TT>.  The letters b,K,M,G canbe used as multipliers, ie 16 Megabytes is 16M.  Default to 0 (do not expire).</P></DD><DT>-f<TTCLASS="REPLACEABLE"><I> filter_fname</I></TT></DT><DD><P>Filter list filename.  Defaults to <TTCLASS="FILENAME">@localstatedir@/cfg/filter</TT>.</P></DD><DT>-F<TTCLASS="REPLACEABLE"><I> filter_definition</I></TT></DT><DD><P>Select the active definition.  Defaults to default.</P></DD><DT>-h</DT><DD><P>Display help.</P></DD><DT>-m<TTCLASS="REPLACEABLE"><I> privacy_mask</I></TT></DT><DD><P>Apply <TTCLASS="REPLACEABLE"><I>privacy_mask</I></TT> to the source and destination IPaddress of flows.  For example a privacy_mask of 255.255.255.0 would convertflows with source/destination IP addresses 10.1.1.1 and 10.2.2.2 to 10.1.1.0and 10.2.2.0 respectively.</P></DD><DT>-n<TTCLASS="REPLACEABLE"><I> rotations</I></TT></DT><DD><P>Configure the number of times flow-capture will create a new file per day.The default is 95, or every 15 minutes.</P></DD><DT>-N<TTCLASS="REPLACEABLE"><I> nesting_level</I></TT></DT><DD><P>Configure the nesting level for storing flow files.  The default is 0.   -3    YYYY/YYYY-MM/YYYY-MM-DD/flow-file   -2    YYYY-MM/YYYY-MM-DD/flow-file   -1    YYYY-MM-DD/flow-file    0    flow-file    1    YYYY/flow-file    2    YYYY/YYYY-MM/flow-file    3    YYYY/YYYY-MM/YYYY-MM-DD/flow-file</P></DD><DT>-p<TTCLASS="REPLACEABLE"><I> pidfile</I></TT></DT><DD><P>Configure the process ID file.  Use - to disable pid file creation.</P></DD><DT>-R<TTCLASS="REPLACEABLE"><I> rotate_program</I></TT></DT><DD><P>Execute <TTCLASS="REPLACEABLE"><I>rotate_program</I></TT> with the first argumentas the flow file name after rotating it.</P></DD><DT>-S<TTCLASS="REPLACEABLE"><I> stat_interval</I></TT></DT><DD><P>When configured <BCLASS="COMMAND">flow-capture</B> will log a timestampedmessage every <TTCLASS="REPLACEABLE"><I>stat_interval</I></TT> minutesindicating counters such as the number of flows received, packets processed,and lost flows.</P></DD><DT>-t<TTCLASS="REPLACEABLE"><I> tag_fname</I></TT></DT><DD><P>Load tags from <TTCLASS="FILENAME">tag_name</TT></P></DD><DT>-T<TTCLASS="REPLACEABLE"><I> active_def</I></TT>|<TTCLASS="REPLACEABLE"><I>active_def,active_def...</I></TT></DT><DD><P>Use <TTCLASS="REPLACEABLE"><I>active_def</I></TT> as the active tag definition(s).</P></DD><DT>-V<TTCLASS="REPLACEABLE"><I> pdu_version</I></TT></DT><DD><P>Use <TTCLASS="REPLACEABLE"><I>pdu_version</I></TT> format output.<PCLASS="LITERALLAYOUT">&nbsp;&nbsp;&nbsp;&nbsp;1&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;1&nbsp;(No&nbsp;sequence&nbsp;numbers,&nbsp;AS,&nbsp;or&nbsp;mask)<br>&nbsp;&nbsp;&nbsp;&nbsp;5&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;5<br>&nbsp;&nbsp;&nbsp;&nbsp;6&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;6&nbsp;(5+&nbsp;Encapsulation&nbsp;size)<br>&nbsp;&nbsp;&nbsp;&nbsp;7&nbsp;&nbsp;&nbsp;&nbsp;NetFlow&nbsp;version&nbsp;7&nbsp;(Catalyst&nbsp;switches)<br>&nbsp;&nbsp;&nbsp;&nbsp;8.1&nbsp;&nbsp;NetFlow&nbsp;AS&