PFLOW(4) OpenBSD Programmer's Manual PFLOW(4)
NAME
pflow - kernel interface for pflow data export
SYNOPSIS
pseudo-device pflow
DESCRIPTION
The pflow interface is a pseudo-device which exports pflow accounting
data from the kernel using udp(4) packets. pflow is compatible with
netflow v5. The data is extracted from the pf(4) state table.
Multiple pflow interfaces can be created at runtime using the ifconfig
pflowN create command. Each interface must be configured with a flow
receiver IP address and port number.
Only states created by a rule marked with the pflow keyword are exported
by the pflow interface.
The pflow interface will attempt to export multiple pflow records in one
UDP packet, but will not hold a record for longer than 30 seconds. The
packet size and thus the maximum number of flows is controlled by the mtu
parameter of ifconfig(8).
Each packet seen on this interface has one header and a variable number
of flows. The header indicates the version of the protocol, number of
flows in the packet, a unique sequence number, system time, and an engine
ID and type. Header and flow structs are defined in <net/if_pflow.h>.
There is a one-to-one correspondence between packets seen by bpf(4) on
the pflow interface and packets sent out to the flow receiver. That is,
a packet with 30 flows on pflow means that the same 30 flows were sent
out to the receiver.
The pflow source and destination addresses are controlled by ifconfig(8).
flowsrc is the sender IP address of the UDP packet which can be used to
identify the source of the data on the pflow collector. flowdst defines
the collector IP address and the port. The flowdst IP address and port
must be defined to enable the export of flows.
For example, the following command sets 10.0.0.1 as the source and
10.0.0.2:1234 as destination:
# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234
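The collector side of the export described above, as an added example that is not part of the original manual page: it accepts a datagram only from the configured flowsrc address, checks that its length matches the flow count in the header, and decodes the flows. The field layout is assumed from the public NetFlow v5 format (the authoritative structs are in <net/if_pflow.h>), and parse_pflow, build_sample and the sample addresses are hypothetical names and constructed values.

```python
import ipaddress
import struct

# Layout assumed from the public NetFlow v5 format, not copied from
# <net/if_pflow.h>; padding/reserved bytes are skipped with "x".
HEADER = struct.Struct("!HHIIIIBB2x")                # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")  # 48 bytes

def parse_pflow(datagram, peer_ip, expected_src):
    """Validate and decode one export datagram; raise ValueError if malformed."""
    if peer_ip != expected_src:
        raise ValueError(f"datagram from {peer_ip}, expected flowsrc {expected_src}")
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, _uptime, secs, _nsecs, seq, etype, eid = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported version {version}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the header's flow count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "sport": f[9], "dport": f[10], "proto": f[12],
            "packets": f[5], "octets": f[6],
        })
    header = {"count": count, "sequence": seq, "unix_secs": secs,
              "engine_type": etype, "engine_id": eid}
    return header, flows

def build_sample():
    """Constructed sample: one header and one TCP flow to port 443."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    hdr = HEADER.pack(5, 1, 1000, 1259280000, 0, 1, 0, 0)
    rec = RECORD.pack(ip("192.0.2.10"), ip("198.51.100.5"), ip("0.0.0.0"),
                      0, 0, 12, 3400, 100, 900, 51000, 443, 0x1B, 6, 0, 0, 0, 0, 0)
    return hdr + rec

if __name__ == "__main__":
    print(parse_pflow(build_sample(), "10.0.0.1", "10.0.0.1"))
```

The source-address check only filters misdirected traffic: the export is plain UDP with no authentication, so the path between exporter and collector still needs to be trusted or protected.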
SEE ALSO
netintro(4), pf(4), udp(4), pf.conf(5), ifconfig(8), tcpdump(8)
HISTORY
The pflow device first appeared in OpenBSD 4.5.
OpenBSD 4.9 November 27, 2009 OpenBSD 4.9