Provided by: fprobe-ulog_1.1-7.3_amd64

NAME

       fprobe-ulog - a NetFlow probe

SYNOPSIS

       fprobe-ulog [options] remote:port[/[local][/type]] ...

DESCRIPTION

       fprobe-ulog - a libipulog-based tool that collects network traffic data and emits it as
       NetFlow flows towards the specified collector.

OPTIONS

       -h     Display short help

       -U <mask>
              ULOG group bitwise mask. [default=1]

       -s <seconds>
              How often to scan for expired flows. [default=5]

       -g <seconds>
              Fragmented flow lifetime. [default=30]

       -d <seconds>
              Idle flow lifetime (inactive timer). [default=60]

       -e <seconds>
              Active flow lifetime (active timer). [default=300]

       -n <version>
              NetFlow version to use (1, 5, 7). [default=5]

       -a <address>
              Use address as the source address of emitted NetFlow flows.

       -X <rule[,...]>
              Comma separated list of interface name to SNMP-index conversion rules. Each rule
              consists of an interface base name and an SNMP-index base separated by a colon
              (e.g. ppp:200). The final SNMP-index is the sum of the corresponding SNMP-index
              base and the interface number.
              In the above example the SNMP-index of interface ppp11 is 211.

              If the interface name does not match any of the conversion rules, the SNMP-index
              is taken from the kernel.
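              The following shell function, added here as an illustration and not part of
              fprobe-ulog, applies the -X rule semantics described above: it takes a rule list
              in the same base:index[,base:index...] syntax and an interface name, prints the
              resulting SNMP-index, and fails when no rule matches (the case in which
              fprobe-ulog falls back to the kernel's interface index, which on Linux can be
              read from /sys/class/net/NAME/ifindex). The names snmp_index and kernel_ifindex
              are chosen for this example.

```sh
#!/bin/sh
# Illustration of fprobe-ulog's -X conversion rules (added example, not the tool's own code).
# snmp_index RULES IFNAME
#   RULES  comma separated list of base:index pairs, e.g. "eth:100,ppp:200" (same syntax as -X)
#   IFNAME interface name, e.g. "ppp11"
# Prints "index base + interface number" for the first matching rule and returns 0;
# prints nothing and returns 1 when no rule matches.
snmp_index() {
    rules=$1
    ifname=$2
    saved_ifs=$IFS
    IFS=,
    for rule in $rules; do
        # A rule must look like base:index with a non-empty base and a decimal index.
        case $rule in
            ?*:*) ;;
            *) continue ;;
        esac
        base=${rule%%:*}
        idx_base=${rule#*:}
        case $idx_base in
            ''|*[!0-9]*) continue ;;
        esac
        case $ifname in
            "$base"*)
                # Whatever follows the base name must be a decimal interface number,
                # otherwise the rule does not apply (e.g. "ethernet5" against "eth:100").
                num=${ifname#"$base"}
                case $num in
                    ''|*[!0-9]*) continue ;;
                esac
                IFS=$saved_ifs
                echo $((idx_base + num))
                return 0
                ;;
        esac
    done
    IFS=$saved_ifs
    return 1
}

# The kernel fallback used when no rule matches: the interface index from sysfs (Linux).
kernel_ifindex() {
    cat "/sys/class/net/$1/ifindex" 2>/dev/null
}

# The example from the option description: ppp11 under "eth:100,ppp:200" gives 211.
snmp_index 'eth:100,ppp:200' ppp11
```

              Rules are tried in the order given, and a rule only matches when the remainder
              of the interface name after the base is purely numeric, so "eth:100" does not
              capture an interface named ethernet5.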

       -M     Use the netfilter mark as Type Of Service value.

       -b <flows>
              Memory bulk size. [default=200 or 10000]
              Note that the maximum and default values depend on compile-time options (the
              --with-membulk parameter).

       -m <kilobytes>
              Memory limit for flows cache (0=no limit). [default=0]

       -q <flows>
              Pending queue length. [default=100]
              Each captured packet is first placed into a special buffer called the `pending
              queue'. The purpose of this buffer is to decouple the most time-critical thread,
              packet capture, from the others.

       -B <kilobytes>
              Kernel capture buffer size (0=don't change). [default=0]
              Increasing the kernel capture buffer size is the most adequate way to prevent
              packet loss. Note that the maximum allowed size of the buffer in Linux is limited
              and generally relatively small, so it may be necessary to raise the maximum:
              sysctl -w net/core/rmem_max=4194304

       -r <priority>
              Real-time priority (0=disabled). [default=0]
              If the parameter is greater than zero, fprobe-ulog will use a real-time scheduling
              policy to prevent packet loss. Note that the possible values for this option
              depend on the operating system.

       -t <B:N>
              Emitting rate limit (0:0=no limit). [default=0:0]
              Produce an N nanosecond delay after every B bytes sent. This option may be useful
              with slow interfaces and slow collectors. Note that the suspension time may be
              longer than requested because the argument value is rounded up to an integer
              multiple of the sleep resolution (which depends on operating system and hardware)
              or because of the scheduling of other activity by the system.
              See the BUGS section.

       -c <directory>
              Directory to chroot to.

       -u <user>
              User to run as.

       -v <level>
              Maximum displayed log level. (0=EMERG, 1=ALERT, 2=CRIT, 3=ERR, 4=WARNING, 5=NOTICE,
              6=INFO, 7=DEBUG) [default=6]

       -l <[dst][:id]>
              Log destination (0=none, 1=syslog, 2=stdout, 3=both) and log/pidfile identifier.
              [default=1]
              This option selects the log destination and a process identifier. The identifier
              helps to distinguish the pidfile and logs of one fprobe-ulog process from those of
              others.
              Note that if the log destination includes `stdout' (value 2 or 3) fprobe-ulog will
              run in the foreground.

       remote:port/local/type
              The remote and port parameters define the address and port of the NetFlow
              collector, respectively.
              The local parameter binds a certain local IP address for the specified collector.
              If it is omitted, the value (if any) of the -a option is used.
              The type parameter determines the emitting behaviour. It may be `m' for mirroring
              (the default) or `r' for round-robin rotation among collectors.
              You may specify multiple collectors.

EXAMPLES

       fprobe-ulog -Xeth:100,ppp:200 localhost:2055

       Reasonable configuration to run under heavy load:
       fprobe-ulog -B4096 -r2 -q10000 -t10000:10000000 localhost:2055

       Send packets to collector at 10.1.1.1:2055  and  distribute  them  between  collectors  at
       10.1.1.2:2055 and at 10.1.1.3:2055 on a round-robin basis:
       fprobe-ulog 10.1.1.1:2055 10.1.1.2:2055//r 10.1.1.3:2055//r
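
       The following shell function, added here as an illustration and not part of
       fprobe-ulog, splits a collector argument written in the remote:port[/[local][/type]]
       form from the SYNOPSIS into its parts and applies the defaults described under
       OPTIONS: an omitted local address is left empty (fprobe-ulog then falls back to -a)
       and an omitted type means mirroring. The name parse_collector is chosen for this
       example; it runs over the three collectors of the last example above.

```sh
#!/bin/sh
# Illustration of the remote:port[/[local][/type]] collector syntax (added example,
# not fprobe-ulog's own parser).
# parse_collector SPEC
#   Prints "remote=R port=P local=L type=T" with the documented defaults applied:
#   an empty local means "use the -a address, if any"; a missing type means m (mirror).
#   Returns 1 if the port is missing or not numeric, or if the type is neither m nor r.
parse_collector() {
    spec=$1
    hostport=${spec%%/*}                 # part before the first slash
    rest=${spec#"$hostport"}             # "", "/local", "/local/type" or "//type"
    rest=${rest#/}

    case $hostport in
        *:*) ;;
        *) return 1 ;;                   # the port is mandatory
    esac
    remote=${hostport%:*}
    port=${hostport##*:}
    case $port in
        ''|*[!0-9]*) return 1 ;;         # the port must be a decimal number
    esac

    local_addr=${rest%%/*}               # empty when the local part is omitted
    if [ "$rest" = "$local_addr" ]; then
        type=m                           # no second slash: type not given, mirroring is the default
    else
        type=${rest#*/}
        [ -n "$type" ] || type=m         # trailing slash with nothing after it: default again
    fi
    case $type in
        m|r) ;;
        *) return 1 ;;                   # only mirroring and round-robin exist
    esac
    printf 'remote=%s port=%s local=%s type=%s\n' "$remote" "$port" "$local_addr" "$type"
}

# The collectors from the last example above: one mirrored, two in round-robin.
for spec in 10.1.1.1:2055 10.1.1.2:2055//r 10.1.1.3:2055//r; do
    parse_collector "$spec"
done
```

       Note that the two slashes in 10.1.1.2:2055//r are what leave the local address empty
       while still supplying a type; 10.1.1.2:2055/r would instead be read as a local address
       of "r" with the default mirroring type.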

BUGS

       Slow interfaces and slow collectors.
       There may be problems with slow interfaces and slow collectors, which manifest as loss of
       emitted packets. On the one hand, the silent non-blocking sendto() implementation cannot
       guarantee that a packet was really sent to the collector: it may be dropped by the kernel
       due to an outgoing buffer shortage (the slow interface's problem). On the other hand, the
       packet may be dropped on the collector's machine for a similar reason, an incoming buffer
       shortage (the slow collector's problem).
       Use the -t option as a workaround for this issue.

       Locally originated packets and their timestamps.
       Locally originated packets do not contain valid timestamps. Therefore fprobe-ulog fills
       in the timestamp itself when it receives such a packet. Unfortunately, a certain lag may
       occur between the capture of a packet by the netfilter code and its reception by
       fprobe-ulog, so the timestamps of locally originated packets are generally inexact.
       It is possible to fix this problem entirely with a trivial kernel patch (see
       contrib/ipt_ULOG.patch).

SEE ALSO

       iptables(8)
       http://freshmeat.net/projects/ulogd
       http://www.cisco.com/go/netflow