PFLOW(4)                 BSD Kernel Interfaces Manual                 PFLOW(4)

NAME
     pflow -- kernel interface for pflow data export

SYNOPSIS
     pseudo-device pflow

DESCRIPTION
     The pflow interface is a pseudo-device which exports pflow accounting
     data from the kernel using udp(4) packets.  pflow is compatible with
     netflow version 5 and IPFIX (10).  The data is extracted from the pf(4)
     state table.

     Multiple pflow interfaces can be created at runtime using the ifconfig
     pflowN create command.  Each interface must be configured with a flow
     receiver IP address and a flow receiver port number.

     Only states created by a rule marked with the pflow keyword are exported
     by the pflow interface.

     The pflow interface will attempt to export multiple pflow records in one
     UDP packet, but will not hold a record for longer than 30 seconds.  The
     packet size and thus the maximum number of flows is controlled by the mtu
     parameter of ifconfig(8).

     Each packet seen on this interface has one header and a variable number
     of flows.  The header indicates the version of the protocol, number of
     flows in the packet, a unique sequence number, system time, and an engine
     ID and type.  Header and flow structs are defined in <net/if_pflow.h>.

     There is a one-to-one correspondence between packets seen by bpf(4) on
     the pflow interface and packets sent out to the flow receiver.  That is,
     a packet with 30 flows on pflow means that the same 30 flows were sent
     out to the receiver.

     The pflow source and destination addresses are controlled by ifconfig(8).
     flowsrc is the sender IP address of the UDP packet which can be used to
     identify the source of the data on the pflow collector.  flowdst defines
     the collector IP address and the port.  The flowdst IP address and port
     must be defined to enable the export of flows.
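
     The packet layout and flowsrc check described above, as an added example
     (not part of the manual or of OpenBSD): a collector-side Python parser
     for version 5 export datagrams.  The field layout is the standard NetFlow
     v5 one and is an assumption to be compared with <net/if_pflow.h>; the
     function names and sample addresses are hypothetical.

```python
import ipaddress
import struct

# Standard NetFlow v5 wire layout (assumed; compare with <net/if_pflow.h>).
HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")  # 48 bytes per flow

def parse_v5(datagram):
    """Decode one v5 export datagram; raise ValueError if it is malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the export header")
    version, count, _up, secs, _ns, seq, etype, eid, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected version {version}")
    # The header's flow count must account for every byte that follows it.
    if count == 0 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("flow count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nh, _in, _out, pkts, octets, _first, _last, sport, dport,
         flags, proto, _tos, _sas, _das, _sm, _dm) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(ipaddress.ip_address(src)), "sport": sport,
                      "dst": str(ipaddress.ip_address(dst)), "dport": dport,
                      "proto": proto, "tcp_flags": flags,
                      "packets": pkts, "octets": octets})
    return {"sequence": seq, "time_sec": secs, "engine": (etype, eid), "flows": flows}

def accept(datagram, sender_ip, flowsrc):
    """Return the parsed export, or None if it is not from flowsrc or is malformed."""
    if ipaddress.ip_address(sender_ip) != ipaddress.ip_address(flowsrc):
        return None
    try:
        return parse_v5(datagram)
    except ValueError:
        return None

def build_sample(sequence=100):
    """Constructed sample datagram: one header and two TCP flow records."""
    def record(src, dst, sport, dport):
        return RECORD.pack(ipaddress.ip_address(src).packed,
                           ipaddress.ip_address(dst).packed, bytes(4), 0, 0,
                           10, 1200, 0, 500, sport, dport, 0x1B, 6, 0, 0, 0, 0, 0)
    header = HEADER.pack(5, 2, 1000, 1490000000, 0, sequence, 0, 0, 0)
    return (header + record("198.51.100.10", "203.0.113.5", 40000, 443)
            + record("198.51.100.11", "203.0.113.5", 40001, 22))

if __name__ == "__main__":
    print(accept(build_sample(), "192.0.2.1", "192.0.2.1"))
```

     Because the export is plain UDP, the sender address check identifies the
     exporter but does not authenticate it.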

EXAMPLES
     For example, the following command sets as the source and as destination:

           # ifconfig pflow0 flowsrc flowdst

     The protocol is set to IPFIX with the following command:

           # ifconfig pflow0 pflowproto 10

SEE ALSO
     netintro(4), pf(4), udp(4), pf.conf(5), ifconfig(8), tcpdump(8)

STANDARDS
     B. Claise, Specification of the IP Flow Information Export (IPFIX)
     Protocol for the Exchange of IP Traffic Flow Information, RFC 5101,
     January 2008.

HISTORY
     The pflow device first appeared in OpenBSD 4.5.

BUGS
     A state created by pfsync(4) can have a creation or expiration time
     before the machine came up.  In this case, pflow pretends such flows were
     created or expired when the machine came up.

     The IPFIX implementation is incomplete: The required transport protocol
     SCTP is not supported.  Transport over TCP and DTLS protected flow export
     is also not supported.

BSD                             March 24, 2017                             BSD