NAME

ipcad.conf — ipcad configuration file

SYNOPSIS

/usr/local/etc/ipcad.conf

DESCRIPTION

The file /usr/local/etc/ipcad.conf contains configuration information for the ipcad(8) daemon. The ipcad.conf file consists of a series of configuration options describing the interfaces on which ipcad should be listening and other configuration data.

Global configuration

capture-ports { enable | disable };

Make ipcad account for UDP/TCP ports, IP protocol and ICMP types on a per-interface basis. This setting is relevant for RSH and interactive export methods only. Capturing UDP and TCP is disabled by default to maintain historic RSH output format compatibility. To selectively enable capturing ports on certain interfaces, specify the capture-ports between the appropriate interface configuration statements.

buffers = <number> [{ k | m }] ;

Defines a buffer size to use for transferring the data from the kernel. Using larger buffers may increase the performance by lowering the number of expensive context switches, whereas using smaller values improves responsiveness.

NOTE: This option has no effect on NetFlow operation.

Interface configuration

interface <face> [promisc] [input-only] [netflow-sampled] [netflow-disable] [filter "<pcap_filter>"] ;

Listen on specified interface using BPF or PCAP packet source. (Please refer to the Interface options section below).

interface ulog group <group> [, group <group> ...] [netflow-sampled] [netflow-disable] ;

Use Linux iptables' ULOG interface for packet capturing. You should configure the iptables to forward the packets into the appropriate group:

iptables -A OUTPUT -j ULOG --ulog-nlgroup <group>

Interface options:

promisc: Put interface into promiscuous mode. This enables listening for the packets which are not destined for this host and thus ipcad will count and display all the traffic within the local network. Note that the interface might be in promiscuous mode for some other reason.

input-only: Use kernel feature of counting only incoming packets.

NOTE: "input-only" directive must be supported by kernel. Probably, you were noticed about it during the compilation process if it was not supported. FreeBSD 3.x and elder kernels do not support this feature.

netflow-sampled: If the NetFlow export mechanism is used, this option instructs the interface to supply only one out of N packets to the NetFlow accounting code, thus lowering the CPU and memory requirements. The value of N is configured explicitly in a NetFlow configuration section.

NOTE: This option is NOT used to enable NetFlow on the interface, it just modifies the NetFlow behavior on this interface.

netflow-disable: By default, all interfaces are included into NetFlow accounting. This option is used to disable NetFlow accounting on a particular interface.

filter: Install a custom filter on packets instead of basic IP protocol filter. Requires libpcap (even if BPF is being used). May be employed to eliminate CPU overhead on passing unnecessary data between the kernel and user space (by installing the filter directly into the kernel).

IP aggregation

aggregate <ip>/<masklen> strip <maskbits>;

Aggregate addresses from the specified network (<ip>/<masklen>), by AND'ing with specified mask (<maskbits>). Use of aggregation helps to save memory space and recomendeed for efficiency.

aggregate <port_from>-<port_to> into <port>;

aggregate <port> into <port>;

Aggregate specified UDP/TCP ports range into a given port number. Use of aggregation helps to save memory space and recomendeed for efficiency.

RSH server configuration

rsh { enable | disable } [at <listen_ip>];

Enable/disable RSH server (disabled by default). Optionally, a server's IP address may be specified.

rsh [[<user>@]<host_addr>] [access] ;

Specifies an rsh access list entry. access values are:

admin Can shutdown ipcad
backup Can dump/restore/import accounting tables
default Can view and modify accounting tables
view-only Can view accounting tables
deny Deny all activity

rsh ttl = <ttl>;

Keep the IP time to live (TTL) value reasonably low to lower the possibility of remote attacks. Default is 3. This means that if you are trying to gather IP accounting from a distant (a few network "hops", see traceroute(1)) ipcad server using RSH, such attempts may fail.

rsh timeout = <seconds>;

Set rsh timeout for the same purpose.

dumpfile = <filename>;

Dump memory table to this file on exit and read on startup (refer to ipcad(8) and read about -s and -r options).

NOTE: This setting has no effect on NetFlow operation. The contents of the flow cache are flushed to the collector upon ipcad termination.

NetFlow export configuration

netflow export destination <collector-ip> <collector-port>;

Enable NetFlow information export to the specified destination. By default, ipcad does not export NetFlow information.

netflow export version { 1 | 5 };

Specify the NetFlow export format version. By default, version 5 is used.

netflow export timeout active <time-minutes>;

Configure the timer to expire active flows after the given value in minutes.

netflow export timeout inactive <time-seconds>;

Configure the timer to expire inactive flows after the given value in seconds.

Other options:

memory_limit = <number> [{ k | m | e }] ;

Defines a memory limit for storing the per-stream associations. Shortcuts are for kilobytes, megabytes or entries respectively.

chroot = </path>;

Chroot to this directory before processing.

uid = <number>;

Set this uid to be safe in the long run. Please change it if you're aware of the consequences. RSH service will NOT work if process is not privileged. Default is to not to change privileges.

gid = <number>;

Set this gid to be safe in the long run. Default is not to change privileges.

pidfile = <filename>;

File to keep the process PID in it. ipcad will also hold a lock. Creation of the PID file is done after chroot()'ing.

AUTHORS

Lev Walkin <vlm@lionet.info>