MAN page from CentOS Other silk-flowcap-3.19.1-3.el8.x86_64.rpm


Section: SiLK Tool Suite (8)
Updated: 2021-01-04


flowcap - Capture network flow data and write it to temporary files 


Synopsis

  flowcap --destination-directory=DIR_PATH
          --sensor-configuration=FILENAME [--probes=NAME[,NAME...]]
          --max-file-size=SIZE [--fc-version=NUM]
          [--timeout=TIMEOUT] [--clock-time[=OFFSET]]
          [--freespace-minimum=SIZE] [--space-maximum-percent=NUM]
          [--compression-method=COMP_METHOD]
          { --log-destination=DESTINATION
            | --log-pathname=FILE_PATH
            | --log-directory=DIR_PATH [--log-basename=LOG_BASENAME]
              [--log-post-rotate=COMMAND] }
          [--log-level=LEVEL] [--log-sysfacility=NUMBER]
          [--pidfile=FILE_PATH] [--no-chdir] [--no-daemon]

Help options:

  flowcap --sensor-configuration=FILE_PATH
          { --verify-sensor-config | --verify-sensor-config=VERBOSE }

  flowcap --help

  flowcap --version


Description

flowcap is a daemon that collects records from routers, flowmeters, and devices that produce network flow data. The records are written in the SiLK Flow record format to temporary files on disk. flowcap may collect NetFlow records (versions 5 or 9), IPFIX records (Internet Protocol Flow Information eXport) such as those generated by yaf(1), or sFlow records.

The SiLK Flow files produced by flowcap are meant to be used only for temporary storage. For longer-term storage, the records should be processed by the rwflowpack(8) daemon, which assigns values to each record depending on where it was collected and writes the record to an hourly file that is stored in a directory tree.

As flowcap receives flow records, it stores them in files in the location specified by the --destination-directory switch. These files are closed on quantum boundaries, with one file per flow source per quantum. A quantum is either the amount of time represented by the --timeout switch or the file size represented by the --max-file-size switch, whichever is reached first.

To transfer the files to rwflowpack, flowcap works in tandem with the rwsender(8) program. rwsender polls the storage directory and sends the files it finds there to an rwreceiver(8) process for processing by rwflowpack.

flowcap produces files that are named PROBE_YYYYMMDDhhmmss.XXXXXX, where PROBE is the name of the probe, YYYY is the current year, MM is the current month, DD is the current day, hh is the current hour, mm is the current minute, ss is the current second, and XXXXXX is a random six-character string.
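Because flowcap only holds the files until rwsender picks them up, the most useful check on a collector is whether that hand-off is keeping up: a file whose embedded timestamp is older than a couple of quanta should already have been sent and removed, and a growing pile of such files means the destination directory is filling toward the point where flowcap exits. The following is an added example, not code from SiLK, that parses the naming scheme above and lists such files. It assumes the random suffix is six ASCII alphanumerics, that the timestamp is UTC and marks when the file was opened, and uses an operator-chosen tolerance of two quanta; the directory listing and the "current time" are constructed for the demonstration.

```python
# Added example (not SiLK code): parse the file names flowcap writes into its
# --destination-directory and flag files rwsender should already have drained.
# Assumptions: the random suffix is six ASCII alphanumerics, the timestamp in the
# name is UTC and marks when the file was opened, and a two-quantum tolerance.
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

_NAME_RE = re.compile(r"^(?P<probe>.+)_(?P<ts>\d{14})\.(?P<rand>[A-Za-z0-9]{6})$")


class FlowcapFile(NamedTuple):
    name: str
    probe: str
    opened: datetime


def parse_flowcap_name(name: str) -> Optional[FlowcapFile]:
    """Return probe and timestamp from PROBE_YYYYMMDDhhmmss.XXXXXX, or None for
    anything else (lock files, partial transfers, stray files)."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    try:
        opened = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")
    except ValueError:  # fourteen digits that are not a calendar date
        return None
    return FlowcapFile(name, m.group("probe"), opened.replace(tzinfo=timezone.utc))


def backlog(names: List[str], now: datetime, timeout: int, slack: int = 2) -> List[FlowcapFile]:
    """Files whose embedded timestamp is older than SLACK * TIMEOUT seconds.

    flowcap closes a file at most TIMEOUT seconds after opening it, so a file this
    old is closed and should have been sent and removed by rwsender.  A growing
    result means the hand-off is stalled and the disk will fill until flowcap
    exits (see --freespace-minimum).  SLACK is an operator tolerance assumed here."""
    threshold = now - timedelta(seconds=slack * timeout)
    stale = [f for f in map(parse_flowcap_name, names) if f is not None and f.opened < threshold]
    return sorted(stale, key=lambda f: f.opened)


# Constructed sample directory listing and "current time" for the demonstration.
SAMPLE_NAMES = [
    "S1_20210104120000.aB3x9Q",
    "S1_20210104120100.Zz0pLk",
    "S1_20210104123000.Qq1ws2",
    "router-east_20210104122959.x7Y8z9",
    ".S1_20210104120000.aB3x9Q.lock",  # not a flowcap output file
]
NOW = datetime(2021, 1, 4, 12, 31, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in backlog(SAMPLE_NAMES, NOW, timeout=900):
        print(f"stale: {f.name} (probe {f.probe}, opened {f.opened:%H:%M:%S}Z)")
```

Run against the real directory with os.listdir() and the configured --timeout; with the default 60-second timeout the tolerance is only two minutes, so raise slack if rwsender legitimately polls less often.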


Options

Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.

For the following options, a SIZE may be given as an ordinary integer, or as a real number followed by a suffix "K", "M", "G", or "T", which represents the numerical value multiplied by 1,024 (kilo), 1,048,576 (mega), 1,073,741,824 (giga), and 1,099,511,627,776 (tera), respectively. For example, 1.5K represents 1,536 bytes, or one and one-half kilobytes.

General Configuration Switches

--destination-directory=DIR_PATH
    Store aggregated packed flow files in this directory for processing by rwsender. DIR_PATH must be a complete directory path. This switch is required.

--sensor-configuration=FILENAME
    Give the path to the configuration file that flowcap consults to determine how to collect flow records. The complete syntax of the configuration file is described in the sensor.conf(5) manual page; see also the SiLK Installation Handbook. This switch is required.

--probes=NAME[,NAME...]
    Choose which of the probes described in the sensor configuration file will be used by flowcap. The default is to use all of the probes defined in the configuration file. This switch instructs flowcap to use only the specifically named probes.

--max-file-size=SIZE
    Set the approximate maximum size of flowcap files to SIZE bytes. If a flowcap file exceeds SIZE bytes, it is closed and a new file is created and used. In addition, before opening an output file, flowcap ensures there are SIZE bytes of free space available, and exits if there are not. This switch is required.

--timeout=TIMEOUT
    Set the maximum duration that a flowcap output file remains open to TIMEOUT seconds. When the --clock-time switch is given, the first duration may be less than TIMEOUT seconds. If the --timeout switch is not specified, flowcap uses a default of 60 seconds.

--clock-time[=OFFSET]
    Force flowcap to close its files at predictable times. When this switch is provided, flowcap closes its output files at OFFSET seconds after midnight (UTC of the current day) and at every TIMEOUT seconds thereafter. The default value of OFFSET is 0. For example, --timeout=900 --clock-time=300 causes flowcap to close its output files at the 05, 20, 35, and 50 minute points in each hour. Even with this switch, files are still closed if they exceed the size specified by --max-file-size.

--fc-version=NUM
    Choose the record version for the files of IPv4 flow records that flowcap produces. Valid values are 2, 3, 4, and 5, and the default is 5. This switch is ignored for probes that support IPv6 addresses.

--freespace-minimum=SIZE
    Set the minimum free space to maintain on the file system where the --destination-directory is located. By default, flowcap assumes that it has full rein over the file system on which it writes its files. The default is to leave 1GB of free space. If flowcap fills this space, it exits. Flows that arrive while flowcap is not running are lost. See also --space-maximum-percent.

--space-maximum-percent=NUM
    Use no more than this percentage of the file system containing the --destination-directory. The default is to use no more than 98% of the file system. If flowcap fills this space, it exits. See also --freespace-minimum.
--compression-method=COMP_METHOD
    Specify the compression library to use when writing output files. When no compression method is specified, flowcap files are compressed using the "best" method, regardless of the default chosen when SiLK was compiled. The valid values for COMP_METHOD are determined by which external libraries were found when SiLK was compiled. To see the available compression methods and the default method, use the --help or --version switch. SiLK can support the following COMP_METHOD values when the required libraries are available.

    none
        Do not compress the output using an external library.

    zlib
        Use the zlib(3) library for compressing the output. Using zlib produces the smallest output files at the cost of speed.

    lzo1x
        Use the lzo1x algorithm from the LZO real time compression library for compression. This compression provides good compression with less memory and CPU overhead.

    snappy
        Use the snappy library for compression. This compression provides good compression with less memory and CPU overhead. Since SiLK 3.13.0.

    best
        Use lzo1x if available, otherwise use snappy if available, otherwise use zlib if available.
--verify-sensor-config[=VERBOSE]
    Verify that the syntax of the sensor configuration file is correct and then exit flowcap. If the file is incorrect or if it does not define any probes, an error message is printed and flowcap exits abnormally. If the file is correct and no argument is provided to the --verify-sensor-config switch, flowcap simply exits with status 0. If an argument (other than the empty string and 0) is provided to the switch, the names of the probes found in the sensor configuration file are printed to the standard output, and then flowcap exits.

--help
    Print the available options and exit.

--version
    Print the version number and information about how SiLK was configured, then exit the application.
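Three of the rules above are easy to get wrong when sizing a collector: the SIZE suffix grammar, the interaction of --max-file-size, --freespace-minimum and --space-maximum-percent (any one of them can stop flowcap from opening another file, and a stopped flowcap loses flows), and the --clock-time schedule that makes the first file shorter than TIMEOUT. The block below is an added example, not SiLK code, that models those rules so they can be checked for a planned configuration. The order in which flowcap evaluates the space checks, rounding of fractional sizes, and behaviour across midnight are not stated on this page and are assumptions of the example.

```python
# Added example (not SiLK code) modelling three rules from the option list above:
# the SIZE suffix grammar, the disk-space conditions under which flowcap refuses
# to open a new output file, and the --clock-time close schedule.  Evaluation
# order of the space checks, rounding, and behaviour past midnight are
# assumptions; the page states the conditions only.
from fractions import Fraction
from typing import List

_MULT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(text: str) -> int:
    """'1.5K' -> 1536; '10' -> 10.  A fractional value needs a suffix, and the
    result is truncated to whole bytes (rounding is an assumption)."""
    text = text.strip()
    suffix = text[-1] if text and text[-1].isalpha() else ""
    if suffix not in _MULT:
        raise ValueError(f"unknown SIZE suffix in {text!r}")
    number = text[:-1] if suffix else text
    if not suffix and not number.isdigit():
        raise ValueError(f"SIZE without a suffix must be an integer: {text!r}")
    value = Fraction(number) * _MULT[suffix]
    if value < 0:
        raise ValueError(f"SIZE must not be negative: {text!r}")
    return int(value)


def refusal_reasons(free_bytes: int, total_bytes: int, max_file_size: int,
                    freespace_minimum: int = 1024 ** 3,
                    space_maximum_percent: float = 98.0) -> List[str]:
    """Reasons flowcap would not open another output file (empty = proceed).
    Defaults mirror the documented ones: 1 GB minimum free, 98 % maximum use."""
    reasons = []
    if free_bytes < max_file_size:
        reasons.append("fewer than --max-file-size bytes free")
    if free_bytes < freespace_minimum:
        reasons.append("free space below --freespace-minimum")
    used_percent = 100.0 * (total_bytes - free_bytes) / total_bytes
    if used_percent > space_maximum_percent:
        reasons.append("usage above --space-maximum-percent")
    return reasons


def close_boundaries(timeout: int, offset: int = 0) -> List[int]:
    """Seconds after midnight UTC at which files close under
    --timeout=TIMEOUT --clock-time=OFFSET, for one day."""
    if timeout <= 0 or offset < 0:
        raise ValueError("TIMEOUT must be positive and OFFSET non-negative")
    return list(range(offset, 86400, timeout))


def next_close(now_seconds: int, timeout: int, offset: int = 0) -> int:
    """Next boundary at or after NOW_SECONDS (seconds after midnight UTC).  A file
    opened between boundaries closes at the next one, which is why the first
    file's lifetime can be shorter than TIMEOUT."""
    if now_seconds <= offset:
        return offset
    intervals = -(-(now_seconds - offset) // timeout)  # ceiling division
    return offset + intervals * timeout


if __name__ == "__main__":
    print(parse_size("1.5K"))  # 1536
    print(refusal_reasons(50 * 1024 ** 2, 100 * 1024 ** 3, parse_size("100M")))
    print([b // 60 for b in close_boundaries(900, 300) if b < 3600])  # [5, 20, 35, 50]
    print(next_close(600, 900, 300))  # 1200
```

Feed refusal_reasons() the values from os.statvfs() on the destination file system to see how much headroom a given --max-file-size leaves before the daemon would exit; note that --max-file-size is required and its free-space check applies even when the other two thresholds are generous.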

Logging and Daemon Configuration Switches

The switches in this section determine the type of log messages that flowcap generates and where those messages are written.

One of the following switches is required:

--log-destination=DESTINATION
    Specify the destination where logging messages are written. When DESTINATION begins with a slash "/", it is treated as a file system path and all log messages are written to that file; there is no log rotation. When DESTINATION does not begin with "/", it must be one of the following strings:

    none
        Messages are not written anywhere.

    stdout
        Messages are written to the standard output.

    stderr
        Messages are written to the standard error.

    syslog
        Messages are written using the syslog(3) facility.

    both
        Messages are written to the syslog facility and to the standard error (this option is not available on all platforms).
--log-directory=DIR_PATH
    Use DIR_PATH as the directory to which the log files are written; DIR_PATH must be a complete directory path. Each log file name contains YYYYMMDD, the current date, and LOG_BASENAME, which is the application name or the value passed to the --log-basename switch when provided. The log files are rotated: at midnight local time, a new log is opened, the previous file is closed, and the command specified by --log-post-rotate is invoked on the previous day's log file. (Old log files are not removed by flowcap; the administrator should use another tool to remove them.) When this switch is provided, a process-ID file (PID) is also written in this directory unless the --pidfile switch is provided.

--log-pathname=FILE_PATH
    Use FILE_PATH as the complete path to the log file. The log file is not rotated.

The following switches are optional:

--log-level=LEVEL
    Set the severity of messages that are logged. The levels from most severe to least are: "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug". The default is "info".

--log-sysfacility=NUMBER
    Set the facility that syslog(3) uses for logging messages. This switch takes a number as an argument. The default is a value that corresponds to "LOG_USER" on the system where flowcap is running. This switch produces an error unless --log-destination=syslog is specified.

--log-basename=LOG_BASENAME
    Use LOG_BASENAME in place of the application name in the name of log files in the log directory. See the description of the --log-directory switch. This switch does not affect the name of the process-ID file.

--log-post-rotate=COMMAND
    Run COMMAND on the previous day's log file after log rotation. When this switch is not specified, the previous day's log file is compressed with gzip(1). When the switch is specified and COMMAND is the empty string, no action is taken on the log file. Each occurrence of the string %s in COMMAND is replaced with the full path to the log file, and each occurrence of "%%" is replaced with "%". If any other character follows "%", flowcap exits with an error. Specifying this switch without also using --log-directory is an error.

--pidfile=FILE_PATH
    Set the complete path to the file in which flowcap writes its process ID (PID) when it is running as a daemon. No PID file is written when --no-daemon is given. When this switch is not present, no PID file is written unless the --log-directory switch is specified, in which case the PID is written to LOGPATH/

--no-chdir
    Do not change directory to the root directory. When flowcap becomes a daemon process, it changes its current directory to the root directory so as to avoid potentially running on a mounted file system. Specifying --no-chdir prevents this behavior, which may be useful during debugging. The application does not change its directory when --no-daemon is given.

--no-daemon
    Force flowcap to run in the foreground; it does not become a daemon process. This may be useful during debugging.
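The --log-post-rotate substitution rules are small but worth getting exactly right, since COMMAND is executed by the daemon with the daemon's privileges and receives a path the daemon chose. The following is an added example, not SiLK's implementation, of the documented expansion ("%s" becomes the rotated log's full path, "%%" becomes "%", any other character after "%" is an error) together with the default and empty-string cases. Splitting COMMAND into words with shlex before substituting, so that the log path stays a single argument even if it contains spaces, is this example's own design choice; the page does not say how flowcap hands COMMAND to the system. The archive-log command and the log path in the demonstration are constructed.

```python
# Added example (not SiLK code): expand a --log-post-rotate COMMAND using the
# documented rules ("%s" -> log path, "%%" -> "%", anything else after "%" is an
# error), and build the argv the default and empty-string cases imply.
# Splitting with shlex before substituting, so the log path stays one argument
# even if it contains spaces, is this example's choice; the page does not say how
# flowcap hands COMMAND to the system.
import shlex
from typing import List, Optional


class PostRotateError(ValueError):
    """Malformed COMMAND: flowcap exits with an error in this case."""


def expand_post_rotate(command: str, log_path: str) -> str:
    out = []
    i = 0
    while i < len(command):
        ch = command[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(command):
            raise PostRotateError("'%' at end of COMMAND")
        esc = command[i + 1]
        if esc == "s":
            out.append(log_path)
        elif esc == "%":
            out.append("%")
        else:
            raise PostRotateError(f"unsupported escape '%{esc}' in COMMAND")
        i += 2
    return "".join(out)


def post_rotate_argv(command: Optional[str], log_path: str) -> List[str]:
    """None = switch not given (gzip the file); "" = take no action; otherwise
    expand each whitespace-separated word of COMMAND separately."""
    if command is None:
        return ["gzip", log_path]
    if command == "":
        return []
    return [expand_post_rotate(word, log_path) for word in shlex.split(command)]


if __name__ == "__main__":
    rotated = "/var/log/silk/flowcap-20210104.log"  # constructed path
    # constructed, hypothetical archive command for the demonstration
    print(post_rotate_argv("/usr/local/sbin/archive-log --path=%s --quota=100%%", rotated))
```

Because a bad escape is a hard error at rotation time (and, per the option text, an exit), validate the command string with expand_post_rotate() against a dummy path before deploying a new --log-post-rotate value rather than discovering the typo at midnight.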


Environment Variables

When set to 1, flowcap writes messages to the log file describing each IPFIX and NetFlow v9 template it receives. This is equivalent to adding "show-templates" to the "log-flags" setting for each probe in the sensor.conf file. See the sensor.conf(5) manual page for the format of these messages. Since SiLK 3.8.2.

When set to 1, flowcap disables all warning messages generated by libfixbuf. These warning messages include out-of-sequence packets, data records not having a corresponding template, record count discrepancies, and issues decoding list elements. Since SiLK 3.10.0.


Files

Sensor configuration file: its location must be specified by the --sensor-configuration switch. This file specifies probe blocks that tell flowcap how to capture data. The syntax of this file is described in the sensor.conf(5) manual page.


See Also

sensor.conf(5), rwflowpack(8), rwsender(8), rwreceiver(8), silk(7), yaf(1), syslog(3), zlib(3), gzip(1), SiLK Installation Handbook


