GSP
Quick Navigator
Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
TRAFD(8) FreeBSD System Manager's Manual TRAFD(8)

trafd
ip traffic collector daemon.

trafdump
Script to dump current traffic to disk.
trafsave
Script to save current traffic to disk.
trafstart
Startup script for trafd.
trafstop
Shutgown script for trafd.
trafd.sh
Start/stop script for trafd, placed to the ‘local startup directory’ (*/rc.d).

trafd [-dOprVX] [-c count] [-i iface] [-f ext] [-F file | expr]


trafdump [All | iface [...]]

trafsave [All | iface [...]]

trafstart [All | iface [...]]

trafstop [All | iface [...]]

trafd.sh start | stop

Trafd daemon listen specified interface and summ all ip packet sizes and sub-protocol data frame length (tcp, udp, icmp, igmp and other, listed in /etc/protocols protocols(5), or, if sub-protocol unknown, ip data frame length).

Trafd use Berkeley Packet Filter mechanism: open pseudo-device /dev/bpf* (see bpf(4)), read from it all ip packets and store into internal table following information:

  • source hostname or ip address
  • source ip port name or number (not stored with -X option)
  • destination hostname or ip address
  • destination ip port name or number (not stored with -X option)
  • protocol name
  • protocol data frame length
  • ip packet length (this is ip traffic value)

trafd store buffer to ‘dump’ file on the SIGHUP signal (used in trafdump script). Also it append traffic table to ‘save’ file and clear table where received the SIGINT signal (this used in trafsave script).

trafd records its process ID in the file /var/run/trafd.<iface> to assist dumping, saving and quitting.

Trafd is full-blooded daemon. After run it self-detached from the tty and running in background.

Good idea is using startup script for launch trafd in boot time. This method implemented in trafd.sh, using the rc.d mechanism (see /usr/local/etc/trafd.sh).

Into BPFT programs set also included two scripts: trafstart and trafstop (see /usr/local/bin/trafstart and /usr/local/bin/trafstop).

trafd use the system logger daemon syslogd (see syslogd(8)) for the logging various information.

Thus, it use options LOG_PID for log the process id and LOG_CONS for if cannot pass the message to syslogd it will attempt to write the message to console, use facility ‘daemon’ and levels ‘info’, ‘notice’, ‘warning’ and ‘error’. (Facility defined in include/traffic.h, see SYSLOG_FACILITY.)

If you want additional information about condition of your daemon, i.e. what is it doing and how do it do, then you should set syslog message level in your syslog.conf up to 'info'.

Before use of the trafd make sure that bpf support included into kernel and device /dev/bpf0 (/dev/bpf1, ...) is exist (analogous requrements to the tcpdump, see tcpdump(1)).

You must launch trafd from root or other user with writing right to /dev/bpf* devices.

We recomend: more often invoke trafdump via cron (see cron(8)) to avoid loss data as a result of system crash and invoke trafsave one per day (for example, using periodic (see periodic(8)) or /etc/daily.local) to have log file aligment by days. Log file is binary file with little size, average size per day approximate to several kilobytes.

Configure syslogd for collect trafd messages into /var/log/trafd.log (common for trafstart & other scripts), for example:

!trafd
*.* /var/log/trafd.log

After system crash (power drop & etc) need remove PID file: insert into one of the startup scripts (usually rc.local) line like this:

rm /var/run/trafd.ed1

count
Collate count number of packets and exit.
iface
Interface name to listen. Current supported types: ethernet, slip, ppp, loopback (see details in pcap(3) and tcpdump(1) man pages). See also ENVIRONMENT section of this man page.
ext
Specify extension for traffic save & dump files (interface name by default).
Print compiled packet-matching code and exit (see tcpdump(1) for details).
file
File with packet filter expression.
minsize
Minimal record summary size for save into file with collected traffic via trafsave. Records with values less minsize in the 'all' field summ to one and saved to last record (for decrease file size). Default value is 1024 bytes.
Turn off the packet-matching code optimizer (see pcap(3) for details).
Don't put the interface into promiscuous mode (don't effect to point-to point links, effected to the ethernet).
Attempt to resume data from dumped file if exist.
Print version number and exit.
Use only ip information (don't store ports and protocol, store ip data frame lenght in the ‘Data’ field).
expr
Packet filter expression (see tcpdump(1) for details).

1
Error (file not found, permissions denied & etc.)
0
Normal program complete: daemon started.
127
Illegal command line parameter(s).

SIGHUP
Backup collected traffic records into dump file.
SIGINT
Append collected traffic records into save file.
SIGTERM
 
SIGQUIT
Backup traffic and exit.

Set the name of the network interface for listen, same as ‘-i iface’ and -i overwrite it's value.

/var/log/trafd.log
Log file for trafstart, trafstop and trafd.sh
/var/trafd/trafd.*
Files with saved traffic statistic tables (binary).
/var/trafd/tmp/trafd.*
Files with traffic dumps (binary).
/var/tmp/trafd.*
Sockets for send data to trafstatd & etc. This files may be deleted at boot-time tmp cleaning process
/var/run/trafd.*
Trafd PID files

Version 4.0 of the trafd store traffic information in incompatible format with previous versions. (Hoverer if trafd compiled with #define LAYOUT=OLD then it use compatible with previous version format).

Tested on: BSDI BSD/386 1.0 (BPFT versions 1.0-2.0), FreeBSD 2.2.8 (BPFT version 2.0), FreeBSD 3.0 and above, FreeBSD 4.0 and above (BPFT version 3.0 and above).

BPFT versions 3.*, 4.* work only on FreeBSD 3.0 and above: requred library pcap (see pcap(3)) don't present in previous versions of the FreeBSD.

traflog(1), trafstatd(8), trafstat(1), trafshow(1), bpf(4).

Vladimir Vorobyev ⟨bob@turbo.nsk.su⟩
autor of the BPFT project, versions 1.0..2.0

Vitaly V. Belekhov ⟨vitaly@riss-telecom.ru⟩
3.0 release

Stas Degteff ⟨g@grumbler.org⟩
4.0 release, man pages

If trafd run on the slow, very busy computer or very fast ip channel then it can't read all packets from kernel and some packets is dropped. Trafd check this on each dump/save event and store dropped packets quantity to log (if to sislog's then write on ‘error’ level).
September 11, 2001 FreeBSD 13.1-RELEASE
Search for    or go to Top of page |  Section 8 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.