92 lines
2.7 KiB
Groff
Executable File
92 lines
2.7 KiB
Groff
Executable File
.TH nfreplay 1 2009\-09\-09 "" ""
|
|
.SH NAME
|
|
nfreplay \- netflow replay program
|
|
.SH SYNOPSIS
|
|
.HP 5
|
|
.B nfreplay [options] [filter]
|
|
.SH DESCRIPTION
|
|
.B nfreplay
|
|
is the netflow replay program of the nfdump tool set.
|
|
It reads data from files stored by nfcapd and sents the netflow
|
|
data to a host or a multicat group. The filter syntax is equivalent
|
|
to nfdump. If a filter is supplied, only the matching flows are sent.
|
|
See the nfdump(1) man page for a detailed description of the filter
|
|
syntax. All records are sent as netflow version 5.
|
|
|
|
.SH OPTIONS
|
|
.TP 3
|
|
.B -H \fIremotehost
|
|
Send all flows to this remote host. Accepts a symbolic name or a IPv4/IPv6
|
|
IP address. Defaults to IPv4 localhost 127.0.0.1.
|
|
.TP 3
|
|
.B -j \fImcastgroup
|
|
Join this multicast group and send all flows to this group host. Accepts a
|
|
symbolic name or multicast IPv4/IPv6 IP address.
|
|
.TP 3
|
|
.B -p \fIport
|
|
Send all flows to this port on the remote side. Default is 9995.
|
|
.TP 3
|
|
.B -4
|
|
Forces nfreplay to send flows to a IPv4 address only. Can be used together with \-i
|
|
if the remote host has an IPv4 and IPv6 address record.
|
|
.TP 3
|
|
.B -6
|
|
Forces nfreplay to send flows to a IPv6 address only. Can be used together with \-i
|
|
if the remote host has an IPv4 and IPv6 address record.
|
|
.TP 3
|
|
.B -v \fInum
|
|
Send flows as netflow version \fInum\fR. \fB5\fR and \fB9\fR are supported. The
|
|
default is sending the flows as netflow version 5. In version 5 mode, IPv6 flows,
|
|
are skipped and 64bit counters are truncated to 32bit.
|
|
.TP 3
|
|
.B -d \fIusec
|
|
Delay each record by \fIusec\fR mirco seconds, to avoid overrun on the remote
|
|
side. Default is 10.
|
|
.TP 3
|
|
.B -b \fIbuffersize
|
|
Set send buffer size in bytes. Useful for large data to transfer. Default is
|
|
system dependent.
|
|
.TP 3
|
|
.B -r \fIinputfile
|
|
Read input data from \fIinputfile\fR. Default is read from stdin.
|
|
.TP 3
|
|
.B -t \fItimewin
|
|
Send only flows, which fall in the time window \fItimewin\fR, where
|
|
\fItimewin\fR is YYYY/MM/dd.hh:mm:ss[\-YYYY/MM/dd.hh:mm:ss]. Any parts of
|
|
the time spec may be omitted e.g YYYY/MM/dd expands to
|
|
YYYY/MM/dd.00:00:00\-YYYY/MM/dd.23:59:59 and sends all flow from a
|
|
given day.
|
|
.TP 3
|
|
.B -z \fInum
|
|
Flows are sent with their "real distribution" acrross time (with a speed coefficient)
|
|
-z 1 : 5 minutes of records will be sent in 5 minutes.
|
|
-z 20 : 5 minutes of record will be sent in 5/20 = 0.25 minutes.
|
|
.TP 3
|
|
.B -c \fInum
|
|
Limit number of records to send to the first \fInum\fR flows.
|
|
.TP 3
|
|
.B -V
|
|
Print nfreplay version and exit.
|
|
.TP 3
|
|
.B -h
|
|
Print help text on stdout with all options and exit.
|
|
.SH "RETURN VALUE"
|
|
Returns
|
|
.PD 0
|
|
.RS 4
|
|
0 No error. \fn
|
|
.P
|
|
255 Initialization failed.
|
|
.P
|
|
254 Error in filter syntax.
|
|
.P
|
|
250 Internal error.
|
|
.RE
|
|
.PD
|
|
.SH NOTES
|
|
.P
|
|
.SH "SEE ALSO"
|
|
nfcapd(1), nfdump(1), nfprofile(1)
|
|
.SH BUGS
|
|
|