Provided by:NAMEfprobe - a NetFlow probeSYNOPSIS fprobe options remote:port/local/type. DESCRIPTION fprobe - libpcap-based tool that collect network traffic data and emit it as NetFlow flowstowards the specified collector.OPTIONS -h Display short help-p Don't put the interface into promiscuous mode. Note that even if this option isused, the interface might be in promiscuous mode for some other reason.-i Listen on interface.

How do I use fprobe? I recently installed fprobe so that I could generate some NetFlow data in order to learn how to use FlowTools. I tried to read the README that came with fprobe, but I guess I'm not as advanced as I thought I am, because I can't get it to work.

If unspecified, fprobe will use result of pcaplookupdevfunction. On Linux systems with 2.2 or later kernels, an interface argument of` any' can be used to capture packets from all interfaces. Note that captures on the` any' device will not be done in promiscuous mode.You may use ` -' as interface name to process files produced by tcpdump with -wflag. Fprobe will read data from stdin.-f Filter expression selects which packets will be captured. If no expression isgiven, all packets on the net will be captured.

Otherwise, only packets for whichexpression is `true' will be captured.fprobe use silly IP-packet detection method, so it is bad idea to leave the filterempty. For general use `ip' (-fip) is good filter expression.Read tcpdump manual for detailed expression syntax.-s How often scan for expired flows. default=5-g Fragmented flow lifetime. default=30-d Idle flow lifetime (inactive timer). default=60-e Active flow lifetime (active timer). default=300-n NetFlow version for use (1, 5, 7). default=5-a Use address as source for NetFlow flow.-x :Workaround for SNMP interfaces indexes.

default=0The second parameter may be omitted - in this case its value will be equal to thefirst.See BUGS section.-b Memory bulk size. default=200 or 10000Note that maximum and default values depends on compiling options ( -with-membulkparameter).-m Memory limit for flows cache (0=no limit). default=0-q Pending queue length. default=100Each captured packet at first puts into special buffer called `pending queue'.Purpose of this buffer is to separate most time-critical packet capture thread fromother.-B Kernel capture buffer size (0=don't change). default=0Increase kernel capture buffer size is most adequate way to prevent packets loss.Unfortunately, at present there is no straight way to set the buffer size throughtlibpcap, so this option is a hack. Moreover, now this hack take effect only onsocket-based capture mechanisms: it mean that it work on Linux and don't work onBSD systems with their bpf.Note that maximum allowed size of the buffer in Linux limited and generallyrelatively small, so it should need to change the maximum: sysctl -wnet/core/rmemmax=4194304-r Real-time priority (0=disabled). default=0If parameter greater then zero fprobe will use real-time scheduling policy toprevent packets loss.

Note that possible values for this option depends onoperating system.-t Emitting rate limit (0:0=no limit). default=0:0Produce N nanosecond delay after each B bytes sent. This option may be useful withslow interfaces and slow collectors. Note that the suspension time may be longerthan requested because the argument value is rounded up to an integer multiple ofthe sleep resolution (it depends on operating system and hardware) or because ofthe scheduling of other activity by the system.See BUGS section.-S Snaplen (0=whole packet). default=256Number of bytes to capture from packet on wire.-K Link layer header size. By default fprobe take this information from libpcap, butsometimes obtained size unsuitable for our purpose. It occurs, for example, ontrunk interfaces in VLAN enviroment, where link layer header contain additionalVLAN header.See EXAMPLES section.-k Don't exclude link layer header from packet size.

By default fprobe counts only IP-part of packet.-c Directory to chroot to.-u User to run as.-v Maximum displayed log level. (0=EMERG, 1=ALERT, 2=CRIT, 3=ERR, 4=WARNING, 5=NOTICE,6=INFO, 7=DEBUG) default=6-l Log destination (0=none, 1=syslog, 2=stdout, 3=both) and log/pidfile identifier.default=1This option allows to select opportune log destination and process identifier. Theidentifier helps to distinguish pidfile and logs of one fprobe process from other.Note that if log destination contains ` stdout' (equal 2 or 3) fprobe will run inforeground.remote:port/local/typeParameters remote and port are respectively define address and port of the NetFlowcollector.The local parameter allows binding certain local IP address with specifiedcollector. If the parameter is omitted the value (if any) of -a option will beused.The type parameter determines emitting behavior.

How to install fprobe on Ubuntu 12.04 LTS?

First of all update your system with the command: Download ghost for window xp.

Ads

Above command will download the package lists for Ubuntu 12.04 LTS on your system. This will update the list of newest versions of packages and its dependencies on your system.

After downloading the latest package list with the help of above you can run the installation process.

If fprobe is not installed on your compter then the command 'dpkg -L fprobe' will give followin error.

Installing fprobe:

After system update use the following command to install fprobe:

Above command will confirm before installing the package on your Ubuntu 12.04 LTS Operating System. If you are not already logged in as su, installer will ask you the root password. After completion of the installation you can use the package on your system.

How to uninstall/remove fprobe from Ubuntu 12.04 LTS?

Now we will see the commands for uninstalling the fprobe from Ubuntu 12.04 LTS. For uninstalling this package you can easily use the apt command and remove the package from Linux Operating System.

To remove the fprobe following command is used:

Following command is used to remove the fprobe package along with its dependencies:

This will remove fprobe and all its dependent packages which is no longer needed in the system.

Completely removing fprobe with all configuration files:

Following command should be used with care as it deletes all the configuration files and data:

or you can use following command also:

Above command will remove all the configuration files and data associated with fprobe package. You can can't recover the delete data, so, use this command with care.