|PFLOW(4)||Device Drivers Manual||PFLOW(4)|
The pflow interface is a pseudo-device which exports pflow accounting data from the kernel using udp(4) packets.
pflow is compatible with netflow version 5, 9, and IPFIX (10). The data is extracted from the pf(4) state table.
pflow interfaces can be created
at runtime using the
Each interface must be configured with a flow receiver IP address and port
Only states created by a rule marked with the
pflow keyword are exported by the
pflow interface will attempt to export
pflow records in one UDP packet, but will
not hold a record for longer than 30 seconds. The packet size and thus the
maximum number of flows is controlled by the
Each packet seen on this interface has one header and a variable number of flows. The header indicates the version of the protocol, number of flows in the packet, a unique sequence number, system time, and an engine ID and type. Header and flow structs are defined in ⟨net/if_pflow.h⟩.
There is a one-to-one correspondence between packets seen by
bpf(4) on the
pflow interface and packets sent out to the flow
receiver. That is, a packet with 30 flows on
means that the same 30 flows were sent out to the receiver.
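A collector-side check of the header fields described above, as an added example that is not part of the original manual page or of OpenBSD's code. It assumes the standard NetFlow version 5 wire layout (24-byte header, 48-byte flow records) and the version 5 convention that the sequence number counts flows exported so far; the field and function names are illustrative, and the authoritative structs are those in ⟨net/if_pflow.h⟩.

```python
import struct

# NetFlow v5 wire layout (assumed; pflow's own structs are in <net/if_pflow.h>).
HEADER = struct.Struct("!HHIIIIBBH")   # 24 bytes, network byte order
RECORD_LEN = 48                        # one v5 flow record
MAX_FLOWS = 30                         # v5 limit per datagram

class ExportError(ValueError):
    """Datagram does not look like a well-formed v5 export."""

def parse_header(datagram):
    """Validate one export datagram and return its header fields."""
    if len(datagram) < HEADER.size:
        raise ExportError("short datagram")
    (version, count, uptime_ms, secs, nsecs,
     sequence, engine_type, engine_id, _pad) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ExportError(f"unexpected version {version}")
    if not 1 <= count <= MAX_FLOWS:
        raise ExportError(f"bad flow count {count}")
    # The header's flow count must account for every byte that follows it.
    if len(datagram) != HEADER.size + count * RECORD_LEN:
        raise ExportError("length does not match flow count")
    return {"count": count, "sequence": sequence, "time": secs,
            "engine": (engine_type, engine_id)}

class SequenceTracker:
    """Track per-exporter sequence numbers to spot lost or injected datagrams."""
    def __init__(self):
        self.expected = {}             # exporter address -> next sequence

    def check(self, exporter, hdr):
        """Return the gap in flows (0 = in order, None = first datagram seen)."""
        want = self.expected.get(exporter)
        self.expected[exporter] = (hdr["sequence"] + hdr["count"]) & 0xFFFFFFFF
        if want is None:
            return None
        return (hdr["sequence"] - want) & 0xFFFFFFFF

def build_sample(sequence, count, version=5):
    """Constructed test datagram: header plus zero-filled flow records."""
    hdr = HEADER.pack(version, count, 1000, 1328140800, 0, sequence, 0, 0, 0)
    return hdr + bytes(count * RECORD_LEN)
```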
pflow source and destination addresses
are controlled by
flowsrc is the sender IP address of the UDP packet
which can be used to identify the source of the data on the
defines the collector IP address and the port. The
flowdst IP address and port must be defined to
enable the export of flows.
For example, the following command sets 10.0.0.1 as the source and 10.0.0.2:1234 as destination:
# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234
The protocol is set to IPFIX with the following command:
# ifconfig pflow0 pflowproto 10
Cisco Systems NetFlow Services Export Version 9, RFC 3954, October 2004.
Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information, RFC 5101, January 2008.
The pflow device first appeared in OpenBSD 4.5.
|February 2, 2012||OpenBSD-5.1|