|Specify the host and port that the accounting datagrams are to be sent to. The host may be specified using a hostname or using a numeric IPv4 or IPv6 address. Numeric IPv6 addresses should be encosed in square brackets to avoid ambiguity between the address and the port. The destination port may be a portname listed in services(5) or a numeric port.|
|Specify a network interface on which to listen for traffic. Either the -i or the -r options must be specified.|
|Specify that softflowd should read from a pcap(3) packet capture (such as one created with the -w option of tcpdump(8)) file rather than a network interface. softflowd processes the whole capture file and only expires flows when max_flows is exceeded. In this mode, softflowd will not fork and will automatically print summary statistics before exiting.|
|Specify an alternate location to store the process-id when in daemon mode. Default is /var/run/softflowd.pid|
|Specify an alternate location for the remote control socket in daemon mode. Default is /var/run/softflowd.pid|
|Specifies the maximum number of flow to concurrently track. If this limit is exceeded, the flows which have least recently seen traffic are forcibly expired. In practice, the actual maximum may briefly exceed this limit by a small amount as expiry processing happens less frequently than traffic collection. The default is 8192 flows, which corresponds to slightly less than 800k of working data.|
|Set the timeout names timeout_name to time Refer to the Timeouts section for the valid timeout names and their meanings. The time parameter may be specified using one of the formats explained in the Time Formats section below.|
|-d||Specify that softflowd should not fork and daemonise itself.|
|-6||Forces softflowd To track IPv6 flows even if the NetFlow export protocol does not support reporting them. This is useful for debugging and statistics gathering only.|
|-D||Places softflowd in a debugging mode. This implies the -d and -6 flags and turns on additional debugging output.|
|-h||Displays commandline usage information.|
|Sets the IPv4 TTL or the IPv6 hop limit to hoplimit. softflowd will use the default system TTL when exporting flows to a unicast host. When exporting to a multicast group, the default TTL will be 1 (i.e. link-local).|
|Specifies what flow elements softflowd should be used to define a flow. track_level may be one of: "full" (track everything in the flow, the default), "proto" (track source and destination addresses and protocol), or "ip" (only track source and destination addresses). Selecting either of the latter options will produce flows with less information in them (e.g. TCP/UDP ports will not be recorded). This will cause flows to be consolidated, reducing the quantity of output and CPU load that softflowd will place on the system at the cost of some detail.|
Any further commandline arguments will be concatenated together and applied as a bpf(4) packet filter. This filter will cause softflowd to ignore the specified traffic.
softflowd will expire quiescent flows after user-configurable periods. The exact timeout used depends on the nature of the flow. The various timeouts that may be set from the command-line (using the -t option) and their meanings are:
general This is the general timeout applied to all traffic unless overridden by one of the other timeouts. tcp This is the general TCP timeout, applied to open TCP connections. tcp.rst This timeout is applied to a TCP connection when a RST packet has been sent by one or both endpoints. tcp.fin This timeout is applied to a TCP connection when a FIN packet has been sent by both endpoints. udp This is the general UDP timeout, applied to all UDP connections. maxlife This is the maximum lifetime that a flow may exist for. All flows are forcibly expired when they pass maxlife seconds. To disable this feature, specify a maxlife of 0. expint Specify the interval between expiry checks. Increase this to group more flows into a NetFlow packet. To disable this feature, specify a expint of 0.
Flows may also be expired if there are not enough flow entries to hold them or if their traffic exceeds 2Gb in either direction. softflowctl(8) may be used to print information on the average lifetimes of flows and the reasons for their expiry.
softflowd command-line arguments that specify time may be expressed using a sequence of the form:
.Sm off time [qualifier],
.Sm on where time is a positive integer value and qualifier is one of the following:
<none> seconds s | S seconds m | M minutes h | H hours d | D days w | W weeks
Each member of the sequence is added together to calculate the total time value.
Time format examples:
600 600 seconds (10 minutes) 10m 10 minutes 1h30m 1 hour 30 minutes (90 minutes)
A daemonised softflowd instance may be controlled using the softflowctl(8) command. This interface allows one to shut down the daemon, force expiry of all tracked flows and extract debugging and summary data. Also, upon receipt of a SIGTERM or softflowd will cause softflowd to exit, after expiring all flows (and thus sending flow export packets if --n was specified on the commandline). If you do not want to export flows upon shutdown, clear them first with softflowctl(8).
softflowd -i fxp0 This commandlie will cause softflowd to listen on interface fxp0 and to run in statistics gathering mode only (i.e no NetFlow data export). softflowd -i fxp0 -n10.1.0.2:4432 This commandlie will cause softflowd to listen on interface fxp0 and to export NetFlow v.5 datagrams on flow expiry to a flow collector running on 10.1.0.2 port 4432. softflowd -v 5 -i fxp0 -n10.1.0.2:4432 -m 65536 -t udp=1m30s This commandline increases the number of concurrent flows that softflowd will track to 65536 and increases the timeout for UDP flows to 90 seconds. softflowd -v 9 -i fxp0 -n220.127.116.11:4432 -L 64 This commandline will export NetFlow v.9 flows to the multicast group 18.104.22.168. The export datagrams will have their TTL set to 64, so multicast receivers can be many hops away. softflowd -i fxp0 -p /var/run/sfd.pid.fxp0 -c /var/run/sfd.ctl.fxp0 This commandline specifies alternate locations for the control socket and pid file. Similar commandlines are useful when running multiple instances of softflowd on a single machine.
/var/run/softflowd.pid This file stores the process-id when softflowd is in daemon mode. This location may be overridden using the -p command-line option. /var/run/softflowd.ctl This is the remote control socket. softflowd listens on this socket for commands from softflowctl 8. This location may be overridden using the -c command-line option.
Currently softflowd does not handle maliciously fragmented packets properly, i.e. packets fragemented such that the UDP or TCP header does not fit into the first fragment. It will product correct traffic counts when presented with maliciously fragmented packets, but will not record TCP or UDP port information.
Damien Miller <firstname.lastname@example.org>
softflowctl(8), tcpdump(8), pcap(3), bpf(4)