.\" $OpenBSD: pflow.4,v 1.9 2008/10/29 14:49:39 jmc Exp $
.\"
.\" Copyright (c) 2008 Henning Brauer <henning@openbsd.org>
.\" Copyright (c) 2008 Joerg Goltermann <jg@osn.de>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: October 29 2008 $
.Dt PFLOW 4
.Os
.Sh NAME
.Nm pflow
.Nd kernel interface for pflow data export
.Sh SYNOPSIS
.Cd "pseudo-device pflow"
.Sh DESCRIPTION
The
.Nm
interface is a pseudo-device which exports
.Nm
accounting data from the kernel using
.Xr udp 4
packets.
.Nm
is compatible with netflow v5.
The data is extracted from the
.Xr pf 4
state table.
.Pp
Multiple
.Nm
interfaces can be created at runtime using the
.Ic ifconfig pflow Ns Ar N Ic create
command.
Each interface must be configured with a flow receiver IP address and
port number.
.Pp
Only states created by a rule marked with the
.Ar pflow
keyword are exported by the
.Nm
interface.
.Pp
The
.Nm
interface will attempt to export multiple
.Nm
records in one
UDP packet, but will not hold a record for longer than 30 seconds.
The packet size and thus the maximum number of flows is controlled by the
.Cm mtu
parameter of
.Xr ifconfig 8 .
.Pp
Each packet seen on this interface has one header and a variable number of
flows.
The header indicates the version of the protocol, number of
flows in the packet, a unique sequence number, system time, and an engine
ID and type.
Header and flow structs are defined in
.Aq Pa net/if_pflow.h .
.Pp
There is a one-to-one correspondence between packets seen by
.Xr bpf 4
on the
.Nm
interface and packets sent out to the flow receiver.
That is, a packet with 30 flows on
.Nm
means that the same 30 flows were sent out to the receiver.
.Pp
The
.Nm
source and destination addresses are controlled by
.Xr ifconfig 8 .
.Cm flowsrc
is the sender IP address of the UDP packet which can be used
to identify the source of the data on the
.Nm
collector.
.Cm flowdst
defines the collector IP address and the port.
The
.Cm flowdst
IP address and port must be defined to enable the export of flows.
.Pp
For example, the following command sets 10.0.0.1 as the source
and 10.0.0.2:1234 as destination:
.Bd -literal -offset indent
# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234
.Ed
.Sh SEE ALSO
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr udp 4 ,
.Xr pf.conf 5 ,
.Xr ifconfig 8 ,
.Xr tcpdump 8
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 4.5 .
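.Sh EXAMPLES
The following collector-side check is an added example, not part of the original manual page or of the pflow source: it validates one exported datagram (sender address, version, flow count, length) before trusting its flows.
The field layout is the standard netflow v5 one, assumed here because the authoritative structs are in net/if_pflow.h; parse_pflow, build_sample and the sample flow are constructed for illustration.

```python
import socket
import struct

# Standard netflow v5 sizes (assumed; pflow's own structs are in net/if_pflow.h).
HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte header
REC = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte flow record
MAX_FLOWS = 30                                    # v5 limit per datagram


def parse_pflow(datagram, sender_ip, expected_flowsrc):
    """Return (header, flows); raise ValueError for datagrams to drop."""
    # UDP is unauthenticated: accept only the configured flowsrc address.
    if sender_ip != expected_flowsrc:
        raise ValueError("unexpected sender %s" % sender_ip)
    if len(datagram) < HDR.size:
        raise ValueError("short header")
    (version, count, _uptime_ms, unix_secs, _unix_nsecs,
     sequence, engine_type, engine_id, _sampling) = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError("not netflow v5: version %d" % version)
    if not 1 <= count <= MAX_FLOWS:
        raise ValueError("bad flow count %d" % count)
    # The header's count must account for every byte of the payload.
    if len(datagram) != HDR.size + count * REC.size:
        raise ValueError("length does not match flow count")
    header = {"count": count, "sequence": sequence, "unix_secs": unix_secs,
              "engine_type": engine_type, "engine_id": engine_id}
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _if_in, _if_out, pkts, octets, _first, _last,
         sport, dport, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask) = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags})
    return header, flows


def build_sample():
    """Constructed sample: one TCP flow 192.0.2.10:51515 -> 198.51.100.7:443."""
    hdr = HDR.pack(5, 1, 1000, 1225291779, 0, 42, 0, 0, 0)
    rec = REC.pack(socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
                   b"\0" * 4, 0, 0, 12, 3400, 100, 900, 51515, 443,
                   0x1B, 6, 0, 0, 0, 0, 0)
    return hdr + rec
```

A collector would call parse_pflow on each datagram received on the flowdst port, passing the UDP source address and the flowsrc value configured on the exporter.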