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;8.2&nbsp;&nbsp;NetFlow&nbsp;Proto&nbsp;Port&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;8.3&nbsp;&nbsp;NetFlow&nbsp;Source&nbsp;Prefix&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;8.4&nbsp;&nbsp;NetFlow&nbsp;Destination&nbsp;Prefix&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;8.5&nbsp;&nbsp;NetFlow&nbsp;Prefix&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;8.6&nbsp;&nbsp;NetFlow&nbsp;Destination&nbsp;(Catalyst&nbsp;switches)<br>&nbsp;&nbsp;&nbsp;&nbsp;8.7&nbsp;&nbsp;NetFlow&nbsp;Source&nbsp;Destination&nbsp;(Catalyst&nbsp;switches)<br>&nbsp;&nbsp;&nbsp;&nbsp;8.8&nbsp;&nbsp;NetFlow&nbsp;Full&nbsp;Flow&nbsp;(Catalyst&nbsp;switches)<br>&nbsp;&nbsp;&nbsp;&nbsp;8.9&nbsp;&nbsp;NetFlow&nbsp;ToS&nbsp;AS&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;8.10&nbsp;NetFlow&nbsp;ToS&nbsp;Proto&nbsp;Port&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;8.11&nbsp;NetFlow&nbsp;ToS&nbsp;Source&nbsp;Prefix&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;8.12&nbsp;NetFlow&nbsp;ToS&nbsp;Destination&nbsp;Prefix&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;8.13&nbsp;NetFlow&nbsp;ToS&nbsp;Prefix&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;8.14&nbsp;NetFlow&nbsp;ToS&nbsp;Prefix&nbsp;Port&nbsp;Aggregation<br>&nbsp;&nbsp;&nbsp;&nbsp;1005&nbsp;Flow-Tools&nbsp;tagged&nbsp;version&nbsp;5</P></P></DD><DT>-w<TTCLASS="REPLACEABLE"><I> workdir</I></TT></DT><DD><P>Work in <TTCLASS="FILENAME">workdir</TT>.</P></DD><DT>-z<TTCLASS="REPLACEABLE"><I> z_level</I></TT></DT><DD><P>Configure compression level to <TTCLASS="REPLACEABLE"><I> z_level</I></TT>.  0 isdisabled (no compression), 9 is highest compression.</P></DD></DL></DIV></DIV><DIVCLASS="REFSECT1"><ANAME="AEN204"></A><H2>EXAMPLES</H2><DIVCLASS="INFORMALEXAMPLE"><ANAME="AEN206"></A><P></P><P>Receive flows from the exporter at 10.0.0.1 port 9800.  Maintain 5 Gigabytesof flow files in /flows/krc4.  Mask the source and destination IP addressescontained in the flow exports with 255.255.248.0.</P><P>  <BCLASS="COMMAND">flow-capture -w /flows/krc4 -m 255.255.248.0 -E5G 0/10.0.0.1/9800</B></P><P></P></DIV><DIVCLASS="INFORMALEXAMPLE"><ANAME="AEN210"></A><P></P><P>Receive flows from any exporter on port 9800.  Do not perform any flowfile space management.  Store the exports in /flows/krc4.  Emit a statlog message every 5 minutes.</P><P>  <BCLASS="COMMAND">flow-capture -w /flows/krc4 0/0/9800 -S5</B></P><P></P></DIV></DIV><DIVCLASS="REFSECT1"><ANAME="AEN214"></A><H2>BUGS</H2><P>Empty directories are not removed.</P></DIV><DIVCLASS="REFSECT1"><ANAME="AEN217"></A><H2>AUTHOR</H2><P>Mark Fullmer<TTCLASS="EMAIL">&#60;<AHREF="mailto:maf@splintered.net">maf@splintered.net</A>&#62;</TT></P></DIV><DIVCLASS="REFSECT1"><ANAME="AEN224"></A><H2>SEE ALSO</H2><P><SPANCLASS="APPLICATION">flow-tools</SPAN>(1)</P></DIV></BODY></HTML>
💿 文件大小 946 K
👤 上传用户 jackjinke
📂 所属分类网络
🏷️ 相关标签

#netflow
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -