fprobe-ulog(8)              System Manager's Manual             fprobe-ulog(8)

NAME

       fprobe-ulog - a NetFlow probe

SYNOPSIS

       fprobe-ulog [options] remote:port[/[local][/type]] ...

DESCRIPTION

       fprobe-ulog - libipulog-based tool that collects network traffic data
       and emits it as NetFlow flows towards the specified collector.

OPTIONS

       -h     Display short help.

       -U <mask>
              ULOG group bitwise mask. [default=1]

       -s <seconds>
              How often to scan for expired flows. [default=5]

       -g <seconds>
              Fragmented flow lifetime. [default=30]

       -d <seconds>
              Idle flow lifetime (inactive timer). [default=60]

       -e <seconds>
              Active flow lifetime (active timer). [default=300]

       -n <version>
              NetFlow version to use (1, 5, 7). [default=5]

       -a <address>
              Use address as the source address for NetFlow flows.

       -X <rule[,...]>
              Comma-separated list of interface-name to SNMP-index conversion
              rules.  Each rule consists of an interface base name and an
              SNMP-index base separated by a colon (e.g. ppp:200). The final
              SNMP-index is the sum of the corresponding SNMP-index base and
              the interface number. In the above example the SNMP-index of
              interface ppp11 is 211.

              If the interface name does not fit any of the conversion rules,
              the SNMP-index is taken from the kernel.

       -M     Use the netfilter mark as the Type Of Service value.

       -b <flows>
              Memory bulk size. [default=200 or 10000]
              Note that the maximum and default values depend on compile-time
              options (--with-membulk parameter).

       -m <kilobytes>
              Memory limit for the flows cache (0=no limit). [default=0]

       -q <flows>
              Pending queue length. [default=100]
              Each captured packet is first put into a special buffer called
              the `pending queue'. The purpose of this buffer is to separate
              the most time-critical packet capture thread from the others.

       -B <kilobytes>
              Kernel capture buffer size (0=don't change). [default=0]
              Increasing the kernel capture buffer size is the most adequate
              way to prevent packet loss.
              Note that the maximum allowed size of the buffer in Linux is
              limited and generally relatively small, so it may be necessary
              to raise the maximum: sysctl -w net/core/rmem_max=4194304

       -r <priority>
              Real-time priority (0=disabled). [default=0]
              If the parameter is greater than zero, fprobe-ulog will use a
              real-time scheduling policy to prevent packet loss. Note that
              the possible values for this option depend on the operating
              system.

       -t <B:N>
              Emitting rate limit (0:0=no limit). [default=0:0]
              Produce an N nanosecond delay after each B bytes sent. This
              option may be useful with slow interfaces and slow collectors.
              Note that the suspension time may be longer than requested
              because the argument value is rounded up to an integer multiple
              of the sleep resolution (which depends on operating system and
              hardware) or because of the scheduling of other activity by the
              system.
              See the BUGS section.

       -c <directory>
              Directory to chroot to.

       -u <user>
              User to run as.

       -v <level>
              Maximum displayed log level (0=EMERG, 1=ALERT, 2=CRIT, 3=ERR,
              4=WARNING, 5=NOTICE, 6=INFO, 7=DEBUG). [default=6]

       -l <[dst][:id]>
              Log destination (0=none, 1=syslog, 2=stdout, 3=both) and
              log/pidfile identifier. [default=1]
              This option allows selecting a suitable log destination and a
              process identifier. The identifier helps to distinguish the
              pidfile and logs of one fprobe-ulog process from another's.
              Note that if the log destination includes `stdout' (equal to 2
              or 3), fprobe-ulog will run in the foreground.

       remote:port/local/type
              The remote and port parameters define the address and port of
              the NetFlow collector, respectively.
              The local parameter allows binding a certain local IP address
              for the specified collector. If the parameter is omitted, the
              value (if any) of the -a option is used.
              The type parameter determines the emitting behaviour. It may be
              `m' for mirroring (the default) or `r' for round-robin rotation
              between collectors.
              You may specify multiple collectors.

EXAMPLES

       fprobe-ulog -Xeth:100,ppp:200 localhost:2055

       Reasonable configuration to run under heavy load:
       fprobe-ulog -B4096 -r2 -q10000 -t10000:10000000 localhost:2055

       Send packets to the collector at 10.1.1.1:2055 and distribute them
       between the collectors at 10.1.1.2:2055 and 10.1.1.3:2055 on a
       round-robin basis:
       fprobe-ulog 10.1.1.1:2055 10.1.1.2:2055//r 10.1.1.3:2055//r
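       The first example above passes -Xeth:100,ppp:200. The C program below
       (an added example, not fprobe-ulog's own code) applies such rules to an
       interface name the way the -X option describes, so ppp11 maps to 211;
       the kernel_index argument stands in for the index the kernel would
       otherwise report, and the requirement that a name be a base name
       followed by a number is this example's assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not fprobe-ulog's own code: applies -X conversion rules
 * such as "eth:100,ppp:200" to an interface name as the man page describes.
 * kernel_index stands in for the index the kernel reports when no rule fits
 * (assumed fallback); a name must be "<base><digits>" to fit a rule (also
 * an assumption of this example). Returns -1 for a malformed rule list. */
static long snmp_index_for(const char *rules, const char *ifname, long kernel_index)
{
    char buf[256], *rule, *colon, *end;
    long base, ifnum;

    if (strlen(rules) >= sizeof buf) return -1;
    strcpy(buf, rules);
    for (rule = strtok(buf, ","); rule; rule = strtok(NULL, ",")) {
        colon = strchr(rule, ':');
        if (!colon || colon == rule) return -1;         /* each rule is name:base */
        *colon = '\0';
        base = strtol(colon + 1, &end, 10);
        if (end == colon + 1 || *end != '\0') return -1; /* base must be a number */

        size_t len = strlen(rule);
        /* the name must start with the base name and continue with digits */
        if (strncmp(ifname, rule, len) != 0 || !isdigit((unsigned char)ifname[len]))
            continue;
        ifnum = strtol(ifname + len, &end, 10);
        if (*end != '\0') continue;                      /* e.g. "eth0.100" does not fit "eth" */
        return base + ifnum;                             /* ppp11 with ppp:200 -> 211 */
    }
    return kernel_index;                                 /* no rule fits: kernel's index */
}

int main(void)
{
    const char *rules = "eth:100,ppp:200";              /* the -X value from EXAMPLES */
    const char *ifs[] = { "eth0", "ppp11", "tun0" };    /* constructed interface names */
    for (size_t i = 0; i < 3; i++)
        printf("%-6s -> SNMP index %ld\n", ifs[i], snmp_index_for(rules, ifs[i], 7));
    return 0;
}
```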
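       The collector arguments in the last example, such as 10.1.1.2:2055//r,
       follow the remote:port[/[local][/type]] syntax described under OPTIONS.
       The C function below (an added example, not fprobe-ulog's own code)
       splits one such argument into its fields and applies the documented
       defaults; default_local stands for the -a address (NULL if -a was not
       given), and the summary string format is this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not fprobe-ulog's own code: splits one collector argument
 * of the form remote:port[/[local][/type]] as the man page describes.
 * default_local stands for the -a address (NULL when -a is absent). The
 * remote part is taken up to the first ':' (IPv4 address or host name). */
static const char *collector_summary(const char *arg, const char *default_local)
{
    static char out[256];              /* single-threaded example: static result */
    char buf[160], *port_s, *local_s = NULL, *type_s = NULL, *end;
    const char *local;
    char type = 'm';                   /* `m' (mirroring) is the default type */
    long port;

    if (strlen(arg) >= sizeof buf) return "invalid";
    strcpy(buf, arg);
    port_s = strchr(buf, ':');
    if (!port_s || port_s == buf) return "invalid";   /* remote and port are mandatory */
    *port_s++ = '\0';
    local_s = strchr(port_s, '/');
    if (local_s) {
        *local_s++ = '\0';             /* "10.1.1.2:2055//r": local is empty, type follows */
        type_s = strchr(local_s, '/');
        if (type_s) *type_s++ = '\0';
    }
    port = strtol(port_s, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535) return "invalid";

    /* omitted local address: fall back to the -a value, if any */
    local = (local_s && *local_s) ? local_s : default_local ? default_local : "-";
    if (type_s && *type_s) {
        if ((type_s[0] != 'm' && type_s[0] != 'r') || type_s[1] != '\0') return "invalid";
        type = type_s[0];
    }
    snprintf(out, sizeof out, "remote=%s port=%ld local=%s type=%c", buf, port, local, type);
    return out;
}

int main(void)
{
    /* the three collectors from the round-robin example, -a not given */
    const char *args[] = { "10.1.1.1:2055", "10.1.1.2:2055//r", "10.1.1.3:2055//r" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-18s -> %s\n", args[i], collector_summary(args[i], NULL));
    return 0;
}
```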

BUGS

       Slow interfaces and slow collectors.
       There may be problems with slow interfaces and slow collectors. The
       effect is loss of emitted packets. On the one hand, the silent
       non-blocking sendto() implementation cannot guarantee that a packet
       was really sent to the collector - it may be dropped by the kernel due
       to an outgoing buffer shortage (the slow interface's problem); on the
       other hand, a packet may be dropped on the collector's machine for a
       similar reason - an incoming buffer shortage (the slow collector's
       problem).
       Use the -t option as a workaround for this issue.

       Locally originated packets and their timestamps.
       Locally originated packets do not contain valid timestamps. Therefore
       fprobe-ulog fills in the timestamp itself on receipt of such a packet.
       Unfortunately, between the capture of a packet by the netfilter code
       and its receipt by fprobe-ulog certain lags may occur, so the
       timestamps of locally originated packets are generally inexact.
       It is possible to fix this problem entirely with a trivial kernel
       patch (see contrib/ipt_ULOG.patch).

SEE ALSO

       iptables(8)
       http://freshmeat.net/projects/ulogd
       http://www.cisco.com/go/netflow
fprobe-ulog 1.1                   2005-01-29                    fprobe-ulog(8)