+++ /dev/null
-.TH fprobe-ulog 8 "2005-01-29" "fprobe-ulog 1.1"
-
-.SH NAME
-fprobe-ulog \- a NetFlow probe
-
-.SH SYNOPSIS
-.BI fprobe-ulog
-[\fIoptions\fR] \fIremote:port[/[local][/type]] ...\fR
-
-.SH DESCRIPTION
-.B fprobe-ulog
-\- libipulog-based tool that collect network traffic data and emit it as
-NetFlow flows towards the specified collector.
-
-.SH OPTIONS
-.TP
-.B -h
-Display short help
-.TP
-.B -U \fI<mask>\fR
-ULOG group bitwise mask. [default=1]
-.TP
-.B -s \fI<seconds>\fR
-How often scan for expired flows. [default=5]
-.TP
-.B -g \fI<seconds>\fR
-Fragmented flow lifetime. [default=30]
-.TP
-.B -d \fI<seconds>\fR
-Idle flow lifetime (inactive timer). [default=60]
-.TP
-.B -e \fI<seconds>\fR
-Active flow lifetime (active timer). [default=300]
-.TP
-.B -n \fI<version>\fR
-NetFlow version for use (1, 5, 7). [default=5]
-.TP
-.B -a \fI<address>\fR
-Use \fIaddress\fR as source for NetFlow flow.
-.TP
-.B -X \fI<rule[,...]>\fR
-Comma separated list of interface name to SNMP-index conversion rules.
-Each \fIrule\fR consists of \fIinterface base name\fR and \fISNMP-index
-base\fR separated by colon (e.g. ppp:200). Final SNMP-index is sum of
-corresponding \fISNMP-index base\fR and \fIinterface number\fR.
-.br
-In the above example SNMP-index of interface ppp11 is 211.
-.br
-
-If interface name did not fit to any of conversion rules then SNMP-index
-will be taken from kernel.
-.TP
-.B -M
-Use the netfilter mark as Type Of Service value.
-.TP
-.B -b \fI<flows>\fR
-Memory bulk size. [default=200 or 10000]
-.br
-Note that maximum and default values depends on compiling options
-(\fI--with-membulk\fR parameter).
-.TP
-.B -m \fI<kilobytes>\fR
-Memory limit for flows cache (0=no limit). [default=0]
-.TP
-.B -q \fI<flows>\fR
-Pending queue length. [default=100]
-.br
-Each captured packet at first puts into special buffer called `pending
-queue'. Purpose of this buffer is to separate most time-critical packet
-capture thread from other.
-.TP
-.B -B \fI<kilobytes>\fR
-Kernel capture buffer size (0=don't change). [default=0]
-.br
-Increase kernel capture buffer size is most adequate way to prevent
-packets loss.
-.br
-Note that maximum allowed size of the buffer in Linux limited and
-generally relatively small, so it should need to change the maximum:
-sysctl -w net/core/rmem_max=4194304
-.TP
-.B -r \fI<priority>\fR
-Real-time priority (0=disabled). [default=0]
-.br
-If parameter greater then zero \fBfprobe-ulog\fR will use real-time scheduling
-policy to prevent packets loss. Note that possible values for this
-option depends on operating system.
-.TP
-.B -t \fI<B:N>\fR
-Emitting rate limit (0:0=no limit). [default=0:0]
-.br
-Produce \fIN\fR nanosecond delay after each \fIB\fR bytes sent. This
-option may be useful with slow interfaces and slow collectors. Note that
-the suspension time may be longer than requested because the argument
-value is rounded up to an integer multiple of the sleep resolution (it
-depends on operating system and hardware) or because of the scheduling
-of other activity by the system.
-.br
-See BUGS section.
-.TP
-.B -c \fI<directory>\fR
-Directory to chroot to.
-.TP
-.B -u \fI<user>\fR
-User to run as.
-.TP
-.B -v \fI<level>\fR
-Maximum displayed log level. (0=EMERG, 1=ALERT, 2=CRIT, 3=ERR, 4=WARNING,
-5=NOTICE, 6=INFO, 7=DEBUG) [default=6]
-.TP
-.B -l \fI<[dst][:id]>\fR
-Log destination (0=none, 1=syslog, 2=stdout, 3=both) and log/pidfile
-identifier. [default=1]
-.br
-This option allows to select opportune log destination and process
-identifier. The identifier helps to distinguish pidfile and logs of one
-\fBfprobe-ulog\fR process from other.
-.br
-Note that if log destination contains `\fIstdout\fR' (equal 2 or 3)
-\fBfprobe-ulog\fR will run in foreground.
-.TP
-.B remote:port/local/type
-Parameters \fIremote\fR and \fIport\fR are respectively define address
-and port of the NetFlow collector.
-.br
-The \fIlocal\fR parameter allows binding certain local IP address with
-specified collector. If the parameter is omitted the value (if any) of
-\fI-a\fR option will be used.
-.br
-The \fItype\fR parameter determines emitting behavior. It may be `m' for
-mirroring (by default) and `r' for collectors round-robin rotating.
-.br
-You may specify multiple collectors.
-
-.SH EXAMPLES
-\fBfprobe-ulog -Xeth:100,ppp:200 localhost:2055\fR
-
-Reasonable configuration to run under heavy load:
-.br
-\fBfprobe-ulog -B4096 -r2 -q10000 -t10000:10000000 localhost:2055\fR
-
-Send packets to collector at 10.1.1.1:2055 and distribute them between
-collectors at 10.1.1.2:2055 and at 10.1.1.3:2055 on a round-robin basis:
-.br
-\fBfprobe-ulog 10.1.1.1:2055 10.1.1.2:2055//r 10.1.1.3:2055//r\fR
-
-.SH BUGS
-.B Slow interfaces and slow collectors.
-.br
-There are may be problems with slow interfaces and slow collectors. It
-effects as emitted packets loss. On the one hand silent non-blocking
-sendto() implementation can't guarantee that packet was really sent to
-collector - it may be dropped by kernel due to outgoing buffer shortage
-(slow interface's problem) and on the other hand packet may be dropped
-on collector's machine due the similar reason - incoming buffer shortage
-(slow collector's problem).
-.br
-Use \fI-t\fR option as workaround for this issue.
-
-.B Locally originated packets and their timestamps.
-.br
-Locally originated packets does not contains valid timestamps. Therefore
-\fBfprobe-ulog\fR fill timestamp by itself on act of receive such
-packet. Unfortunately, between capturing packet by netfilter code and
-receiving it by \fBfprobe-ulog\fR may occur certain lags, thus
-timestamps of locally originated packets generally inexact.
-.br
-It is possible to fix this problem entirely by trivial kernel patch (see
-contrib/ipt_ULOG.patch).
-
-.SH SEE ALSO
-.BR iptables(8)
-.br
-.BR http://freshmeat.net/projects/ulogd
-.br
-.BR http://www.cisco.com/go/netflow
git://git.onelab.eu / iptables.git / blobdiff