xref: /freebsd/share/man/man4/pflow.4 (revision f92d9b1aad73fc47f8f0b960808ca2c1a938e9e7)
.\" $OpenBSD: pflow.4,v 1.19 2014/03/29 11:26:03 florian Exp $
.\"
.\" Copyright (c) 2008 Henning Brauer <henning@openbsd.org>
.\" Copyright (c) 2008 Joerg Goltermann <jg@osn.de>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: January 08 2024 $
.Dt PFLOW 4
.Os
.Sh NAME
.Nm pflow
.Nd kernel interface for pflow data export
.Sh SYNOPSIS
.Cd "pseudo-device pflow"
.Sh DESCRIPTION
The
.Nm
subsystem exports
.Nm
accounting data from the kernel using
.Xr udp 4
packets.
.Nm
is compatible with NetFlow version 5 and IPFIX (10).
The data is extracted from the
.Xr pf 4
state table.
.Pp
Multiple
.Nm
interfaces can be created at runtime using the
.Ic pflowctl Ns Ar N Ic -c
command.
Each interface must be configured with a flow receiver IP address
and a flow receiver port number.
.Pp
Only states created by a rule marked with the
.Ar pflow
keyword are exported by
.Nm .
.Pp
.Nm
will attempt to export multiple
.Nm
records in one
UDP packet, but will not hold a record for longer than 30 seconds.
.Pp
Each packet seen on this interface has one header and a variable number of
flows.
The header indicates the version of the protocol, number of
flows in the packet, a unique sequence number, system time, and an engine
ID and type.
Header and flow structs are defined in
.In net/pflow.h .
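.Pp
Because export uses plain UDP, a collector can use the header fields to check each datagram before accepting it.
The following Python code is an added example, not part of pflow: it assumes the standard NetFlow version 5 layout (24-byte header, 48-byte records, at most 30 flows per datagram, sequence number counting flows), and FlowChecker and make_datagram are hypothetical names.

```python
import struct

# Assumption: standard NetFlow v5 layout (24-byte header, 48-byte records);
# the structs pflow actually uses are defined in net/pflow.h.
# Fields: version, count, uptime, sec, nsec, sequence, engine type, engine id, reserved
HDR = struct.Struct("!HHIIIIBBH")
RECORD_LEN = 48
MAX_RECORDS = 30  # NetFlow v5 limit per datagram


class FlowChecker:
    """Sanity-checks datagrams from one exporter and counts flows lost in transit."""

    def __init__(self, exporter_ip):
        self.exporter_ip = exporter_ip  # the address configured with "src"
        self.next_seq = None            # sequence number expected next
        self.lost = 0                   # flows missing according to sequence gaps

    def check(self, sender_ip, data):
        """Return (accepted, note); only accepted datagrams change state."""
        if sender_ip != self.exporter_ip:
            return False, "unexpected sender"
        if len(data) < HDR.size:
            return False, "truncated header"
        version, count, _, _, _, seq, _, _, _ = HDR.unpack_from(data)
        if version != 5:
            return False, "not version 5"
        if not 1 <= count <= MAX_RECORDS:
            return False, "bad flow count"
        if len(data) != HDR.size + count * RECORD_LEN:
            return False, "length does not match flow count"
        note = "ok"
        if self.next_seq is not None and seq != self.next_seq:
            gap = (seq - self.next_seq) % 2**32
            if gap < 2**31:   # forward jump: datagrams were dropped
                self.lost += gap
                note = "gap of %d flows" % gap
            else:             # backward jump: reordering or exporter restart
                note = "sequence went backwards"
        self.next_seq = (seq + count) % 2**32
        return True, note


def make_datagram(seq, count):
    """Constructed sample: a v5 header followed by zero-filled records."""
    return HDR.pack(5, count, 1000, 1700000000, 0, seq, 0, 0, 0) + bytes(count * RECORD_LEN)
```

The sender address check only filters misdirected traffic, since a UDP source address can be forged; the length and count checks are what keep a malformed datagram away from the record parser.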
.Pp
The
.Nm
source and destination addresses are controlled by
.Xr pflowctl 8 .
.Cm src
is the sender IP address of the UDP packet which can be used
to identify the source of the data on the
.Nm
collector.
.Cm dst
defines the collector IP address and the port.
The
.Cm dst
IP address and port must be defined to enable the export of flows.
.Pp
For example, the following command sets 10.0.0.1 as the source
and 10.0.0.2:1234 as destination:
.Bd -literal -offset indent
# pflowctl -s pflow0 src 10.0.0.1 dst 10.0.0.2:1234
.Ed
.Pp
The protocol is set to IPFIX with the following command:
.Bd -literal -offset indent
# pflowctl -s pflow0 proto 10
.Ed
.Sh SEE ALSO
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr udp 4 ,
.Xr pf.conf 5 ,
.Xr pflowctl 8 ,
.Xr tcpdump 8
.Sh STANDARDS
.Rs
.%A B. Claise
.%D January 2008
.%R RFC 5101
.%T "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information"
.Re
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 4.5
and was imported into
FreeBSD 15.0 .
.Sh BUGS
A state created by
.Xr pfsync 4
can have a creation or expiration time before the machine came up.
In this case,
.Nm
pretends such flows were created or expired when the machine came up.
.Pp
The IPFIX implementation is incomplete:
The required transport protocol SCTP is not supported.
Transport over TCP and DTLS protected flow export is also not supported.