SOFTFLOWD(8) BSD System Manager's Manual SOFTFLOWD(8)NAMEsoftflowd — Traffic flow monitoring
SYNOPSISsoftflowd [-6dDh] [-i interface] [-r pcap_file] [-t timeout_name=seconds]
[-m max_flows] [-n host:port] [-p pidfile] [-c ctl_sock]
[-L hoplimit] [-T track_level] [bpf_program]
DESCRIPTIONsoftflowd is a software implementation of a flow-based network traffic
monitor. softflowd reads network traffic and gathers information about
active traffic flows. A "traffic flow" is communication between two IP
addresses or (if the overlying protocol is TCP or UDP) address/port
tuples.
The intended use of softflowd is as a software implementation of Cisco's
NetFlow(tm) traffic account system. softflowd supports data export using
versions 1, 5 or 9 of the NetFlow protocol. softflowd can also run in
statistics-only mode, where it just collects summary information. How‐
ever, too few statistics are collected to make this mode really useful
for anything other than debugging.
Network traffic may be obtained by listening on a promiscuous network
interface or by reading stored pcap(3) files, such as those written by
tcpdump(8). Traffic may be filtered with an optional bpf(4) program,
specified on the command-line as bpf_prog. softflowd is IPv6 capable and
will track IPv6 flows if the NetFlow export protocol supports it (cur‐
rently only NetFlow v.9 possesses an IPv6 export capability).
softflowd tries to track only active traffic flows. When the flow has
been quiescent for a period of time it is expired automatically. Flows
may also be expired early if they approach their traffic counts exceed
2Gb or if the number of flows being tracked exceeds max_flows (default:
8192). In this last case, flows are expired oldest-first.
Upon expiry, the flow information is accumulated into statistics which
may be viewed using softflowctl(8). If the -n option has been specified
the flow informaion is formatted in a UDP datagram which is compatible
with versions 1, 5 or 9 of Cisco's NetFlow(tm) accounting export format.
These records are sent to the specified host and port. The host may rep‐
resent a unicast host or a multicast group.
The command-line options are as follows:
-n host:port
Specify the host and port that the accounting datagrams are to be
sent to. The host may be specified using a hostname or using a
numeric IPv4 or IPv6 address. Numeric IPv6 addresses should be
encosed in square brackets to avoid ambiguity between the address
and the port. The destination port may be a portname listed in
services(5) or a numeric port.
-i interface
Specify a network interface on which to listen for traffic.
Either the -i or the -r options must be specified.
-r pcap_file
Specify that softflowd should read from a pcap(3) packet capture
(such as one created with the -w option of tcpdump(8)) file
rather than a network interface. softflowd processes the whole
capture file and only expires flows when max_flows is exceeded.
In this mode, softflowd will not fork and will automatically
print summary statistics before exiting.
-p pidfile
Specify an alternate location to store the process-id when in
daemon mode. Default is /var/run/softflowd.pid
-c ctlsock
Specify an alternate location for the remote control socket in
daemon mode. Default is /var/run/softflowd.pid
-m max_flows
Specifies the maximum number of flow to concurrently track. If
this limit is exceeded, the flows which have least recently seen
traffic are forcibly expired. In practice, the actual maximum
may briefly exceed this limit by a small amount as expiry pro‐
cessing happens less frequently than traffic collection. The
default is 8192 flows, which corresponds to slightly less than
800k of working data.
-t timeout_name=time
Set the timeout names timeout_name to time Refer to the Timeouts
section for the valid timeout names and their meanings. The time
parameter may be specified using one of the formats explained in
the Time Formats section below.
-d Specify that softflowd should not fork and daemonise itself.
-6 Forces softflowd To track IPv6 flows even if the NetFlow export
protocol does not support reporting them. This is useful for
debugging and statistics gathering only.
-D Places softflowd in a debugging mode. This implies the -d and -6
flags and turns on additional debugging output.
-h Displays commandline usage information.
-L hoplimit
Sets the IPv4 TTL or the IPv6 hop limit to hoplimit. softflowd
will use the default system TTL when exporting flows to a unicast
host. When exporting to a multicast group, the default TTL will
be 1 (i.e. link-local).
