X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=src%2Ffprobe-ulog.8;fp=src%2Ffprobe-ulog.8;h=8d8aa8d74ad100ebf28df33041c6f979d376ee34;hb=85718e4dcaf5f34496f629e45a47ec91145c6f9e;hp=0000000000000000000000000000000000000000;hpb=abb2bffe08424d2d7e612f423815aeb7c79b42de;p=iptables.git diff --git a/src/fprobe-ulog.8 b/src/fprobe-ulog.8 new file mode 100644 index 0000000..8d8aa8d --- /dev/null +++ b/src/fprobe-ulog.8 @@ -0,0 +1,176 @@ +.TH fprobe-ulog 8 "2005-01-29" "fprobe-ulog 1.1" + +.SH NAME +fprobe-ulog \- a NetFlow probe + +.SH SYNOPSIS +.BI fprobe-ulog +[\fIoptions\fR] \fIremote:port[/[local][/type]] ...\fR + +.SH DESCRIPTION +.B fprobe-ulog +\- libipulog-based tool that collect network traffic data and emit it as +NetFlow flows towards the specified collector. + +.SH OPTIONS +.TP +.B -h +Display short help +.TP +.B -U \fI\fR +ULOG group bitwise mask. [default=1] +.TP +.B -s \fI\fR +How often scan for expired flows. [default=5] +.TP +.B -g \fI\fR +Fragmented flow lifetime. [default=30] +.TP +.B -d \fI\fR +Idle flow lifetime (inactive timer). [default=60] +.TP +.B -e \fI\fR +Active flow lifetime (active timer). [default=300] +.TP +.B -n \fI\fR +NetFlow version for use (1, 5, 7). [default=5] +.TP +.B -a \fI
\fR +Use \fIaddress\fR as source for NetFlow flow. +.TP +.B -X \fI\fR +Comma separated list of interface name to SNMP-index conversion rules. +Each \fIrule\fR consists of \fIinterface base name\fR and \fISNMP-index +base\fR separated by colon (e.g. ppp:200). Final SNMP-index is sum of +corresponding \fISNMP-index base\fR and \fIinterface number\fR. +.br +In the above example SNMP-index of interface ppp11 is 211. +.br + +If interface name did not fit to any of conversion rules then SNMP-index +will be taken from kernel. +.TP +.B -M +Use the netfilter mark as Type Of Service value. +.TP +.B -b \fI\fR +Memory bulk size. [default=200 or 10000] +.br +Note that maximum and default values depends on compiling options +(\fI--with-membulk\fR parameter). +.TP +.B -m \fI\fR +Memory limit for flows cache (0=no limit). [default=0] +.TP +.B -q \fI\fR +Pending queue length. [default=100] +.br +Each captured packet at first puts into special buffer called `pending +queue'. Purpose of this buffer is to separate most time-critical packet +capture thread from other. +.TP +.B -B \fI\fR +Kernel capture buffer size (0=don't change). [default=0] +.br +Increase kernel capture buffer size is most adequate way to prevent +packets loss. +.br +Note that maximum allowed size of the buffer in Linux limited and +generally relatively small, so it should need to change the maximum: +sysctl -w net/core/rmem_max=4194304 +.TP +.B -r \fI\fR +Real-time priority (0=disabled). [default=0] +.br +If parameter greater then zero \fBfprobe-ulog\fR will use real-time scheduling +policy to prevent packets loss. Note that possible values for this +option depends on operating system. +.TP +.B -t \fI\fR +Emitting rate limit (0:0=no limit). [default=0:0] +.br +Produce \fIN\fR nanosecond delay after each \fIB\fR bytes sent. This +option may be useful with slow interfaces and slow collectors. Note that +the suspension time may be longer than requested because the argument +value is rounded up to an integer multiple of the sleep resolution (it +depends on operating system and hardware) or because of the scheduling +of other activity by the system. +.br +See BUGS section. +.TP +.B -c \fI\fR +Directory to chroot to. +.TP +.B -u \fI\fR +User to run as. +.TP +.B -v \fI\fR +Maximum displayed log level. (0=EMERG, 1=ALERT, 2=CRIT, 3=ERR, 4=WARNING, +5=NOTICE, 6=INFO, 7=DEBUG) [default=6] +.TP +.B -l \fI<[dst][:id]>\fR +Log destination (0=none, 1=syslog, 2=stdout, 3=both) and log/pidfile +identifier. [default=1] +.br +This option allows to select opportune log destination and process +identifier. The identifier helps to distinguish pidfile and logs of one +\fBfprobe-ulog\fR process from other. +.br +Note that if log destination contains `\fIstdout\fR' (equal 2 or 3) +\fBfprobe-ulog\fR will run in foreground. +.TP +.B remote:port/local/type +Parameters \fIremote\fR and \fIport\fR are respectively define address +and port of the NetFlow collector. +.br +The \fIlocal\fR parameter allows binding certain local IP address with +specified collector. If the parameter is omitted the value (if any) of +\fI-a\fR option will be used. +.br +The \fItype\fR parameter determines emitting behavior. It may be `m' for +mirroring (by default) and `r' for collectors round-robin rotating. +.br +You may specify multiple collectors. + +.SH EXAMPLES +\fBfprobe-ulog -Xeth:100,ppp:200 localhost:2055\fR + +Reasonable configuration to run under heavy load: +.br +\fBfprobe-ulog -B4096 -r2 -q10000 -t10000:10000000 localhost:2055\fR + +Send packets to collector at 10.1.1.1:2055 and distribute them between +collectors at 10.1.1.2:2055 and at 10.1.1.3:2055 on a round-robin basis: +.br +\fBfprobe-ulog 10.1.1.1:2055 10.1.1.2:2055//r 10.1.1.3:2055//r\fR + +.SH BUGS +.B Slow interfaces and slow collectors. +.br +There are may be problems with slow interfaces and slow collectors. It +effects as emitted packets loss. On the one hand silent non-blocking +sendto() implementation can't guarantee that packet was really sent to +collector - it may be dropped by kernel due to outgoing buffer shortage +(slow interface's problem) and on the other hand packet may be dropped +on collector's machine due the similar reason - incoming buffer shortage +(slow collector's problem). +.br +Use \fI-t\fR option as workaround for this issue. + +.B Locally originated packets and their timestamps. +.br +Locally originated packets does not contains valid timestamps. Therefore +\fBfprobe-ulog\fR fill timestamp by itself on act of receive such +packet. Unfortunately, between capturing packet by netfilter code and +receiving it by \fBfprobe-ulog\fR may occur certain lags, thus +timestamps of locally originated packets generally inexact. +.br +It is possible to fix this problem entirely by trivial kernel patch (see +contrib/ipt_ULOG.patch). + +.SH SEE ALSO +.BR iptables(8) +.br +.BR http://freshmeat.net/projects/ulogd +.br +.BR http://www.cisco.com/go/netflow