--- /dev/null
+.TH fprobe-ulog 8 "2005-01-29" "fprobe-ulog 1.1"
+
+.SH NAME
+fprobe-ulog \- a NetFlow probe
+
+.SH SYNOPSIS
+.BI fprobe-ulog
+[\fIoptions\fR] \fIremote:port[/[local][/type]] ...\fR
+
+.SH DESCRIPTION
+.B fprobe-ulog
+\- libipulog-based tool that collect network traffic data and emit it as
+NetFlow flows towards the specified collector.
+
+.SH OPTIONS
+.TP
+.B -h
+Display short help
+.TP
+.B -U \fI<mask>\fR
+ULOG group bitwise mask. [default=1]
+.TP
+.B -s \fI<seconds>\fR
+How often scan for expired flows. [default=5]
+.TP
+.B -g \fI<seconds>\fR
+Fragmented flow lifetime. [default=30]
+.TP
+.B -d \fI<seconds>\fR
+Idle flow lifetime (inactive timer). [default=60]
+.TP
+.B -e \fI<seconds>\fR
+Active flow lifetime (active timer). [default=300]
+.TP
+.B -n \fI<version>\fR
+NetFlow version for use (1, 5, 7). [default=5]
+.TP
+.B -a \fI<address>\fR
+Use \fIaddress\fR as source for NetFlow flow.
+.TP
+.B -X \fI<rule[,...]>\fR
+Comma separated list of interface name to SNMP-index conversion rules.
+Each \fIrule\fR consists of \fIinterface base name\fR and \fISNMP-index
+base\fR separated by colon (e.g. ppp:200). Final SNMP-index is sum of
+corresponding \fISNMP-index base\fR and \fIinterface number\fR.
+.br
+In the above example SNMP-index of interface ppp11 is 211.
+.br
+
+If interface name did not fit to any of conversion rules then SNMP-index
+will be taken from kernel.
+.TP
+.B -M
+Use the netfilter mark as Type Of Service value.
+.TP
+.B -b \fI<flows>\fR
+Memory bulk size. [default=200 or 10000]
+.br
+Note that maximum and default values depends on compiling options
+(\fI--with-membulk\fR parameter).
+.TP
+.B -m \fI<kilobytes>\fR
+Memory limit for flows cache (0=no limit). [default=0]
+.TP
+.B -q \fI<flows>\fR
+Pending queue length. [default=100]
+.br
+Each captured packet at first puts into special buffer called `pending
+queue'. Purpose of this buffer is to separate most time-critical packet
+capture thread from other.
+.TP
+.B -B \fI<kilobytes>\fR
+Kernel capture buffer size (0=don't change). [default=0]
+.br
+Increase kernel capture buffer size is most adequate way to prevent
+packets loss.
+.br
+Note that maximum allowed size of the buffer in Linux limited and
+generally relatively small, so it should need to change the maximum:
+sysctl -w net/core/rmem_max=4194304
+.TP
+.B -r \fI<priority>\fR
+Real-time priority (0=disabled). [default=0]
+.br
+If parameter greater then zero \fBfprobe-ulog\fR will use real-time scheduling
+policy to prevent packets loss. Note that possible values for this
+option depends on operating system.
+.TP
+.B -t \fI<B:N>\fR
+Emitting rate limit (0:0=no limit). [default=0:0]
+.br
+Produce \fIN\fR nanosecond delay after each \fIB\fR bytes sent. This
+option may be useful with slow interfaces and slow collectors. Note that
+the suspension time may be longer than requested because the argument
+value is rounded up to an integer multiple of the sleep resolution (it
+depends on operating system and hardware) or because of the scheduling
+of other activity by the system.
+.br
+See BUGS section.
+.TP
+.B -c \fI<directory>\fR
+Directory to chroot to.
+.TP
+.B -u \fI<user>\fR
+User to run as.
+.TP
+.B -v \fI<level>\fR
+Maximum displayed log level. (0=EMERG, 1=ALERT, 2=CRIT, 3=ERR, 4=WARNING,
+5=NOTICE, 6=INFO, 7=DEBUG) [default=6]
+.TP
+.B -l \fI<[dst][:id]>\fR
+Log destination (0=none, 1=syslog, 2=stdout, 3=both) and log/pidfile
+identifier. [default=1]
+.br
+This option allows to select opportune log destination and process
+identifier. The identifier helps to distinguish pidfile and logs of one
+\fBfprobe-ulog\fR process from other.
+.br
+Note that if log destination contains `\fIstdout\fR' (equal 2 or 3)
+\fBfprobe-ulog\fR will run in foreground.
+.TP
+.B remote:port/local/type
+Parameters \fIremote\fR and \fIport\fR are respectively define address
+and port of the NetFlow collector.
+.br
+The \fIlocal\fR parameter allows binding certain local IP address with
+specified collector. If the parameter is omitted the value (if any) of
+\fI-a\fR option will be used.
+.br
+The \fItype\fR parameter determines emitting behavior. It may be `m' for
+mirroring (by default) and `r' for collectors round-robin rotating.
+.br
+You may specify multiple collectors.
+
+.SH EXAMPLES
+\fBfprobe-ulog -Xeth:100,ppp:200 localhost:2055\fR
+
+Reasonable configuration to run under heavy load:
+.br
+\fBfprobe-ulog -B4096 -r2 -q10000 -t10000:10000000 localhost:2055\fR
+
+Send packets to collector at 10.1.1.1:2055 and distribute them between
+collectors at 10.1.1.2:2055 and at 10.1.1.3:2055 on a round-robin basis:
+.br
+\fBfprobe-ulog 10.1.1.1:2055 10.1.1.2:2055//r 10.1.1.3:2055//r\fR
+
+.SH BUGS
+.B Slow interfaces and slow collectors.
+.br
+There are may be problems with slow interfaces and slow collectors. It
+effects as emitted packets loss. On the one hand silent non-blocking
+sendto() implementation can't guarantee that packet was really sent to
+collector - it may be dropped by kernel due to outgoing buffer shortage
+(slow interface's problem) and on the other hand packet may be dropped
+on collector's machine due the similar reason - incoming buffer shortage
+(slow collector's problem).
+.br
+Use \fI-t\fR option as workaround for this issue.
+
+.B Locally originated packets and their timestamps.
+.br
+Locally originated packets does not contains valid timestamps. Therefore
+\fBfprobe-ulog\fR fill timestamp by itself on act of receive such
+packet. Unfortunately, between capturing packet by netfilter code and
+receiving it by \fBfprobe-ulog\fR may occur certain lags, thus
+timestamps of locally originated packets generally inexact.
+.br
+It is possible to fix this problem entirely by trivial kernel patch (see
+contrib/ipt_ULOG.patch).
+
+.SH SEE ALSO
+.BR iptables(8)
+.br
+.BR http://freshmeat.net/projects/ulogd
+.br
+.BR http://www.cisco.com/go/netflow
git://git.onelab.eu / iptables.git / blobdiff