X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=trunk%2Fsrc%2Ffprobe-ulog.8;fp=trunk%2Fsrc%2Ffprobe-ulog.8;h=0000000000000000000000000000000000000000;hb=4a2a65ece88edbfdfda338e263370f292e311228;hp=8d8aa8d74ad100ebf28df33041c6f979d376ee34;hpb=85718e4dcaf5f34496f629e45a47ec91145c6f9e;p=iptables.git diff --git a/trunk/src/fprobe-ulog.8 b/trunk/src/fprobe-ulog.8 deleted file mode 100644 index 8d8aa8d..0000000 --- a/trunk/src/fprobe-ulog.8 +++ /dev/null @@ -1,176 +0,0 @@ -.TH fprobe-ulog 8 "2005-01-29" "fprobe-ulog 1.1" - -.SH NAME -fprobe-ulog \- a NetFlow probe - -.SH SYNOPSIS -.BI fprobe-ulog -[\fIoptions\fR] \fIremote:port[/[local][/type]] ...\fR - -.SH DESCRIPTION -.B fprobe-ulog -\- libipulog-based tool that collect network traffic data and emit it as -NetFlow flows towards the specified collector. - -.SH OPTIONS -.TP -.B -h -Display short help -.TP -.B -U \fI\fR -ULOG group bitwise mask. [default=1] -.TP -.B -s \fI\fR -How often scan for expired flows. [default=5] -.TP -.B -g \fI\fR -Fragmented flow lifetime. [default=30] -.TP -.B -d \fI\fR -Idle flow lifetime (inactive timer). [default=60] -.TP -.B -e \fI\fR -Active flow lifetime (active timer). [default=300] -.TP -.B -n \fI\fR -NetFlow version for use (1, 5, 7). [default=5] -.TP -.B -a \fI
\fR -Use \fIaddress\fR as source for NetFlow flow. -.TP -.B -X \fI\fR -Comma separated list of interface name to SNMP-index conversion rules. -Each \fIrule\fR consists of \fIinterface base name\fR and \fISNMP-index -base\fR separated by colon (e.g. ppp:200). Final SNMP-index is sum of -corresponding \fISNMP-index base\fR and \fIinterface number\fR. -.br -In the above example SNMP-index of interface ppp11 is 211. -.br - -If interface name did not fit to any of conversion rules then SNMP-index -will be taken from kernel. -.TP -.B -M -Use the netfilter mark as Type Of Service value. -.TP -.B -b \fI\fR -Memory bulk size. [default=200 or 10000] -.br -Note that maximum and default values depends on compiling options -(\fI--with-membulk\fR parameter). -.TP -.B -m \fI\fR -Memory limit for flows cache (0=no limit). [default=0] -.TP -.B -q \fI\fR -Pending queue length. [default=100] -.br -Each captured packet at first puts into special buffer called `pending -queue'. Purpose of this buffer is to separate most time-critical packet -capture thread from other. -.TP -.B -B \fI\fR -Kernel capture buffer size (0=don't change). [default=0] -.br -Increase kernel capture buffer size is most adequate way to prevent -packets loss. -.br -Note that maximum allowed size of the buffer in Linux limited and -generally relatively small, so it should need to change the maximum: -sysctl -w net/core/rmem_max=4194304 -.TP -.B -r \fI\fR -Real-time priority (0=disabled). [default=0] -.br -If parameter greater then zero \fBfprobe-ulog\fR will use real-time scheduling -policy to prevent packets loss. Note that possible values for this -option depends on operating system. -.TP -.B -t \fI\fR -Emitting rate limit (0:0=no limit). [default=0:0] -.br -Produce \fIN\fR nanosecond delay after each \fIB\fR bytes sent. This -option may be useful with slow interfaces and slow collectors. 
Note that -the suspension time may be longer than requested because the argument -value is rounded up to an integer multiple of the sleep resolution (it -depends on operating system and hardware) or because of the scheduling -of other activity by the system. -.br -See BUGS section. -.TP -.B -c \fI\fR -Directory to chroot to. -.TP -.B -u \fI\fR -User to run as. -.TP -.B -v \fI\fR -Maximum displayed log level. (0=EMERG, 1=ALERT, 2=CRIT, 3=ERR, 4=WARNING, -5=NOTICE, 6=INFO, 7=DEBUG) [default=6] -.TP -.B -l \fI<[dst][:id]>\fR -Log destination (0=none, 1=syslog, 2=stdout, 3=both) and log/pidfile -identifier. [default=1] -.br -This option allows to select opportune log destination and process -identifier. The identifier helps to distinguish pidfile and logs of one -\fBfprobe-ulog\fR process from other. -.br -Note that if log destination contains `\fIstdout\fR' (equal 2 or 3) -\fBfprobe-ulog\fR will run in foreground. -.TP -.B remote:port/local/type -Parameters \fIremote\fR and \fIport\fR are respectively define address -and port of the NetFlow collector. -.br -The \fIlocal\fR parameter allows binding certain local IP address with -specified collector. If the parameter is omitted the value (if any) of -\fI-a\fR option will be used. -.br -The \fItype\fR parameter determines emitting behavior. It may be `m' for -mirroring (by default) and `r' for collectors round-robin rotating. -.br -You may specify multiple collectors. - -.SH EXAMPLES -\fBfprobe-ulog -Xeth:100,ppp:200 localhost:2055\fR - -Reasonable configuration to run under heavy load: -.br -\fBfprobe-ulog -B4096 -r2 -q10000 -t10000:10000000 localhost:2055\fR - -Send packets to collector at 10.1.1.1:2055 and distribute them between -collectors at 10.1.1.2:2055 and at 10.1.1.3:2055 on a round-robin basis: -.br -\fBfprobe-ulog 10.1.1.1:2055 10.1.1.2:2055//r 10.1.1.3:2055//r\fR - -.SH BUGS -.B Slow interfaces and slow collectors. -.br -There are may be problems with slow interfaces and slow collectors. 
It -effects as emitted packets loss. On the one hand silent non-blocking -sendto() implementation can't guarantee that packet was really sent to -collector - it may be dropped by kernel due to outgoing buffer shortage -(slow interface's problem) and on the other hand packet may be dropped -on collector's machine due the similar reason - incoming buffer shortage -(slow collector's problem). -.br -Use \fI-t\fR option as workaround for this issue. - -.B Locally originated packets and their timestamps. -.br -Locally originated packets does not contains valid timestamps. Therefore -\fBfprobe-ulog\fR fill timestamp by itself on act of receive such -packet. Unfortunately, between capturing packet by netfilter code and -receiving it by \fBfprobe-ulog\fR may occur certain lags, thus -timestamps of locally originated packets generally inexact. -.br -It is possible to fix this problem entirely by trivial kernel patch (see -contrib/ipt_ULOG.patch). - -.SH SEE ALSO -.BR iptables(8) -.br -.BR http://freshmeat.net/projects/ulogd -.br -.BR http://www.cisco.com/go/netflow
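Review bot: the single hunk (@@ -1,176 +0,0) deletes trunk/src/fprobe-ulog.8 in full, and nothing visible in this diff shows the fprobe-ulog program being removed with it or the page being moved elsewhere. If the binary still ships, operators lose the only description of the -c (directory to chroot to) and -u (user to run as) options, which they need to run the probe with reduced privileges. They also lose the BUGS notes on emitted packets being dropped silently behind the non-blocking sendto() and on inexact timestamps for locally originated packets, both of which affect how far the exported flow data can be trusted. Suggest removing the page in the same commit as the program and stating that in the commit message, or keeping the page until the program itself goes.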