Name            Date         Size       #Lines  LOC
..              03-May-2022  -          -       -
contrib/        30-Jan-2005  -          104     81
src/            03-May-2022  -          3,479   2,796
AUTHORS         12-Jan-2005  604        23      15
COPYING         30-Dec-2002  17.6 KiB   341     281
ChangeLog       30-Jan-2005  6.9 KiB    226     173
INSTALL         30-Dec-2002  7.6 KiB    183     143
Makefile.am     22-Sep-2004  98         5       3
Makefile.in     30-Jan-2005  18.1 KiB   581     507
NEWS            30-Dec-2002  31         2       1
README          29-Jan-2005  3.8 KiB    106     82
TODO            06-Jan-2004  26         3       2
aclocal.m4      29-Jan-2005  38.6 KiB   1,045   900
autogen.sh      07-Oct-2004  85         7       5
config.guess    30-Jan-2005  42.4 KiB   1,454   1,257
config.h.in     29-Jan-2005  2.3 KiB    113     75
config.sub      30-Jan-2005  30.7 KiB   1,567   1,426
configure       30-Jan-2005  208.9 KiB  7,261   6,126
configure.in    29-Jan-2005  5.4 KiB    245     205
fprobe.spec     29-Jan-2005  706        35      28
install-sh      20-Jan-2004  5.5 KiB    252     153
missing         19-Sep-2004  10.3 KiB   354     266
mkinstalldirs   02-Feb-2004  725        41      23
version         29-Jan-2005  4          2       1

README

First of all, sorry for my clumsy English.

General information:
====================

fprobe: a NetFlow probe - a libpcap-based tool that collects network
traffic data and emits it as NetFlow flows towards the specified
collector.

URL: http://fprobe.sourceforge.net

Compiling and installing:
=========================

Read the INSTALL file for basic installation instructions. Below I'll try
to describe the advanced compilation options.

--with-pcap=DIR         pcap.h location
--with-libpcap=DIR      libpcap location
These are self-explanatory options. They specify the location of the
libpcap headers and library files respectively.
Example:
--with-pcap=/usr/local/pcap/include
--with-libpcap=/usr/local/pcap/lib

--with-membulk=MODE     indexing mode: index8|index16|ptr [default=ptr]
This option concerns memory management and defines the indexing mode and
the maximum memory bulk size. I shall only say that `index8' is the most
frugal mode, `ptr' the fastest, and `index16' somewhere in the middle.

--with-hash=TYPE        hash type: xor8|xor16|crc16 [default=xor16]
fprobe uses hashing to speed up flow cache searching. This option
specifies the hash type. `xor8' is very frugal with memory - it uses
only 1KB (on 32-bit systems) for the hash structure, while `xor16' and
`crc16' use 256KB. But, on the other hand, a bigger hash gives better
performance.
The hash functions xor8 and xor16 are faster than crc16, but they are
vulnerable to a DoS attack, as described in "Denial of Service via
Algorithmic Complexity Attacks" by Scott A. Crosby and Dan S. Wallach:
http://www.cs.rice.edu/~scrosby/hash

--enable-uptime_trick   enable uptime trick [default=yes]
Maybe later...

--enable-icmp_trick     enable icmp trick: yes|cisco|no [default=yes]
If this option is set to "yes", fprobe will store the ICMP type and code
in the srcport and dstport NetFlow fields.
If this option is set to "cisco", only the dstport field will be used (the
ICMP type is the higher eight bits and the ICMP code is the lower eight
bits). This storing method is used in some Cisco NetFlow implementations.
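
The two storing methods above, as an added collector-side example (not
fprobe's own code): encode an ICMP type/code pair the way each
icmp_trick mode stores it, decode it back from a flow record, and guess
from a batch of records which mode the probe was built with. It assumes
that in "yes" mode the type goes to srcport and the code to dstport (the
order in which the README names the fields); record tuples are
(protocol, srcport, dstport).

```python
ICMP_PROTO = 1  # IP protocol number of ICMP

def encode_icmp_ports(mode, icmp_type, icmp_code):
    """Return (srcport, dstport) for an ICMP flow under the given icmp_trick mode."""
    if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
        raise ValueError("ICMP type and code are single octets")
    if mode == "yes":           # assumption: type -> srcport, code -> dstport
        return icmp_type, icmp_code
    if mode == "cisco":         # type in the high octet, code in the low octet
        return 0, (icmp_type << 8) | icmp_code
    if mode == "no":            # ports are meaningless for ICMP, left zero
        return 0, 0
    raise ValueError("unknown icmp_trick mode: %r" % mode)

def decode_icmp_ports(mode, proto, srcport, dstport):
    """Recover (type, code) from a record, or None for non-ICMP or mode=no."""
    if proto != ICMP_PROTO or mode == "no":
        return None
    if mode == "yes":
        return srcport, dstport
    if mode == "cisco":
        return dstport >> 8, dstport & 0xFF
    raise ValueError("unknown icmp_trick mode: %r" % mode)

def guess_icmp_mode(records):
    """Infer the probe's mode from ICMP records, e.g. to catch a collector
    configured for the wrong one.  A non-zero srcport only occurs in "yes"
    mode; a dstport above 255 only in "cisco" mode.  Echo replies (type 0)
    encode identically in both, so a batch of only those is ambiguous."""
    saw_yes = saw_cisco = False
    for proto, srcport, dstport in records:
        if proto != ICMP_PROTO:
            continue
        saw_yes |= srcport != 0
        saw_cisco |= dstport > 255
    if saw_yes and saw_cisco:
        return "mixed"          # inconsistent: not a single fprobe build
    if saw_yes:
        return "yes"
    if saw_cisco:
        return "cisco"
    return "ambiguous"
```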

--enable-debug          enable debugging [default=no]
You may select different events for debugging: (C)apture, (U)npending,
(S)can, (E)mit, (M)emory, (F)ill and (I)nfo. The most interesting of the
above (for the end user) is Info debugging - you may get general statistics
about captured packets, emitted flows and allocated memory using
kill -s USR1.
Don't forget to run fprobe with `-v7', otherwise you'll not see the
debugging output.
Example:
--enable-debug (enable all events debugging)
--enable-debug=I,C,U,E (enable Info, Capture, Unpending and Emit debugging)

Brief explanation of Info debug messages:
I: received:[total packets]/[fragmented] ([total size])
   pending:[now in queue]/[maximum]
I: ignored:[non-IP] lost:[pending queue full]+[no memory for caching]
   dropped:[by kernel (if supported)]
I: cache:[flows]/[fragmented] emit:[sent datagrams]/[sent flows]/[flows
   in emit queue]
I: memory:[allocated flows]/[free] ([allocated memory in bytes])
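
As an added example (not part of fprobe), a small parser for the Info
messages explained above that turns them into counters and flags the
conditions under which the collector is not seeing all traffic: packets
lost to a full pending queue or to lack of cache memory, kernel drops, and
a flow cache with no free entries. It assumes each I: message is printed
on one line with the numbers laid out exactly as in the README's template;
the syslog lines are constructed samples, not real fprobe output.

```python
import re

# Field layout assumed from the README template (one I: message per line).
RE_RECEIVED = re.compile(r"received:(\d+)/(\d+) \((\d+)\) pending:(\d+)/(\d+)")
RE_IGNORED = re.compile(r"ignored:(\d+) lost:(\d+)\+(\d+) dropped:(\d+)")
RE_CACHE = re.compile(r"cache:(\d+)/(\d+) emit:(\d+)/(\d+)/(\d+)")
RE_MEMORY = re.compile(r"memory:(\d+)/(\d+) \((\d+)\)")

SAMPLE_SYSLOG = [  # constructed sample with a syslog prefix
    "Jan 30 12:00:01 gw fprobe[1234]: I: received:120345/1203 (98765432) pending:3/256",
    "Jan 30 12:00:01 gw fprobe[1234]: I: ignored:17 lost:5+0 dropped:42",
    "Jan 30 12:00:01 gw fprobe[1234]: I: cache:812/9 emit:40/3200/11",
    "Jan 30 12:00:01 gw fprobe[1234]: I: memory:1024/212 (131072)",
]

def parse_info_lines(lines):
    """Collect the counters of one USR1 statistics dump into a dict."""
    s = {}
    for line in lines:
        if m := RE_RECEIVED.search(line):
            s.update(received=int(m.group(1)), fragmented=int(m.group(2)),
                     total_bytes=int(m.group(3)), pending=int(m.group(4)),
                     pending_max=int(m.group(5)))
        elif m := RE_IGNORED.search(line):
            s.update(ignored=int(m.group(1)), lost_queue_full=int(m.group(2)),
                     lost_no_memory=int(m.group(3)), dropped_kernel=int(m.group(4)))
        elif m := RE_CACHE.search(line):
            s.update(cache_flows=int(m.group(1)), cache_fragmented=int(m.group(2)),
                     sent_datagrams=int(m.group(3)), sent_flows=int(m.group(4)),
                     emit_queue=int(m.group(5)))
        elif m := RE_MEMORY.search(line):
            s.update(alloc_flows=int(m.group(1)), free_flows=int(m.group(2)),
                     alloc_bytes=int(m.group(3)))
    return s

def capture_loss(stats):
    """Packets that never became flows: queue full + no memory + kernel drops."""
    return (stats.get("lost_queue_full", 0) + stats.get("lost_no_memory", 0)
            + stats.get("dropped_kernel", 0))

def findings(stats):
    """Human-readable reasons why the exported flows may be incomplete."""
    out, lost, received = [], capture_loss(stats), stats.get("received", 0)
    if lost:
        pct = 100.0 * lost / received if received else 0.0
        out.append("capture loss: %d of %d packets (%.3f%%)" % (lost, received, pct))
    if stats.get("pending_max") and stats.get("pending", 0) >= stats["pending_max"]:
        out.append("pending queue at maximum (%d)" % stats["pending_max"])
    if stats.get("free_flows") == 0 and "free_flows" in stats:
        out.append("no free flow entries left in cache")
    return out
```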

--enable-messages       enable runtime messages [default=no]
This option enables reporting of non-fatal runtime errors. Be careful - it
may flood your syslog.

--with-piddir=DIR       pidfiles location [default=/var/run]
Directory in which to store pidfiles.

Useful links:
=============

nProbe - NetFlow probe by Luca Deri:
http://www.ntop.org/nProbe.html

fprobe (namesake of my project) - NetFlow probe by Bogdan Surdu:
http://psi.home.ro/flow

Softflowd - traffic analyzer capable of Cisco NetFlow data export:
http://www.mindrot.org/softflowd.html

Cisco's NetFlow links:
http://www.cisco.com/go/netflow

Excellent link collection about Network Monitoring and Analysis:
http://www.switch.ch/tf-tant/floma

Contacts:
=========

Feel free to send any questions, comments, bug reports etc.
Contributions are welcome, including cosmetic fixes and pointing out
usability problems.

Sincerely yours,
Slava Astashonok <sla@0n.ru>
