1fprobe-ulog(8) System Manager's Manual fprobe-ulog(8)
2
6 fprobe-ulog - a NetFlow probe
7
10 fprobe-ulog [options] remote:port[/[local][/type]] ...
11
14 fprobe-ulog - libipulog-based tool that collect network traffic data
15 and emit it as NetFlow flows towards the specified collector.
16
19 -h Display short help
20 -U <mask>
22 ULOG group bitwise mask. [default=1]
23 -s <seconds>
25 How often scan for expired flows. [default=5]
26 -g <seconds>
28 Fragmented flow lifetime. [default=30]
29 -d <seconds>
31 Idle flow lifetime (inactive timer). [default=60]
32 -e <seconds>
34 Active flow lifetime (active timer). [default=300]
35 -n <version>
37 NetFlow version for use (1, 5, 7). [default=5]
38 -a <address>
40 Use address as source for NetFlow flow.
41 -X <rule[,...]>
43 Comma separated list of interface name to SNMP-index conversion
44 rules. Each rule consists of interface base name and SNMP-index
45 base separated by colon (e.g. ppp:200). Final SNMP-index is sum
46 of corresponding SNMP-index base and interface number.
47 In the above example SNMP-index of interface ppp11 is 211.
48 If interface name did not fit to any of conversion rules then
50 SNMP-index will be taken from kernel.
51 -M Use the netfilter mark as Type Of Service value.
53 -b <flows>
55 Memory bulk size. [default=200 or 10000]
56 Note that maximum and default values depends on compiling
57 options (--with-membulk parameter).
58 -m <kilobytes>
60 Memory limit for flows cache (0=no limit). [default=0]
61 -q <flows>
63 Pending queue length. [default=100]
64 Each captured packet at first puts into special buffer called
65 `pending queue'. Purpose of this buffer is to separate most
66 time-critical packet capture thread from other.
67 -B <kilobytes>
69 Kernel capture buffer size (0=don't change). [default=0]
70 Increase kernel capture buffer size is most adequate way to pre‐
71 vent packets loss.
72 Note that maximum allowed size of the buffer in Linux limited
73 and generally relatively small, so it should need to change the
74 maximum: sysctl -w net/core/rmem_max=4194304
75 -r <priority>
77 Real-time priority (0=disabled). [default=0]
78 If parameter greater then zero fprobe-ulog will use real-time
79 scheduling policy to prevent packets loss. Note that possible
80 values for this option depends on operating system.
81 -t <B:N>
83 Emitting rate limit (0:0=no limit). [default=0:0]
84 Produce N nanosecond delay after each B bytes sent. This option
85 may be useful with slow interfaces and slow collectors. Note
86 that the suspension time may be longer than requested because
87 the argument value is rounded up to an integer multiple of the
88 sleep resolution (it depends on operating system and hardware)
89 or because of the scheduling of other activity by the system.
90 See BUGS section.
91 -c <directory>
93 Directory to chroot to.
94 -u <user>
96 User to run as.
97 -v <level>
99 Maximum displayed log level. (0=EMERG, 1=ALERT, 2=CRIT, 3=ERR,
100 4=WARNING, 5=NOTICE, 6=INFO, 7=DEBUG) [default=6]
101 -l <[dst][:id]>
103 Log destination (0=none, 1=syslog, 2=stdout, 3=both) and
104 log/pidfile identifier. [default=1]
105 This option allows to select opportune log destination and
106 process identifier. The identifier helps to distinguish pidfile
107 and logs of one fprobe-ulog process from other.
108 Note that if log destination contains `stdout' (equal 2 or 3)
109 fprobe-ulog will run in foreground.
110 remote:port/local/type
112 Parameters remote and port are respectively define address and
113 port of the NetFlow collector.
114 The local parameter allows binding certain local IP address with
115 specified collector. If the parameter is omitted the value (if
116 any) of -a option will be used.
117 The type parameter determines emitting behavior. It may be `m'
118 for mirroring (by default) and `r' for collectors round-robin
119 rotating.
120 You may specify multiple collectors.
121
124 fprobe-ulog -Xeth:100,ppp:200 localhost:2055
125 Reasonable configuration to run under heavy load:
127 fprobe-ulog -B4096 -r2 -q10000 -t10000:10000000 localhost:2055
128 Send packets to collector at 10.1.1.1:2055 and distribute them between
130 collectors at 10.1.1.2:2055 and at 10.1.1.3:2055 on a round-robin
131 basis:
132 fprobe-ulog 10.1.1.1:2055 10.1.1.2:2055//r 10.1.1.3:2055//r
133
136 Slow interfaces and slow collectors.
137 There are may be problems with slow interfaces and slow collectors. It
138 effects as emitted packets loss. On the one hand silent non-blocking
139 sendto() implementation can't guarantee that packet was really sent to
140 collector - it may be dropped by kernel due to outgoing buffer shortage
141 (slow interface's problem) and on the other hand packet may be dropped
142 on collector's machine due the similar reason - incoming buffer short‐
143 age (slow collector's problem).
144 Use -t option as workaround for this issue.
145 Locally originated packets and their timestamps.
147 Locally originated packets does not contains valid timestamps. There‐
148 fore fprobe-ulog fill timestamp by itself on act of receive such
149 packet. Unfortunately, between capturing packet by netfilter code and
150 receiving it by fprobe-ulog may occur certain lags, thus timestamps of
151 locally originated packets generally inexact.
152 It is possible to fix this problem entirely by trivial kernel patch
153 (see contrib/ipt_ULOG.patch).
154
157 iptables(8)
158 http://freshmeat.net/projects/ulogd
159 http://www.cisco.com/go/netflow
160fprobe-ulog 1.1 2005-01-29 fprobe-ulog(8)