Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  TRAFD (8)


trafd - ip traffic collector daemon.

  - Script to dump current traffic to disk.
  - Script to save current traffic to disk.
  - Startup script for trafd.
  - Shutgown script for trafd.
  - Start/stop script for trafd, placed to the 'local startup directory' ( */rc.d).


     Warnings and recommendations.
Exit Status
See Also


trafd [-dOprVX] [-c count] [-i iface] [-f ext] [ -F file | expr ]

trafdump [All | iface [...]] trafsave [All | iface [...]] trafstart [All | iface [...]] trafstop [All | iface [...]] start | stop


Trafd daemon listen specified interface and summ all ip packet sizes and sub-protocol data frame length (tcp, udp, icmp, igmp and other, listed in /etc/protocols protocols(5), or, if sub-protocol unknown, ip data frame length).

Trafd use Berkeley Packet Filter mechanism: open pseudo-device /dev/bpf* (see bpf(4)), read from it all ip packets and store into internal table following information:

  • source hostname or ip address
  • source ip port name or number (not stored with -X option)
  • destination hostname or ip address
  • destination ip port name or number (not stored with -X option)
  • protocol name
  • protocol data frame length
  • ip packet length (this is ip traffic value)

trafd store buffer to 'dump' file on the SIGHUP signal (used in trafdump script). Also it append traffic table to 'save' file and clear table where received the SIGINT signal (this used in trafsave script).

trafd records its process ID in the file /var/run/trafd.<iface> to assist dumping, saving and quitting.


Trafd is full-blooded daemon. After run it self-detached from the tty and running in background.

Good idea is using startup script for launch trafd in boot time. This method implemented in, using the rc.d mechanism (see /usr/local/etc/

Into BPFT programs set also included two scripts: trafstart and trafstop (see /usr/local/bin/trafstart and /usr/local/bin/trafstop).


trafd use the system logger daemon syslogd (see syslogd(8)) for the logging various information.

Thus, it use options LOG_PID for log the process id and LOG_CONS for if cannot pass the message to syslogd it will attempt to write the message to console, use facility 'daemon' and levels 'info', 'notice', 'warning' and 'error'. (Facility defined in include/traffic.h, see SYSLOG_FACILITY.)

If you want additional information about condition of your daemon, i.e. what is it doing and how do it do, then you should set syslog message level in your syslog.conf up to ’info’.

    Warnings and recommendations.

Before use of the trafd make sure that bpf support included into kernel and device /dev/bpf0( /dev/bpf1, ...) is exist (analogous requrements to the tcpdump, see tcpdump(1)).

You must launch trafd from root or other user with writing right to /dev/bpf* devices.

We recomend: more often invoke trafdump via cron (see cron(8)) to avoid loss data as a result of system crash and invoke trafsave one per day (for example, using periodic (see periodic(8)) or /etc/daily.local) to have log file aligment by days. Log file is binary file with little size, average size per day approximate to several kilobytes.

Configure syslogd for collect trafd messages into /var/log/trafd.log (common for trafstart & other scripts), for example:


    *.* /var/log/trafd.log

After system crash (power drop & etc) need remove PID file: insert into one of the startup scripts (usually rc.local) line like this:

    rm /var/run/trafd.ed1


-c count
  Collate count number of packets and exit.
-i iface
  Interface name to listen. Current supported types: ethernet, slip, ppp, loopback (see details in pcap(3) and tcpdump(1) man pages). See also ENVIRONMENT section of this man page.
-f ext Specify extension for traffic save & dump files (interface name by default).
-d Print compiled packet-matching code and exit (see tcpdump(1) for details).
-F file
  File with packet filter expression.
-m minsize
  Minimal record summary size for save into file with collected traffic via trafsave. Records with values less minsize in the ’all’ field summ to one and saved to last record (for decrease file size). Default value is 1024 bytes.
-O Turn off the packet-matching code optimizer (see pcap(3) for details).
-p Don’t put the interface into promiscuous mode (don’t effect to point-to point links, effected to the ethernet).
-r Attempt to resume data from dumped file if exist.
-V Print version number and exit.
-X Use only ip information (don’t store ports and protocol, store ip data frame lenght in the 'Data' field).
expr Packet filter expression (see tcpdump(1) for details).


1 Error (file not found, permissions denied & etc.)
0 Normal program complete: daemon started.
127 Illegal command line parameter(s).


SIGHUP Backup collected traffic records into dump file.
SIGINT Append collected traffic records into save file.
  Backup traffic and exit.


  Set the name of the network interface for listen, same as '-i iface' and -i overwrite it’s value.


  Log file for trafstart, trafstop and
  Files with saved traffic statistic tables (binary).
  Files with traffic dumps (binary).
  Sockets for send data to trafstatd & etc. This files may be deleted at boot-time tmp cleaning process
  Trafd PID files



Version 4.0 of the trafd store traffic information in incompatible format with previous versions. (Hoverer if trafd compiled with #define LAYOUT=OLD then it use compatible with previous version format).

Tested on: BSDI BSD/386 1.0 ( BPFT versions 1.0-2.0),
.Fx 2.2.8 ( BPFT version 2.0),
.Fx 3.0 and above,
.Fx 4.0 and above (BPFT version 3.0 and above).

BPFT versions 3.*, 4.* work only on
.Fx 3.0 and above: requred library pcap (see pcap(3)) don’t present in previous versions of the
.Fx .


traflog(1), trafstatd(8), trafstat(1), trafshow(1), bpf(4).


.An Vladimir Vorobyev Aq

    autor of the BPFT project, versions 1.0..2.0

.An Vitaly V. Belekhov Aq

    3.0 release

.An Stas Degteff Aq

    4.0 release, man pages


If trafd run on the slow, very busy computer or very fast ip channel then it can’t read all packets from kernel and some packets is dropped. Trafd check this on each dump/save event and store dropped packets quantity to log (if to sislog’s then write on 'error' level).
Search for    or go to Top of page |  Section 8 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.