X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=README;fp=README;h=0c7542dc5ecb814a1b7cbd2e1764e285638e03fa;hb=85718e4dcaf5f34496f629e45a47ec91145c6f9e;hp=0000000000000000000000000000000000000000;hpb=abb2bffe08424d2d7e612f423815aeb7c79b42de;p=iptables.git diff --git a/README b/README new file mode 100644 index 0000000..0c7542d --- /dev/null +++ b/README @@ -0,0 +1,96 @@ +First of all sorry for my clumsy English. + +General information: +==================== + +fprobe-ulog: a NetFlow probe - libipulog-based tool that collect network +traffic data and emit it as NetFlow flows towards the specified +collector. + +URL: http://fprobe.sourceforge.net + +Compiling and installing: +========================= + +Read INSTALL file for basic installation instructions. Below I'll try to +describe advanced compilation options. + +--with-membulk=MODE indexing mode: index8|index16|ptr [default=ptr] +This option concerns to memory management and defines indexing mode and +maximum memory bulk size. I only shall tell, that the `index8' is most +frugal mode, `ptr' - fastest and `index16' somewhere in the middle. + +--with-hash=TYPE hash type: xor8|xor16|crc16 [default=xor16] +fprobe-ulog use hashing to speedup flows cache searching. This option +specifies the hash type. `xor8' is very frugal with memory - it uses +only 1KB (on 32-bit systems) for hash structure while `xor16' and +`crc16' - 256KB. But, on the other hand, bigger hash gives better +performance. +Hash functions xor8 and xor16 faster then crc16, but they are vulnerable +to a DoS attack, as described in "Denial of Service via Algorithmic +Complexity Attacks" by Scott A Crosby and Dan S Wallach: +http://www.cs.rice.edu/~scrosby/hash + +--enable-uptime_trick enable uptime trick [default=yes] +Maybe later... + +--enable-icmp_trick enable icmp trick: yes|cisco|no [default=yes] +If this option set to "yes" fprobe-ulog will store ICMP type and code in +srcport and dstport NetFlow fields. +If this option set to "cisco" only dstport field will used (ICMP type is +the higher eight bits and ICMP code is the lower eight bits). This +storing method used in some Cisco NetFlow implementations. + +--enable-debug enable debugging [default=no] +You may select different events for debugging: (C)apture, (U)npending, +(S)can, (E)mit, (M)emory, (F)ill and (I)nfo. Most interesting (for end +user) from above is Info debugging - you may get general statistic about +captured packets, emitted flows, allocated memory, using kill -s USR1. +Don't forget to run fprobe-ulog with `-v7' otherwise you'll not see +debugging output. +Example: +--enable-debug (enable all events debugging) +--enable-debug=I,C,U,E (enable Info, Capture, Unpending and Emit debugging) + +Brief explanation of Info debug messages: +I: received:[total packets]/[fragmented] ([total size]) + pending:[now in queue]/[maximum] +I: ignored:[non-IP] lost:[pending queue full]+[no memory for caching] +I: cache:[flows]/[fragmented] emit:[sent datagrams]/[sent flows]/[flows + in emit queue] +I: memory:[allocated flows]/[free] ([allocated memory in bytes]) + +--enable-messages enable runtime messages [default=no] +This option enables non-fatal runtime errors reporting. Be carefull - it +may flood your syslog. + +--with-piddir=DIR pidfiles location [default=/var/run] +Directory to store pidfiles. + +Useful links: +============= + +nProbe - NetFlow probe by Luca Deri: +http://www.ntop.org/nProbe.html + +fprobe (namesake of mine project) - NetFlow probe by Bogdan Surdu: +http://psi.home.ro/flow + +Softflowd - traffic analyzer capable of Cisco NetFlow data export: +http://www.mindrot.org/softflowd.html + +Cisco's NetFlow links: +http://www.cisco.com/go/netflow + +Excellent links collection about Network Monitoring and Analysis: +http://www.switch.ch/tf-tant/floma + +Contacts: +========= + +Feel free to send any questions, comments, bug reports etc. +Contributions are welcome, including cosmetic fixes and pointing out +usability problems. + +Sincerely yours, +Slava Astashonok