-T track_level
Specifies what flow elements softflowd should be used to define a
flow. track_level may be one of: “full” (track everything in the
flow, the default), “proto” (track source and destination
addresses and protocol), or “ip” (only track source and destina‐
tion addresses). Selecting either of the latter options will
produce flows with less information in them (e.g. TCP/UDP ports
will not be recorded). This will cause flows to be consolidated,
reducing the quantity of output and CPU load that softflowd will
place on the system at the cost of some detail.
Any further commandline arguments will be concatenated together and
applied as a bpf(4) packet filter. This filter will cause softflowd to
ignore the specified traffic.
Timeouts
softflowd will expire quiescent flows after user-configurable periods.
The exact timeout used depends on the nature of the flow. The various
timeouts that may be set from the command-line (using the -t option) and
their meanings are:
general
This is the general timeout applied to all traffic unless over‐
ridden by one of the other timeouts.
tcp This is the general TCP timeout, applied to open TCP connections.
tcp.rst
This timeout is applied to a TCP connection when a RST packet has
been sent by one or both endpoints.
tcp.fin
This timeout is applied to a TCP connection when a FIN packet has
been sent by both endpoints.
udp This is the general UDP timeout, applied to all UDP connections.
maxlife
This is the maximum lifetime that a flow may exist for. All
flows are forcibly expired when they pass maxlife seconds. To
disable this feature, specify a maxlife of 0.
expint Specify the interval between expiry checks. Increase this to
group more flows into a NetFlow packet. To disable this feature,
specify a expint of 0.
Flows may also be expired if there are not enough flow entries to hold
them or if their traffic exceeds 2Gb in either direction. softflowctl(8)
may be used to print information on the average lifetimes of flows and
the reasons for their expiry.
Time Formats
softflowd command-line arguments that specify time may be expressed using
a sequence of the form: time[qualifier], where time is a positive integer
value and qualifier is one of the following:
<none> seconds
s | S seconds
m | M minutes
h | H hours
d | D days
w | W weeks
Each member of the sequence is added together to calculate the total time
value.
Time format examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
Run-time Control
A daemonised softflowd instance may be controlled using the
softflowctl(8) command. This interface allows one to shut down the dae‐
mon, force expiry of all tracked flows and extract debugging and summary
data. Also, upon receipt of a SIGTERM or softflowd will cause softflowd
to exit, after expiring all flows (and thus sending flow export packets
if --n was specified on the commandline). If you do not want to export
flows upon shutdown, clear them first with softflowctl(8).
EXAMPLESsoftflowd-i fxp0
This commandlie will cause softflowd to listen on interface fxp0
and to run in statistics gathering mode only (i.e no NetFlow data
export).
softflowd-i fxp0 -n10.1.0.2:4432
This commandlie will cause softflowd to listen on interface fxp0
and to export NetFlow v.5 datagrams on flow expiry to a flow col‐
lector running on 10.1.0.2 port 4432.
softflowd-v 5 -i fxp0 -n10.1.0.2:4432 -m 65536 -t udp=1m30s
This commandline increases the number of concurrent flows that
softflowd will track to 65536 and increases the timeout for UDP
flows to 90 seconds.
softflowd-v 9 -i fxp0 -n224.0.1.20:4432 -L 64
This commandline will export NetFlow v.9 flows to the multicast
group 224.0.1.20. The export datagrams will have their TTL set
to 64, so multicast receivers can be many hops away.
softflowd-i fxp0 -p /var/run/sfd.pid.fxp0 -c /var/run/sfd.ctl.fxp0
This commandline specifies alternate locations for the control
socket and pid file. Similar commandlines are useful when run‐
ning multiple instances of softflowd on a single machine.
FILES
/var/run/softflowd.pid
This file stores the process-id when softflowd is in daemon mode.
This location may be overridden using the -p command-line option.
/var/run/softflowd.ctl
This is the remote control socket. softflowd listens on this
socket for commands from softflowctl(8). This location may be
overridden using the -c command-line option.
BUGS
Currently softflowd does not handle maliciously fragmented packets prop‐
erly, i.e. packets fragemented such that the UDP or TCP header does not
fit into the first fragment. It will product correct traffic counts when
presented with maliciously fragmented packets, but will not record TCP or
UDP port information.
AUTHORS
Damien Miller <djm@mindrot.org>
SEE ALSOsoftflowctl(8), tcpdump(8), pcap(3), bpf(4)
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_0/nfc_ug/nfcform.htm
BSD October 14, 2002 BSD
