fprobe is a small NetFlow probe which will listen on a network interface. It isusing libpcap, aggregate the traffic and export NetFlow V5 datagram to a remote collector for processing. A flow is identified by ip protocol, source ip, source port, destination ip, destination port.
Right now only ethernet interfaces are supported. Support for more media types (tunnel, ppp etc) will be added in nex versions.
/fprobe -t IP:PORT [ -i interface ] [ -s scan ] [ expression ]
-t IP:PORT NetFlow collector address
-i interface interface to listen for traffic (default eth0)
-s scan interval in seconds between two flow tables scans (Default: 10)
-c file file with MAC definitions
-p don't put the interface in promisc mode
-b go in background (daemon mode)
-l file log file name
expression a bpf expresion to filter traffic (See libpcap/tcpdump)
./fprobe -i eth2 -t 127.0.0.1:8182
This will sniff the traffic on interface 'eth2' and will send the NetFlow data to localhost (127.0.0.1) on UDP port 8182.
Internal flow table is parsed every 'scan' seconds for expired flows which are sent to remote collector.
What's New in This Release:
· can handle IP fragments
· can set the snmp interface ID based on source/destination MAC address
· fixed uptime in exported flows
· new hash function for internal storage
· delay between udp datagrams emited