.\" $OpenBSD: pflow.4,v 1.19 2014/03/29 11:26:03 florian Exp $
.\"
.\" Copyright (c) 2008 Henning Brauer <henning@openbsd.org>
.\" Copyright (c) 2008 Joerg Goltermann <jg@osn.de>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: March 29 2014 $
.Dt PFLOW 4
.Os
.Sh NAME
.Nm pflow
.Nd kernel interface for pflow data export
.Sh SYNOPSIS
.Cd "pseudo-device pflow"
.Sh DESCRIPTION
The
.Nm
interface is a pseudo-device which exports
.Nm
accounting data from the kernel using
.Xr udp 4
packets.
.Nm
is compatible with netflow version 5 and IPFIX (10).
The data is extracted from the
.Xr pf 4
state table.
.Pp
Multiple
.Nm
interfaces can be created at runtime using the
.Ic ifconfig pflow Ns Ar N Ic create
command.
Each interface must be configured with a flow receiver IP address
and a flow receiver port number.
.Pp
Only states created by a rule marked with the
.Ar pflow
keyword are exported by the
.Nm
interface.
.Pp
The
.Nm
interface will attempt to export multiple
.Nm
records in one
UDP packet, but will not hold a record for longer than 30 seconds.
The packet size and thus the maximum number of flows is controlled by the
.Cm mtu
parameter of
.Xr ifconfig 8 .
.Pp
Each packet seen on this interface has one header and a variable number of
flows.
The header indicates the version of the protocol, number of
flows in the packet, a unique sequence number, system time, and an engine
ID and type.
Header and flow structs are defined in
.In net/if_pflow.h .
.Pp
There is a one-to-one correspondence between packets seen by
.Xr bpf 4
on the
.Nm
interface and packets sent out to the flow receiver.
That is, a packet with 30 flows on
.Nm
means that the same 30 flows were sent out to the receiver.
.Pp
The
.Nm
source and destination addresses are controlled by
.Xr ifconfig 8 .
.Cm flowsrc
is the sender IP address of the UDP packet which can be used
to identify the source of the data on the
.Nm
collector.
.Cm flowdst
defines the collector IP address and the port.
The
.Cm flowdst
IP address and port must be defined to enable the export of flows.
.Pp
For example, the following command sets 10.0.0.1 as the source
and 10.0.0.2:1234 as destination:
.Bd -literal -offset indent
# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234
.Ed
.Pp
The protocol is set to IPFIX with the following command:
.Bd -literal -offset indent
# ifconfig pflow0 pflowproto 10
.Ed
.Sh SEE ALSO
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr udp 4 ,
.Xr pf.conf 5 ,
.Xr ifconfig 8 ,
.Xr tcpdump 8
.Sh STANDARDS
.Rs
.%A B. Claise
.%D January 2008
.%R RFC 5101
.%T "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information"
.Re
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 4.5 .
.Sh BUGS
A state created by
.Xr pfsync 4
can have a creation or expiration time before the machine came up.
In this case,
.Nm
pretends such flows were created or expired when the machine came up.
.Pp
The IPFIX implementation is incomplete:
The required transport protocol SCTP is not supported.
Transport over TCP and DTLS protected flow export is also not supported.
137