Provided by: fprobe-ulog_1.1-7.3_amd64

NAME
       fprobe-ulog - a NetFlow probe

SYNOPSIS
       fprobe-ulog [options] remote:port[/[local][/type]] ...

DESCRIPTION
       fprobe-ulog is a libipulog-based tool that collects network traffic data and emits it as
       NetFlow flows towards the specified collector.

OPTIONS
       -h     Display short help

       -U <mask>
              ULOG group bitwise mask. [default=1]

       -s <seconds>
              How often to scan for expired flows. [default=5]

       -g <seconds>
              Fragmented flow lifetime. [default=30]

       -d <seconds>
              Idle flow lifetime (inactive timer). [default=60]

       -e <seconds>
              Active flow lifetime (active timer). [default=300]

       -n <version>
              NetFlow version for use (1, 5, 7). [default=5]

       -a <address>
              Use address as the source for NetFlow flows.

       -X <rule[,...]>
              Comma separated list of interface name to SNMP-index conversion rules. Each rule
              consists of an interface base name and an SNMP-index base separated by a colon (e.g.
              ppp:200). The final SNMP-index is the sum of the corresponding SNMP-index base and the
              interface
              In the above example the SNMP-index of interface ppp11 is 211.

              If the interface name does not match any of the conversion rules, the SNMP-index is
              taken from the kernel.
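The rule syntax above and the ppp11 -> 211 example worked through in code. This is an added illustration, not code from fprobe-ulog; the function names, the kernel ifindex table, and the reading that the trailing number of the interface name is what gets added to the rule's base are assumptions made here.

```python
import re

# Constructed sample input: a -X rule list in the man page's own syntax plus a
# made-up kernel ifindex table standing in for what the probe would read from
# the kernel (the fallback when no rule matches).
X_RULES = "eth:100,ppp:200"
KERNEL_IFINDEX = {"eth0": 2, "ppp11": 7, "tun0": 9, "lo": 1}


def parse_rules(spec):
    """Parse a comma-separated -X rule list into a list of (base_name, base_index)."""
    rules = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, base = item.partition(":")
        if not sep or not name or not base.isdigit():
            raise ValueError(f"malformed -X rule: {item!r}")
        rules.append((name, int(base)))
    return rules


def snmp_index(ifname, rules, kernel_ifindex):
    """Resolve the SNMP-index reported for ifname.

    Assumed semantics (inferred from the ppp11 -> 211 example): the interface
    name is split into a base name and a trailing number; if the base name
    equals a rule's base name, the index is rule base + number.  Otherwise the
    kernel ifindex is used unchanged.
    """
    m = re.fullmatch(r"(\D+)(\d+)", ifname)
    if m:
        base_name, number = m.group(1), int(m.group(2))
        for rule_name, rule_base in rules:
            if base_name == rule_name:
                return rule_base + number
    if ifname not in kernel_ifindex:
        raise KeyError(f"unknown interface {ifname!r}")
    return kernel_ifindex[ifname]


def index_table(spec, ifnames, kernel_ifindex):
    """Map every interface name to its SNMP-index under the given -X rule list."""
    rules = parse_rules(spec)
    return {n: snmp_index(n, rules, kernel_ifindex) for n in ifnames}


if __name__ == "__main__":
    for name, idx in index_table(X_RULES, KERNEL_IFINDEX, KERNEL_IFINDEX).items():
        print(f"{name:>6} -> {idx}")
```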

       -M     Use the netfilter mark as Type Of Service value.

       -b <flows>
              Memory bulk size. [default=200 or 10000]
              Note that the maximum and default values depend on compile-time options (--with-membulk

       -m <kilobytes>
              Memory limit for flows cache (0=no limit). [default=0]

       -q <flows>
              Pending queue length. [default=100]
              Each captured packet is first put into a special buffer called the `pending queue'.
              The purpose of this buffer is to separate the most time-critical packet capture thread from

       -B <kilobytes>
              Kernel capture buffer size (0=don't change). [default=0]
              Increasing the kernel capture buffer size is the most adequate way to prevent packet loss.
              Note that the maximum allowed size of the buffer in Linux is limited and generally
              relatively small, so it may be necessary to raise the maximum: sysctl -w

       -r <priority>
              Real-time priority (0=disabled). [default=0]
              If the parameter is greater than zero, fprobe-ulog will use a real-time scheduling
              policy to prevent packet loss. Note that the possible values for this option depend on
              the operating system.

       -t <B:N>
              Emitting rate limit (0:0=no limit). [default=0:0]
              Produce an N nanosecond delay after each B bytes sent. This option may be useful with
              slow interfaces and slow collectors. Note that the suspension time  may  be  longer
              than  requested  because the argument value is rounded up to an integer multiple of
              the sleep resolution (it depends on operating system and hardware)  or  because  of
              the scheduling of other activity by the system.
              See BUGS section.

       -c <directory>
              Directory to chroot to.

       -u <user>
              User to run as.

       -v <level>
              Maximum displayed log level. (0=EMERG, 1=ALERT, 2=CRIT, 3=ERR, 4=WARNING, 5=NOTICE,
              6=INFO, 7=DEBUG) [default=6]

       -l <[dst][:id]>
              Log destination (0=none, 1=syslog, 2=stdout, 3=both) and log/pidfile identifier.
              This option allows selecting a suitable log destination and process identifier. The
              identifier helps to distinguish the pidfile and logs of one fprobe-ulog process from
              Note that if the log destination includes `stdout' (i.e. 2 or 3), fprobe-ulog will run
              in the foreground.

              The remote and port parameters respectively define the address and port of the NetFlow
              The local parameter allows binding a certain local IP address for the specified
              collector. If the parameter is omitted, the value (if any) of the -a option will be
              The type parameter determines emitting behavior. It may be `m' for mirroring (the
              default) or `r' for round-robin rotation among collectors.
              You may specify multiple collectors.
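The collector argument grammar remote:port[/[local][/type]] and the mirror vs. round-robin behaviour, as an added example that is not fprobe-ulog's own code. Assumptions: parse_collector and plan_emits are names chosen here, default_local models the -a fallback, all `r' collectors share packets as one round-robin group, and the addresses are constructed RFC 5737 documentation values.

```python
def parse_collector(spec, default_local=None):
    """Parse one collector argument of the form remote:port[/[local][/type]].

    default_local stands in for the -a address: it is used as the local
    binding address when the /local part is omitted (assumed reading of the
    option text).  type defaults to 'm' (mirror); 'r' means round-robin.
    """
    parts = spec.split("/")
    if len(parts) > 3:
        raise ValueError(f"too many '/' in collector spec {spec!r}")
    remote, sep, port = parts[0].rpartition(":")
    if not sep or not remote or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"expected remote:port in {spec!r}")
    local = parts[1] if len(parts) > 1 and parts[1] else default_local
    ctype = parts[2] if len(parts) > 2 else "m"
    if ctype not in ("m", "r"):
        raise ValueError(f"collector type must be 'm' or 'r', got {ctype!r}")
    return {"remote": remote, "port": int(port), "local": local, "type": ctype}


def plan_emits(collectors, n_packets):
    """Return, per emitted NetFlow packet, the list of remote:port targets.

    Every 'm' collector receives every packet; the 'r' collectors as a group
    receive alternate packets in round-robin order (assumed semantics).
    """
    mirrors = [c for c in collectors if c["type"] == "m"]
    rotating = [c for c in collectors if c["type"] == "r"]
    plan = []
    for i in range(n_packets):
        targets = list(mirrors)
        if rotating:
            targets.append(rotating[i % len(rotating)])
        plan.append([f"{c['remote']}:{c['port']}" for c in targets])
    return plan


# Constructed sample command line: one mirrored collector plus two collectors
# sharing packets round-robin (addresses are RFC 5737 documentation values).
ARGS = ["192.0.2.10:2055", "198.51.100.1:9995//r", "198.51.100.2:9995/192.0.2.1/r"]

if __name__ == "__main__":
    cols = [parse_collector(a, default_local="192.0.2.1") for a in ARGS]
    for i, targets in enumerate(plan_emits(cols, 4)):
        print(f"packet {i}: {' '.join(targets)}")
```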

EXAMPLES
       fprobe-ulog -Xeth:100,ppp:200 localhost:2055

       Reasonable configuration to run under heavy load:
       fprobe-ulog -B4096 -r2 -q10000 -t10000:10000000 localhost:2055

       Send packets to collector at and distribute them between collectors at and at on a round-robin basis:

BUGS
       Slow interfaces and slow collectors.
       There may be problems with slow interfaces and slow collectors. They manifest as loss of
       emitted packets. On the one hand, the silent non-blocking sendto() implementation can't
       guarantee that a packet was really sent to the collector - it may be dropped by the kernel
       due to an outgoing buffer shortage (the slow interface's problem) and on the other hand a
       packet may be dropped on the collector's machine for a similar reason - an incoming buffer
       shortage (the slow collector's
       Use the -t option as a workaround for this issue.

       Locally originated packets and their timestamps.
       Locally originated packets do not contain valid timestamps. Therefore fprobe-ulog fills in
       the timestamp itself when it receives such a packet. Unfortunately, between the capture of
       a packet by the netfilter code and its receipt by fprobe-ulog certain lags may occur, thus
       the timestamps of locally originated packets are generally inexact.
       It is possible to fix this problem entirely with a trivial kernel patch (see