mlfever / planetlab-lxc-fprobe-ulog Goto Github PK

First of all sorry for my clumsy English.

General information:
====================

fprobe-ulog: a NetFlow probe - libipulog-based tool that collect network
traffic data and emit it as NetFlow flows towards the specified
collector.

URL: http://fprobe.sourceforge.net

Compiling and installing:
=========================

Read INSTALL file for basic installation instructions. Below I'll try to
describe advanced compilation options.

--with-membulk=MODE     indexing mode: index8|index16|ptr [default=ptr]
This option concerns to memory management and defines indexing mode and
maximum memory bulk size. I only shall tell, that the `index8' is most
frugal mode, `ptr' - fastest and `index16' somewhere in the middle.

--with-hash=TYPE        hash type: xor8|xor16|crc16 [default=xor16]
fprobe-ulog use hashing to speedup flows cache searching. This option
specifies the hash type. `xor8' is very frugal with memory - it uses
only 1KB (on 32-bit systems) for hash structure while `xor16' and
`crc16' - 256KB. But, on the other hand, bigger hash gives better
performance.
Hash functions xor8 and xor16 faster then crc16, but they are vulnerable
to a DoS attack, as described in "Denial of Service via Algorithmic
Complexity Attacks" by Scott A Crosby and Dan S Wallach:
http://www.cs.rice.edu/~scrosby/hash

--enable-uptime_trick   enable uptime trick [default=yes]
Maybe later...

--enable-icmp_trick     enable icmp trick: yes|cisco|no [default=yes]
If this option set to "yes" fprobe-ulog will store ICMP type and code in
srcport and dstport NetFlow fields.
If this option set to "cisco" only dstport field will used (ICMP type is
the higher eight bits and ICMP code is the lower eight bits). This
storing method used in some Cisco NetFlow implementations.

--enable-debug          enable debugging [default=no]
You may select different events for debugging: (C)apture, (U)npending,
(S)can, (E)mit, (M)emory, (F)ill and (I)nfo. Most interesting (for end
user) from above is Info debugging - you may get general statistic about
captured packets, emitted flows, allocated memory, using kill -s USR1.
Don't forget to run fprobe-ulog with `-v7' otherwise you'll not see
debugging output.
Example:
--enable-debug (enable all events debugging)
--enable-debug=I,C,U,E (enable Info, Capture, Unpending and Emit debugging)

Brief explanation of Info debug messages:
I: received:[total packets]/[fragmented] ([total size])
   pending:[now in queue]/[maximum]
I: ignored:[non-IP] lost:[pending queue full]+[no memory for caching]
I: cache:[flows]/[fragmented] emit:[sent datagrams]/[sent flows]/[flows
   in emit queue]
I: memory:[allocated flows]/[free] ([allocated memory in bytes])

--enable-messages       enable runtime messages [default=no]
This option enables non-fatal runtime errors reporting. Be carefull - it
may flood your syslog.

--with-piddir=DIR       pidfiles location [default=/var/run]
Directory to store pidfiles.

Useful links:
=============

nProbe - NetFlow probe by Luca Deri:
http://www.ntop.org/nProbe.html

fprobe (namesake of mine project) - NetFlow probe by Bogdan Surdu:
http://psi.home.ro/flow

Softflowd - traffic analyzer capable of Cisco NetFlow data export:
http://www.mindrot.org/softflowd.html

Cisco's NetFlow links:
http://www.cisco.com/go/netflow

Excellent links collection about Network Monitoring and Analysis:
http://www.switch.ch/tf-tant/floma

Contacts:
=========

Feel free to send any questions, comments, bug reports etc.
Contributions are welcome, including cosmetic fixes and pointing out
usability problems.

Sincerely yours,
Slava Astashonok <[email protected]>