# FlowCarp
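[FlowCarp](https://flowcarp.com/) identifies application-layer protocols in network traffic based on behavior rather than port numbers. FlowCarp reads packet data as PCAP, PcapNG, or TZSP streams and outputs information about the flows it finds, including the application-layer protocol detected for each flow.
For more information about FlowCarp, visit the [official FlowCarp website](https://flowcarp.com/).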
# Install as Container
Install the docker container from the command line:
`docker pull ghcr.io/netresec/flowcarp:latest`
Or better yet, use our [docker-compose.yml](docker-compose.yml) to install the docker container:
```
curl -fsSL https://raw.githubusercontent.com/Netresec/FlowCarp/refs/heads/main/docker-compose.yml -o docker-compose.yml
docker compose up -d
```
# Environment Variables
The following environment variables can be set to configure FlowCarp.
```
FC_CLEARCACHE Clear cached data and protocols
FC_DEBUG Log debug info
FC_FLUSH= Flush active flows every . For real-time monitoring. Can output flow duplicates.
FC_FORMAT= Flow output format, where can be:
  CSV Comma separated values (default)
  TSV Tab separated values
  EveJson Suricata Eve JSON, alerts and flows
  EveJsonAlert Suricata Eve JSON, alerts only
  EveJsonFlow Suricata Eve JSON, flows only
  ZeekConn Zeek conn log, flows only
  ZeekNotice Zeek notice log, alerts only
FC_HELP Print command line argument help and quit
FC_HELPENV Print supported environment variables and quit
FC_INPUT= Network traffic/packet input, where can be:
  FILE Read pcap(ng) file from path specified in FILE
  URI Download pcap(ng) file from URI
  - Read pcap(ng) stream from stdin
  directory::PATH Search for pcap(ng) files in PATH, where can be:
    Once Process files in PATH, then quit
    OnceRecursive Process files in PATH and sub directories thereof, then quit
    Monitor Process files in PATH, then monitor for new files to process in PATH
  tcp[:IP]:PORT Start PCAP-over-IP listener on TCP port, for example tcp:57012. Default IP is 0.0.0.0
  tcpconnect:IP:PORT Connect to a PCAP-over-IP server, such as PolarProxy or Fox-IT's pcap-broker.
  tzsp[:IP]:PORT Listen for MikroTik TZSP stream(s) on UDP port, for example tzsp:37008. Default IP is 0.0.0.0
FC_KEY= Use license key to identify more protocols
FC_KEYFILE= Read license key from to identify more protocols
FC_LOGTIME Include timestamps in log output
FC_MODEL= Load custom protocol model from file (create with --output model)
FC_OUTPUT= Output flow data as , which can be any of:
  FILE Write flow data to FILE
  DIR Write flow data to new file in DIR
  - Output flow data to stdout
  tcp[:IP]:PORT Create flow output service listening on specified TCP port. Default IP is 0.0.0.0
  tcpconnect:IP:PORT Send flow output to specified IP and TCP port
  model:PROTO:[TAGS]:FILE Generate custom protocol model for PROTO from input packets and save it to .fcp FILE. Use comma separated TAGS, such as MALICIOUS,COINMINER (MALICIOUS is required to generate alerts).
  ipfix:PORT NOT IMPLEMENTED
FC_PREVIEW Output early preview of active flows. For real-time monitoring. Can output flow duplicates.
FC_REALTIME Read input pcap data at maximum speed, with risk of dropping some frames
FC_TIMEOUT= Input timeout. Default = 0 (no timeout).
FC_VERBOSE Log more information to stderr
FC_VERSION Show version number and quit
FC_WEBSERVICE= Start pcap-to-flows web service on URI prefix, such as http://127.0.0.1:57080/ or http://+:57080/
```
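The `tcp[:IP]:PORT` and `tzsp[:IP]:PORT` forms above default to 0.0.0.0 when the IP is omitted, so it is worth checking which settings open a listener on every interface before deploying. The script below is an added example, not part of FlowCarp: the function names `fc_bind_scope` and `fc_audit_env` and the sample values are constructed here, and treating a `+` host in the web service prefix as all interfaces is an assumption.

```shell
#!/bin/sh
# Added example (not FlowCarp code): report which FlowCarp settings open a
# listener on all interfaces, using the spec formats documented above.

# fc_bind_scope NAME VALUE prints one of:
#   all-interfaces | loopback | specific:<host> | not-a-listener
fc_bind_scope() {
    name=$1 spec=$2
    case "$name=$spec" in
        FC_WEBSERVICE=http://*|FC_WEBSERVICE=https://*)   # URI prefix
            host=${spec#*://}
            host=${host%%/*}                # drop the path
            host=${host%:*}                 # drop :PORT (IPv4/hostname only)
            ;;
        FC_INPUT=tcp:*|FC_INPUT=tzsp:*|FC_OUTPUT=tcp:*)   # [:IP]:PORT forms
            rest=${spec#*:}
            case $rest in
                *:*) host=${rest%:*} ;;     # IP given explicitly
                *)   host=0.0.0.0 ;;        # IP omitted: documented default
            esac
            ;;
        *)  # FILE, URI, "-", directory:, tcpconnect:, model: bind nothing
            echo not-a-listener
            return 0
            ;;
    esac
    case $host in
        0.0.0.0|+) echo all-interfaces ;;   # "+" as wildcard is an assumption
        127.*|localhost) echo loopback ;;
        *) printf 'specific:%s\n' "$host" ;;
    esac
}

# Audit the current environment; returns 1 if any listener is all-interfaces.
fc_audit_env() {
    exposed=0
    for var in FC_INPUT FC_OUTPUT FC_WEBSERVICE; do
        eval "val=\${$var-}"
        [ -n "$val" ] || continue
        scope=$(fc_bind_scope "$var" "$val")
        if [ "$scope" = not-a-listener ]; then continue; fi
        echo "$var=$val -> $scope"
        if [ "$scope" = all-interfaces ]; then exposed=1; fi
    done
    return "$exposed"
}

# Constructed sample settings, run in a subshell so nothing leaks out.
( FC_INPUT=tcp:57012; FC_OUTPUT=-; FC_WEBSERVICE=http://127.0.0.1:57080/
  fc_audit_env ) || echo "listener reachable on all interfaces: bind to an IP"
```

When FlowCarp runs in a container, the bind address applies inside the container; which host interfaces can reach the listener is then decided by how the port is published.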