1.\" $OpenBSD: pflow.4,v 1.19 2014/03/29 11:26:03 florian Exp $2.\"3.\" Copyright (c) 2008 Henning Brauer <henning@openbsd.org>4.\" Copyright (c) 2008 Joerg Goltermann <jg@osn.de>5.\"6.\" Permission to use, copy, modify, and distribute this software for any7.\" purpose with or without fee is hereby granted, provided that the above8.\" copyright notice and this permission notice appear in all copies.9.\"10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.17.\"18.Dd $Mdocdate: March 29 2014 $19.Dt PFLOW 420.Os21.Sh NAME22.Nm pflow23.Nd kernel interface for pflow data export24.Sh SYNOPSIS25.Cd "pseudo-device pflow"26.Sh DESCRIPTION27The28.Nm29interface is a pseudo-device which exports30.Nm31accounting data from the kernel using32.Xrudp 433packets.34.Nm35is compatible with netflow version 5 and IPFIX (10).36The data is extracted from the37.Xrpf 438state table.39.Pp40Multiple41.Nm42interfaces can be created at runtime using the43.Ic ifconfig pflow Ns Ar N Ic create44command.45Each interface must be configured with a flow receiver IP address46and a flow receiver port number.47.Pp48Only states created by a rule marked with the49.Ar pflow50keyword are exported by the51.Nm52interface.53.Pp54The55.Nm56interface will attempt to export multiple57.Nm58records in one59UDP packet, but will not hold a record for longer than 30 seconds.60The packet size and thus the maximum number of flows is controlled by the61.Cm mtu62parameter of63.Xrifconfig 8 .64.Pp65Each packet seen on this interface has one header and a variable number of66flows.67The header indicates the version of the protocol, number of68flows in the packet, a unique sequence number, system time, and an engine69ID and type.70Header and flow structs are defined in71.Innet/if_pflow.h .72.Pp73There is a one-to-one correspondence between packets seen by74.Xrbpf 475on the76.Nm77interface and packets sent out to the flow receiver.78That is, a packet with 30 flows on79.Nm80means that the same 30 flows were sent out to the receiver.81.Pp82The83.Nm84source and destination addresses are controlled by85.Xrifconfig 8 .86.Cm flowsrc87is the sender IP address of the UDP packet which can be used88to identify the source of the data on the89.Nm90collector.91.Cm flowdst92defines the collector IP address and the port.93The94.Cm flowdst95IP address and port must be defined to enable the export of flows.96.Pp97For example, the following command sets 10.0.0.1 as the source98and 10.0.0.2:1234 as destination:99.Bd -literal -offset indent100# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234101.Ed102.Pp103The protocol is set to IPFIX with the following command:104.Bd -literal -offset indent105# ifconfig pflow0 pflowproto 10106.Ed107.Sh SEE ALSO108.Xrnetintro 4 ,109.Xrpf 4 ,110.Xrudp 4 ,111.Xrpf.conf 5 ,112.Xrifconfig 8 ,113.Xrtcpdump 8114.Sh STANDARDS115.Rs116.%A B. Claise117.%D January 2008118.%R RFC 5101119.%T "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information"120.Re121.Sh HISTORY122The123.Nm124device first appeared in125.Ox 4.5 .126.Sh BUGS127A state created by128.Xrpfsync 4129can have a creation or expiration time before the machine came up.130In this case,131.Nm132pretends such flows were created or expired when the machine came up.133.Pp134The IPFIX implementation is incomplete:135The required transport protocol SCTP is not supported.136Transport over TCP and DTLS protected flow export is also not supported.137