First of all, sorry for my clumsy English.

General information:
====================

fprobe: a NetFlow probe - a libpcap-based tool that collects network
traffic data and emits it as NetFlow flows towards the specified
collector.

URL: http://fprobe.sourceforge.net

Compiling and installing:
=========================

Read the INSTALL file for basic installation instructions. Below I'll
try to describe the advanced compilation options.

--with-pcap=DIR pcap.h location
--with-libpcap=DIR libpcap location
These are self-explanatory options. They specify the location of the
libpcap headers and library files respectively.
Example:
--with-pcap=/usr/local/pcap/include
--with-libpcap=/usr/local/pcap/lib

--with-membulk=MODE indexing mode: index8|index16|ptr [default=ptr]
This option concerns memory management and defines the indexing mode and
the maximum memory bulk size. I will only say that `index8' is the most
frugal mode, `ptr' the fastest, and `index16' somewhere in the middle.

--with-hash=TYPE hash type: xor8|xor16|crc16 [default=xor16]
fprobe uses hashing to speed up flow cache searches. This option
specifies the hash type. `xor8' is very frugal with memory - it uses
only 1KB (on 32-bit systems) for the hash structure, while `xor16' and
`crc16' use 256KB. But, on the other hand, a bigger hash gives better
performance.
The hash functions xor8 and xor16 are faster than crc16, but they are
vulnerable to a DoS attack (crafted traffic can force many flows into
the same hash bucket, so cache searches degrade to linear scans), as
described in "Denial of Service via Algorithmic Complexity Attacks" by
Scott A. Crosby and Dan S. Wallach:
http://www.cs.rice.edu/~scrosby/hash

--enable-uptime_trick enable uptime trick [default=yes]
Maybe later...

--enable-icmp_trick enable icmp trick: yes|cisco|no [default=yes]
If this option is set to "yes", fprobe will store the ICMP type and code
in the srcport and dstport NetFlow fields.
If this option is set to "cisco", only the dstport field is used (the
ICMP type in the upper eight bits and the ICMP code in the lower eight
bits). This storing method is used in some Cisco NetFlow
implementations.

--enable-debug enable debugging [default=no]
You may select different events for debugging: (C)apture, (U)npending,
(S)can, (E)mit, (M)emory, (F)ill and (I)nfo. The most interesting (for
the end user) of these is Info debugging: you can get general statistics
about captured packets, emitted flows and allocated memory by sending
`kill -s USR1'. Don't forget to run fprobe with `-v7', otherwise you
won't see the debugging output.
Example:
--enable-debug (enable debugging of all events)
--enable-debug=I,C,U,E (enable Info, Capture, Unpending and Emit debugging)

Brief explanation of Info debug messages:
I: received:[total packets]/[fragmented] ([total size])
   pending:[now in queue]/[maximum]
I: ignored:[non-IP] lost:[pending queue full]+[no memory for caching]
   dropped:[by kernel (if supported)]
I: cache:[flows]/[fragmented] emit:[sent datagrams]/[sent flows]/[flows
   in emit queue]
I: memory:[allocated flows]/[free] ([allocated memory in bytes])

--enable-messages enable runtime messages [default=no]
This option enables reporting of non-fatal runtime errors. Be careful:
it may flood your syslog.

--with-piddir=DIR pidfiles location [default=/var/run]
Directory to store pidfiles.
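Added example (not part of fprobe or this README): a Python parser for the Info debug lines described above, with a health check that flags the counters which mean the exported flows no longer reflect the traffic on the wire (lost, dropped, exhausted flow memory, a nearly full pending queue). The sample lines are constructed from the field layout above; the exact spacing and line wrapping of real fprobe output is an assumption, so the parser accepts both single-line and wrapped forms and skips any syslog prefix.

```python
import re
# Constructed sample of fprobe's Info lines (-v7, --enable-debug=I, then `kill -s USR1`).
# Exact spacing/wrapping of real output is an assumption: the parser accepts both
# single-line and wrapped forms and ignores any syslog prefix before "I: ".
SAMPLE_LOG = """\
I: received:120345/812 (98765432)
   pending:17/1000
I: ignored:53 lost:240+7
   dropped:1200
I: cache:4096/12 emit:3500/105000/24
I: memory:4200/300 (1075200)
"""
# One pattern per Info line; group names mirror the README's bracketed fields.
PATTERNS = [
    re.compile(r"received:(?P<received>\d+)/(?P<received_frag>\d+)\s*\((?P<received_bytes>\d+)\)\s*pending:(?P<pending>\d+)/(?P<pending_max>\d+)"),
    re.compile(r"ignored:(?P<ignored>\d+)\s*lost:(?P<lost_queue>\d+)\+(?P<lost_mem>\d+)(?:\s*dropped:(?P<dropped>\d+))?"),
    re.compile(r"cache:(?P<cache_flows>\d+)/(?P<cache_frag>\d+)\s*emit:(?P<emit_dgrams>\d+)/(?P<emit_flows>\d+)/(?P<emit_queue>\d+)"),
    re.compile(r"memory:(?P<mem_flows>\d+)/(?P<mem_free>\d+)\s*\((?P<mem_bytes>\d+)\)"),
]
def join_continuations(text):
    """Strip everything up to 'I: ' and glue indented continuation lines onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if "I: " in raw:
            lines.append(raw.split("I: ", 1)[1].strip())
        elif raw[:1].isspace() and raw.strip() and lines:
            lines[-1] += " " + raw.strip()
    return lines

def parse_info(text):
    """Return every counter from the Info lines as an int keyed by field name."""
    stats = {}
    for line in join_continuations(text):
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                stats.update({k: int(v) for k, v in m.groupdict().items() if v})
    return stats

def health(stats):
    """Describe conditions under which exported flows no longer reflect the wire traffic."""
    issues = []
    lost = stats.get("lost_queue", 0) + stats.get("lost_mem", 0) + stats.get("dropped", 0)
    if lost:
        issues.append(f"packets lost: {lost} of {stats.get('received', 0)} received")
    if stats.get("pending_max") and stats["pending"] * 10 >= stats["pending_max"] * 9:
        issues.append("pending queue above 90%: capture is outrunning the scanner")
    if stats.get("mem_free") == 0:
        issues.append("no free flow entries: new flows will be lost until memory frees up")
    return issues
```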

Useful links:
=============

nProbe - NetFlow probe by Luca Deri:
http://www.ntop.org/nProbe.html

fprobe (namesake of my project) - NetFlow probe by Bogdan Surdu:
http://psi.home.ro/flow

Softflowd - traffic analyzer capable of Cisco NetFlow data export:
http://www.mindrot.org/softflowd.html

Cisco's NetFlow links:
http://www.cisco.com/go/netflow

Excellent link collection about Network Monitoring and Analysis:
http://www.switch.ch/tf-tant/floma

Contacts:
=========

Feel free to send any questions, comments, bug reports etc.
Contributions are welcome, including cosmetic fixes and pointing out
usability problems.

Sincerely yours,
Slava Astashonok <sla@0n.ru>