EVOLUTION-MANAGER

Edit File: n2disk.8

.\" This file Copyright 1998-2012 ntop.org .\" . .de It .TP 1.2 .B "\\$1 " .. .de It2 .TP 1.2 .B "\\$1 | \\$2" .. .TH N2DISK 8 "February 2016 (n2disk 2.3)" .SH NAME n2disk \- network traffic recorder application .SH SYNOPSIS .B n2disk .RB [ @filename ] .RB [ --interface | -i .IR device ] .RB [ --active-wait | -g ] .RB [ --poll-duration | -q .IR duration ] .RB [ --snaplen | -s .IR snaplen ] .RB [ --sample-rate | -y .IR rate ] .RB [ --filter | -f .IR filter ] .RB [ --fast-filter | -F .IR filter ] .RB [ --time-pulse | -S .IR core_id ] .RB [ --no-timestamp | -T ] .RB [ --simulation-mode | -e .IR mode ] .RB [ --chunk-len | -C .IR len ] .RB [ --journaling | -j ] .RB [ --buffer-len | -b .IR len ] .RB [ --dump-directory | -o .IR directory ] .RB [ --archive-directory | -O .IR directory ] .RB [ --max-file-len | -p .IR len ] .RB [ --max-file-duration | -t .IR duration ] .RB [ --max-file-packets | -N .IR number ] .RB [ --archive | -a ] .RB [ --max-num-files | -m .IR number ] .RB [ --max-nested-dirs | -n .IR number ] .RB [ --file-prefix | -x .IR prefix ] .RB [ --disable-direct-io | -r ] .RB [ --index | -I ] .RB [--index-version|-1] .RB [ --timeline-dir | -A .IR directory ] .RB [ --no-index-compression | -D ] .RB [ --extended-index | -E .IR type ] .RB [ --index-tunnel-content | -G ] .RB [ --version | -V ] .RB [ --help | -h ] .RB [ --verbose | -v ] Unix options: .RB [ --reader-cpu-affinity | -c .IR id ] .RB [ --writer-cpu-affinity | -w .IR id ] .RB [ --unprivileged-user | -u .IR username ] .RB [ --pid | -P .IR file ] .RB [ --syslog | -l ] PF_RING only options: .RB [ --nanoseconds | -d ] Multithreaded version options: .RB [ --reader-threads | -R .IR ids ] .SH DESCRIPTION .B n2disk is a network traffic recorder application. It can capture full-sized network packets at multi-Gigabit rate (above 10 Gigabit/s on adequate hardware) from a live network interface, and write them into files without any packet loss. .B n2disk has been designed to write files into disks for very long periods, you have to specify a maximum number of distinct file that may be written during the execution, and if .B n2disk reaches the maximum number of files, it will start recycling the files from the oldest one. This way you can have a complete view of the traffic for a fixed temporal window, knowing in advance the amount of disk space needed. .B n2disk uses the industry standard PCAP file format (regular and nanosecond) to dump packets into files so the resulting output can be easily integrated with existing third party or open source analysis tools. Furthermore it is able to produce an index on-the-fly, in order to quickly filter and retrieve interesting traffic. .PP .SH OPTIONS .It @filename The text of .B @filename is copied - ignoring line breaks and comment lines (anything following a #) - into the command line. .It2 --interface -i Ingress packet .I device . .It2 --active-wait -g Use active packet polling. .It2 --poll-duration -q Set max poll duration to .I duration (usec). Lower more CPU is used, better response time. Default: 10. .It2 --snaplen -s Set max packet capture length to .I snaplen . Default: 1514. .It2 --sample-rate -y Packet .I rate (e.g. 100 means 1:100 sampling). .It2 --filter -f BPF ingress packet .I filter (tcpdump-like). .It2 --fast-filter -F Faster replacement for BPF ingress packet filter. .I filter can be specified using a BPF-like syntax. .It2 --time-pulse -S Enable time pulse thread and bind it to the core .I id . .It2 --nanoseconds -d Dump timestamps in nsec format. .It2 --no-timestamp -T Do not compute timestamps in n2disk. .It2 --simulation-mode -e Simulation .I mode (debug only). 1: Test max dump speed(simulate capture), 2: Test max capture speed (simulate storage). .It2 --chunk-len -C .I len is the size (KB) of the chunk written to disk (must be multiple of 4096). Default: 64 KB. .It2 --journaling -j Enable journaling. .It2 --buffer-len -b Use buffer of length .I len (MBytes). .It2 --dump-directory -o .I directory where dump files will be saved. .It2 --archive-directory -O .I directory where dump files will be archived(slower disks). The -a option is overwritten when using it. .It2 --max-file-len -p Set the max pcap file .I len (MBytes). .It2 --max-file-duration -t Set the max pcap file .I duration (sec). .It2 --max-file-packets -N Max .I number of packets per pcap file. Default: 0 (no max duration). .It2 --archive -a Archive pcap file (rename to .old) instead of overwriting if already present on disk. .It2 --max-num-files -m Max .I number of files before restarting file name. .It2 --max-nested-dirs -n Max .I number of nested dump sub-directories. .It2 --file-prefix -x Dump file .I prefix . .It2 --disable-direct-io -r Disable Direct I/O (experts only). .It2 --index -I Create pcap-index on-the-fly. .It2 [--index-version|-1] Soecify the index version. The default is 1 (legacy index), but also 2 is supported for using the new flow-based index .It2 --timeline-dir -A Create time-arranged directories for produced pcaps and indexes in .I directory . .It2 --no-index-compression -D Disable index compression. .It2 --extended-index -E Extended index type. Default 0, 1 adds per-packet timestamp. .It2 --index-tunnel-content -G Compute index on tunnel content (GTP-U) .It2 --reader-threads -R Enable multithread support and bind reader threads to the specified core .I ids (e.g. 0,1,2,3). .It2 --reader-cpu-affinity -c Binds the reader thread to the specified core .I id . .It2 --writer-cpu-affinity -w Binds the writer thread to the specified core .I id . Note: the first available CPU corresponds to 0. .It2 --unprivileged-user -u Use .I username instead of nobody when dropping privileges. .It2 --pid -P Set the pid .I file . .It2 --version -V Print application version. .It2 --help -h Print the help. .It2 --verbose -v Verbose. .It2 --syslog -l Dump trace messages to syslog. .SH EXAMPLES Basic example: .B n2disk -i dna0 -o /storage/dna0/ -b 1024 -C 1024 -p 512 -q 1 - S 0 -c 1 -w 2 Packet indexing: .B n2disk -i dna0 -o /storage/dna0/ -I -A /index/dna0/ -b 1024 -C 1024 -p 512 -q 1 -S 0 -c 1 -w 2 Multithreaded packet capture (3 threads): .B n2disk -i dna0 -o /storage/dna0/ -b 1024 -C 1024 -p 512 -q 1 - S 0 -c 1 -R 3,4,5 -w 2 .SH "SEE ALSO" .BR tcpdump (8), .BR pcap (3). .SH USER SUPPORT Commercial support is available upon request. Please see the ntop site for further info. Please send code patches to <patch@ntop.org>.