OpenBSD manual page server

Manual Page Search Parameters
PFLOW(4) Device Drivers Manual PFLOW(4)

pflowkernel interface for pflow data export

pseudo-device pflow

The pflow interface is a pseudo-device which exports pflow accounting data from the kernel using udp(4) packets. pflow is compatible with netflow version 5 and IPFIX (10). The data is extracted from the pf(4) state table.

Multiple pflow interfaces can be created at runtime using the ifconfig pflowN create command. Each interface must be configured with a flow receiver IP address and a flow receiver port number.

Only states created by a rule marked with the pflow keyword are exported by the pflow interface.

The pflow interface will attempt to export multiple pflow records in one UDP packet, but will not hold a record for longer than 30 seconds. The packet size and thus the maximum number of flows is controlled by the mtu parameter of ifconfig(8).

Each packet seen on this interface has one header and a variable number of flows. The header indicates the version of the protocol, number of flows in the packet, a unique sequence number, system time, and an engine ID and type. Header and flow structs are defined in <net/if_pflow.h>.

There is a one-to-one correspondence between packets seen by bpf(4) on the pflow interface and packets sent out to the flow receiver. That is, a packet with 30 flows on pflow means that the same 30 flows were sent out to the receiver.

The pflow source and destination addresses are controlled by ifconfig(8). flowsrc is the sender IP address of the UDP packet which can be used to identify the source of the data on the pflow collector. flowdst defines the collector IP address and the port. The flowdst IP address and port must be defined to enable the export of flows.

For example, the following command sets 10.0.0.1 as the source and 10.0.0.2:1234 as destination:

# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234

The protocol is set to IPFIX with the following command:

# ifconfig pflow0 pflowproto 10

netintro(4), pf(4), udp(4), pf.conf(5), ifconfig(8), tcpdump(8)

B. Claise, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information, RFC 5101, January 2008.

The pflow device first appeared in OpenBSD 4.5.

A state created by pfsync(4) can have a creation or expiration time before the machine came up. In this case, pflow pretends such flows were created or expired when the machine came up.

The IPFIX implementation is incomplete: The required transport protocol SCTP is not supported. Transport over TCP and DTLS protected flow export is also not supported.

March 29, 2014 OpenBSD-7.2