fprobe.1
.TH fprobe 1 "2003-10-30" "fprobe 1.0.2"
.SH NAME
fprobe \- a NetFlow probe
.SH SYNOPSIS
.BI fprobe
[\fIoptions\fR] \fIhost:port\fR
.SH DESCRIPTION
.B fprobe
\- libpcap-based tool that collects network traffic data and emits it as
NetFlow flows towards the specified collector.
.SH OPTIONS
.TP
.B -h
Display short help.
.TP
.B -p
\fIDon't\fR put the interface into promiscuous mode. Note that even if
this option is used, the interface might be in promiscuous mode for some
other reason.
.TP
.B -i \fI<interface>\fR
Listen on \fIinterface\fR. If unspecified, \fBfprobe\fR will use the result
of the pcap_lookupdev() function. On Linux systems with 2.2 or later
kernels, an \fIinterface\fR argument of `\fIany\fR' can be used to
capture packets from all interfaces. Note that captures on the
`\fIany\fR' device will not be done in promiscuous mode.
.TP
.B -f \fI<expression>\fR
Filter \fIexpression\fR selects which packets will be captured. If no
\fIexpression\fR is given, all packets on the net will be captured.
Otherwise, only packets for which \fIexpression\fR is `true' will be
captured.
.br
\fBfprobe\fR uses a simplistic IP-packet detection method, so it is a bad idea
to leave the filter empty. For general use `ip' (-fip) is a good filter
expression.
.br
Read
.BR tcpdump (1)
for detailed \fIexpression\fR syntax.
.TP
.B -s \fI<seconds>\fR
How often to scan for expired flows. [default=5]
.TP
.B -g \fI<seconds>\fR
Fragmented flow lifetime. [default=30]
.TP
.B -d \fI<seconds>\fR
Idle flow lifetime (inactive timer). [default=60]
.TP
.B -e \fI<seconds>\fR
Active flow lifetime (active timer). [default=300]
.TP
.B -n \fI<version>\fR
NetFlow version to use (1, 5, 7). [default=5]
.TP
.B -a \fI<address>\fR
Use \fIaddress\fR as the source address of the NetFlow export packets.
.TP
.B -x \fI<inputID>[:<outputID>]\fR
Workaround for SNMP interface indexes. [default=0]
.br
The second parameter may be omitted - in this case its value will be
equal to the first.
.br
See BUGS section.
.TP
.B -b \fI<flows>\fR
Memory bulk size. [default=200 or 10000]
.br
Note that the maximum and default values depend on compile options
(\fI--with-membulk\fR parameter).
.TP
.B -m \fI<kilobytes>\fR
Memory limit (0=no limit). [default=0]
.TP
.B -q \fI<flows>\fR
Pending queue length. [default=100]
.br
Each captured packet is first put into a special buffer called the `pending
queue'. The purpose of this buffer is to separate the most time-critical packet
capture thread from the others.
.TP
.B -r \fI<priority>\fR
Real-time priority (0=disabled). [default=0]
.br
If the parameter is greater than zero, \fBfprobe\fR will use a real-time scheduling
policy to prevent packet loss. Note that the possible values for this
option depend on the operating system.
.TP
.B -t \fI<B:N>\fR
Emitting rate limit (0:0=no limit). [default=0:0]
.br
Produce an \fIN\fR nanosecond delay after each \fIB\fR bytes sent. This
option may be useful with slow interfaces and slow collectors. Note that
the suspension time may be longer than requested because the argument
value is rounded up to an integer multiple of the sleep resolution (which
depends on operating system and hardware) or because of the scheduling
of other activity by the system.
.br
See BUGS section.
.TP
.B -K \fI<bytes>\fR
Link layer header size. By default \fBfprobe\fR takes this information
from libpcap, but sometimes the obtained size is unsuitable for our purpose. This
occurs, for example, on trunk interfaces in a VLAN environment, where the link
layer header contains an additional VLAN header.
.TP
.B -k
Don't exclude the link layer header from the packet size. By default
\fBfprobe\fR counts only the IP part of the packet.
.TP
.B -v \fI<level>\fR
Maximum log level. (0=EMERG, 1=ALERT, 2=CRIT, 3=ERR, 4=WARNING,
5=NOTICE, 6=INFO, 7=DEBUG) [default=6]
.TP
.B -l \fI<dest>\fR
Log destination. (0=none, 1=syslog, 2=stdout, 3=both) [default=1]
.br
Note that if the log destination includes `\fIstdout\fR' (2 or 3),
\fBfprobe\fR will run in the foreground.
.TP
.B host:port
Address of the NetFlow collector.
.SH EXAMPLES
Trivial capturing of web traffic:
.br
fprobe -ippp0 -f"tcp&&port 80" localhost:2055
.br
Capturing from a trunk interface:
.br
fprobe -ieth0 -f"vlan&&ip" -K18 localhost:2055
.br
Reasonable configuration to run under heavy load:
.br
fprobe -fip -r2 -q10000 -t10000:10000000 localhost:2055
.SH BUGS
.B SNMP interface indexes and packet direction.
.br
Unfortunately libpcap does not provide any routing-related information
about a captured packet, therefore there is no straightforward way to determine
and distinguish input and output interfaces. However, the \fI-x\fR option at
least can tell that the flow passed through a certain interface. Also
you may launch several instances of the program with a tricky set of
filters to mark out each possible packet direction:
.br
fprobe -x1:2 -ieth1 -f"ip&&dst net 10.2" localhost:2055
.br
fprobe -x2:1 -ieth2 -f"ip&&dst net 10.1" localhost:2055
.PP
.B Slow interfaces and slow collectors.
.br
There may be problems with slow interfaces and slow collectors. This
shows up as loss of emitted packets. On the one hand, the silent non-blocking
sendto() implementation can't guarantee that a packet was really sent to the
collector - it may be dropped by the kernel due to outgoing buffer shortage
(the slow interface's problem), and on the other hand the packet may be dropped
on the collector's machine for a similar reason - incoming buffer shortage
(the slow collector's problem). Use the \fI-t\fR option as a workaround for this
issue.
.SH SEE ALSO
.BR tcpdump (1)
.BR pcap (3)
.br
.BR http://www.cisco.com/go/netflow
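The OPTIONS and BUGS sections above describe several settings (-x for the input/output SNMP ifIndex values, -k/-K for how bytes are counted, -a for the export source address) whose only observable effect is in the NetFlow v5 datagrams that reach host:port. The following is an added example, not code from fprobe or its author: a minimal NetFlow v5 decoder plus a UDP collector loop, so the exporter's output can be checked on the collector side. It hard-codes the standard NetFlow v5 layout (24-byte header, 48-byte records, network byte order); the sample datagram, the 10.x addresses and ifIndex values 1:2 are constructed here to mirror the `fprobe -x1:2` example in BUGS and are not captured data. Because the collector listens on a UDP socket, it validates the datagram length against the header's record count before decoding rather than trusting the count field.

```python
"""Minimal NetFlow v5 decoder/collector for checking what fprobe exports.

Added example (not part of fprobe). Decodes the fixed NetFlow v5 layout that
fprobe emits with -n5 (the default) so the effect of -x (input/output ifIndex),
-k/-K (octet counts) and -a (export source address) can be verified.
"""
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output,
# dPkts, dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
# src_as, dst_as, src_mask, dst_mask, pad2.
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30  # Cisco's v5 export format caps a datagram at 30 records


def parse_netflow_v5(datagram: bytes) -> List[Dict]:
    """Return one dict per flow record; raise ValueError on malformed input.

    The length is checked against the header's count before any record is
    read, so a short or padded datagram from the network cannot cause a
    misread instead of a clean rejection.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, _uptime, _secs, _nsecs, flow_seq,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header count does not match datagram length")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nexthop, inp, outp, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "seq": flow_seq + i,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop),
            "input": inp, "output": outp,        # SNMP ifIndex fields, set by fprobe -x
            "packets": pkts, "octets": octets,   # octet count reflects -k / -K
            "first_ms": first, "last_ms": last,  # sys_uptime milliseconds
            "sport": sport, "dport": dport,
            "tcp_flags": flags, "proto": proto, "tos": tos,
            "src_as": src_as, "dst_as": dst_as,
        })
    return flows


def build_v5_datagram(records: List[Tuple], seq: int = 0,
                      uptime_ms: int = 60000, unix_secs: int = 1067472000) -> bytes:
    """Encode records (tuples in V5_RECORD field order) into one v5 datagram.

    Used here only to construct test input; fprobe does this on its side.
    """
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + b"".join(V5_RECORD.pack(*r) for r in records)


# Constructed sample: one TCP flow 10.1.0.5:51234 -> 10.2.0.9:80 as an
# instance of `fprobe -x1:2` would tag it (input=1, output=2).
SAMPLE_RECORD = (
    socket.inet_aton("10.1.0.5"), socket.inet_aton("10.2.0.9"),
    socket.inet_aton("0.0.0.0"),
    1, 2,            # input, output ifIndex (from -x1:2)
    12, 9876,        # dPkts, dOctets
    1000, 6000,      # first, last (ms of sys_uptime)
    51234, 80,       # srcport, dstport
    0, 0x18, 6, 0,   # pad1, tcp_flags (PSH|ACK), prot (TCP), tos
    0, 0, 0, 0, 0,   # src_as, dst_as, src_mask, dst_mask, pad2
)
SAMPLE_DATAGRAM = build_v5_datagram([SAMPLE_RECORD], seq=17)


def collect(bind_addr: str = "0.0.0.0", port: int = 2055,
            max_datagrams: int = 1) -> List[Dict]:
    """Receive NetFlow v5 from fprobe on host:port and decode it.

    The UDP source address of each datagram is kept as "exporter", which is
    what fprobe -a changes; malformed datagrams are skipped, not fatal.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    out: List[Dict] = []
    try:
        for _ in range(max_datagrams):
            data, (exporter, _port) = sock.recvfrom(65535)
            try:
                flows = parse_netflow_v5(data)
            except ValueError as err:
                print(f"dropping datagram from {exporter}: {err}")
                continue
            for flow in flows:
                flow["exporter"] = exporter
                out.append(flow)
    finally:
        sock.close()
    return out


if __name__ == "__main__":
    # Run alongside `fprobe -fip -x1:2 localhost:2055` and compare fields.
    for flow in collect():
        print(flow)
```

Run the script on the collector host while fprobe exports to its port; each printed flow shows the input/output values chosen with -x, the octet count that -k/-K alters, and the exporter address that -a sets. The length check matters because the collector binds a UDP port that anyone on the network path can send to.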