fprobe(8)		    System Manager's Manual		     fprobe(8)

NAME
       fprobe - a NetFlow probe

SYNOPSIS
       fprobe [options] remote:port[/[local][/type]] ...

DESCRIPTION
       fprobe is a libpcap-based tool that collects network traffic data and
       emits it as NetFlow flows towards the specified collector.

OPTIONS
       -h     Display short help

       -p     Don't put	the interface into promiscuous mode.  Note  that  even
	      if  this	option	is used, the interface might be	in promiscuous
	      mode for some other reason.

       -i <interface>
              Listen on interface. If unspecified, fprobe will use the result
              of the pcap_lookupdev() function. On Linux systems with 2.2 or
              later kernels, an interface argument of `any' can be used to
              capture packets from all interfaces. Note that captures on the
              `any' device will not be done in promiscuous mode.
              You may use `-' as the interface name to process capture files
              produced by tcpdump with the -w flag; fprobe will then read the
              data from stdin.

       -f <expression>
              The filter expression selects which packets will be captured.
              If no expression is given, all packets on the net will be
              captured. Otherwise, only packets for which the expression is
              `true' will be captured.
              fprobe uses a simplistic IP-packet detection method, so it is a
              bad idea to leave the filter empty. For general use, `ip' (-fip)
              is a good filter expression.
              Read the tcpdump manual for the detailed expression syntax.

       -s <seconds>
              How often to scan for expired flows. [default=5]

       -g <seconds>
	      Fragmented flow lifetime.	[default=30]

       -d <seconds>
	      Idle flow	lifetime (inactive timer). [default=60]

       -e <seconds>
	      Active flow lifetime (active timer). [default=300]
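
       How the -s, -d and -e timers interact, as an added example that is not
       part of fprobe's source: a small Python model of a flow cache that is
       scanned every SCAN_INTERVAL seconds and exports flows on the inactive
       or active timer. The flow key layout, the sample packets and all names
       are assumptions.

```python
from dataclasses import dataclass

SCAN_INTERVAL = 5      # -s: how often to look for expired flows
INACTIVE_TIMEOUT = 60  # -d: idle flow lifetime
ACTIVE_TIMEOUT = 300   # -e: active flow lifetime

@dataclass
class Flow:
    key: tuple    # assumed key layout: (src, dst, proto, sport, dport)
    first: float  # time of the first packet
    last: float   # time of the most recent packet
    packets: int = 0
    octets: int = 0

class FlowCache:
    def __init__(self, inactive=INACTIVE_TIMEOUT, active=ACTIVE_TIMEOUT):
        self.inactive, self.active, self.flows = inactive, active, {}

    def packet(self, key, now, length):
        f = self.flows.get(key)
        if f is None:
            f = self.flows[key] = Flow(key, now, now)
        f.last, f.packets, f.octets = now, f.packets + 1, f.octets + length

    def scan(self, now):
        """Expire a flow once it has been idle for `inactive` seconds (-d), or
        once it has existed for `active` seconds even if still busy (-e)."""
        expired = [k for k, f in self.flows.items()
                   if now - f.last >= self.inactive or now - f.first >= self.active]
        return [self.flows.pop(k) for k in expired]

def simulate(packets, scan_interval=SCAN_INTERVAL, **timers):
    """packets: (time, key, length) tuples.  Returns the exported flows as
    (scan_time, flow) pairs plus the cache holding the flows still open."""
    cache, exported, next_scan = FlowCache(**timers), [], scan_interval
    for t, key, length in sorted(packets):
        while next_scan <= t:              # run every scan that is due before this packet
            exported += [(next_scan, f) for f in cache.scan(next_scan)]
            next_scan += scan_interval
        cache.packet(key, t, length)
    return exported, cache

# Constructed sample: flow A sends three packets and goes quiet; flow B keeps
# sending every 10 s for 400 s and so is cut by the active timer at 300 s.
A = ("10.1.1.10", "10.2.2.20", 6, 40000, 80)
B = ("10.1.1.11", "10.2.2.21", 6, 40001, 443)
SAMPLE = [(0, A, 100), (1, A, 100), (2, A, 100)] + [(t, B, 60) for t in range(0, 401, 10)]
```

       With the defaults, flow A is exported at the 65 s scan (first scan
       after 60 s of silence) and flow B is exported at the 300 s scan even
       though it is still sending, after which its later packets start a new
       flow record.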

       -n <version>
	      NetFlow version for use (1, 5, 7). [default=5]

       -a <address>
              Use address as the source address of the emitted NetFlow flows.

       -x <inputID>[:<outputID>]
              Workaround for SNMP interface indexes. [default=0]
              The second parameter may be omitted; in this case its value
              will be equal to the first.
              See the BUGS section.

       -b <flows>
              Memory bulk size. [default=200 or 10000]
              Note that the maximum and default values depend on compile
              options (the --with-membulk parameter).

       -m <kilobytes>
              Memory limit for the flows cache (0=no limit). [default=0]

       -q <flows>
              Pending queue length. [default=100]
              Each captured packet is first put into a special buffer called
              the `pending queue'. The purpose of this buffer is to separate
              the most time-critical thread, packet capture, from the others.

       -B <kilobytes>
              Kernel capture buffer size (0=don't change). [default=0]
              Increasing the kernel capture buffer size is the most adequate
              way to prevent packet loss. Unfortunately, at present there is
              no straightforward way to set the buffer size through libpcap,
              so this option is a hack. Moreover, this hack currently takes
              effect only on socket()-based capture mechanisms: it works on
              Linux and does not work on BSD systems with their bpf().
              Note that the maximum allowed size of the buffer on Linux is
              limited and generally relatively small, so you may need to
              raise the maximum: sysctl -w net/core/rmem_max=4194304

       -r <priority>
              Real-time priority (0=disabled). [default=0]
              If the parameter is greater than zero, fprobe will use a
              real-time scheduling policy to prevent packet loss. Note that
              the possible values for this option depend on the operating
              system.

       -t <B:N>
              Emitting rate limit (0:0=no limit). [default=0:0]
              Produce an N nanosecond delay after each B bytes sent. This
              option may be useful with slow interfaces and slow collectors.
              Note that the suspension time may be longer than requested
              because the argument value is rounded up to an integer multiple
              of the sleep resolution (which depends on the operating system
              and hardware) or because of the scheduling of other activity by
              the system.
              See the BUGS section.

       -S <bytes>
              Snaplen (0=whole packet). [default=256]
              Number of bytes to capture from each packet on the wire.

       -K <bytes>
              Link layer header size. By default fprobe takes this
              information from libpcap, but sometimes the obtained size is
              unsuitable for our purpose. This occurs, for example, on trunk
              interfaces in a VLAN environment, where the link layer header
              contains an additional VLAN header.
              See the EXAMPLES section.

       -k     Don't exclude the link layer header from the packet size. By
              default fprobe counts only the IP part of the packet.

       -c <directory>
	      Directory	to chroot to.

       -u <user>
	      User to run as.

       -v <level>
	      Maximum  displayed  log level. (0=EMERG, 1=ALERT,	2=CRIT,	3=ERR,
	      4=WARNING, 5=NOTICE, 6=INFO, 7=DEBUG) [default=6]

       -l <[dst][:id]>
              Log destination (0=none, 1=syslog, 2=stdout, 3=both) and
              log/pidfile identifier. [default=1]
              This option allows selecting the appropriate log destination
              and a process identifier. The identifier helps to distinguish
              the pidfile and logs of one fprobe process from those of
              another.
              Note that if the log destination includes `stdout' (equal to 2
              or 3) fprobe will run in the foreground.

       remote:port/local/type
              The remote and port parameters define the address and port of
              the NetFlow collector, respectively.
              The local parameter allows binding a certain local IP address
              to the specified collector. If the parameter is omitted, the
              value (if any) of the -a option will be used.
              The type parameter determines the emitting behavior. It may be
              `m' for mirroring (the default) or `r' for round-robin rotation
              between collectors.
              You may specify multiple collectors.

EXAMPLES
       Trivial capturing of web traffic:
       fprobe -ippp0 -f"tcp&&port 80" localhost:2055

       Capturing from a trunk interface:
       fprobe -ieth0 -f"vlan&&ip" -K18 localhost:2055

       A reasonable configuration to run under heavy load:
       fprobe -fip -B4096 -r2 -q10000 -t10000:10000000 localhost:2055

       Send packets to the collector at 10.1.1.1:2055 and distribute them
       between the collectors at 10.1.1.2:2055 and 10.1.1.3:2055 on a
       round-robin basis:
       fprobe 10.1.1.1:2055 10.1.1.2:2055//r 10.1.1.3:2055//r
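
       The collector argument syntax remote:port[/[local][/type]] and the
       `m'/`r' dispatch behaviour used in the last example, as an added
       Python example that is not fprobe's own code. The Collector and
       Emitter names, the default_local stand-in for the -a value and the
       sample specs are assumptions; the code only decides destinations and
       sends nothing.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Collector:
    remote: str
    port: int
    local: Optional[str]  # bind address; None means none given and no -a value
    rotate: bool          # False = 'm' mirroring (default), True = 'r' round-robin

def parse_collector(spec, default_local=None):
    """Parse one remote:port[/[local][/type]] argument; default_local is the -a value."""
    parts = spec.split("/")
    if len(parts) > 3:
        raise ValueError(f"too many '/' fields in {spec!r}")
    host, _, port = parts[0].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"expected remote:port in {spec!r}")
    local = parts[1] if len(parts) > 1 and parts[1] else default_local
    kind = parts[2] if len(parts) > 2 and parts[2] else "m"   # empty field = default 'm'
    if kind not in ("m", "r"):
        raise ValueError(f"type must be 'm' or 'r' in {spec!r}")
    return Collector(host, int(port), local, kind == "r")

class Emitter:
    """Decides where each NetFlow datagram goes: every 'm' collector gets a
    copy, and the 'r' collectors take turns receiving exactly one copy."""
    def __init__(self, specs, default_local=None):
        cols = [parse_collector(s, default_local) for s in specs]
        self.mirror = [c for c in cols if not c.rotate]
        self.rotating = [c for c in cols if c.rotate]
        self._turn = 0

    def targets(self):
        """Return the collectors that receive the next datagram."""
        chosen = list(self.mirror)
        if self.rotating:
            chosen.append(self.rotating[self._turn % len(self.rotating)])
            self._turn += 1
        return chosen

def dispatch_plan(specs, n, default_local=None):
    """Destinations of the first n datagrams, as lists of 'remote:port' strings."""
    em = Emitter(specs, default_local)
    return [[f"{c.remote}:{c.port}" for c in em.targets()] for _ in range(n)]

# Constructed sample: the collector list from the last example above.
SAMPLE_SPECS = ["10.1.1.1:2055", "10.1.1.2:2055//r", "10.1.1.3:2055//r"]
```

       For SAMPLE_SPECS every datagram reaches 10.1.1.1 while 10.1.1.2 and
       10.1.1.3 alternate, which is the distribution the example command
       describes.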

BUGS
       SNMP interface indexes and packet direction.
       Unfortunately libpcap does not provide any routing-related information
       about a captured packet, therefore there is no straightforward way to
       determine and distinguish input and output interfaces. However, the -x
       option can at least tell that a flow passed through a certain
       interface. Also, you may launch several instances of the program with
       a tricky set of filters to mark out each possible packet direction:
       fprobe -x1:2 -ieth1 -f"ip&&dst net 10.2"	localhost:2055
       fprobe -x2:1 -ieth2 -f"ip&&dst net 10.1"	localhost:2055

       Slow interfaces and slow collectors.
       There may be problems with slow interfaces and slow collectors; they
       show up as loss of emitted packets. On the one hand, the silent
       non-blocking sendto() implementation can't guarantee that a packet
       was really sent to the collector: it may be dropped by the kernel due
       to an outgoing buffer shortage (the slow interface's problem). On the
       other hand, a packet may be dropped on the collector's machine for a
       similar reason, an incoming buffer shortage (the slow collector's
       problem).
       Use the -t option as a workaround for this issue.

SEE ALSO
       tcpdump(1), pcap(3)
       http://www.cisco.com/go/netflow

fprobe 1.1			  2005-01-29			     fprobe(8)
