Command Line Options

nProbe supports a large number of command line parameters. To see what they are, simply enter the command nprobe -h and the help information should be printed

Welcome to nProbe
with native PF_RING acceleration.
Copyright 2002-18 ntop.org

nProbe is subject to the terms and conditions defined in
the LICENSE and EULA files that are part of this package.

nProbe also contains third party code:
Radix tree code - (C) The Regents of the University of Michigan
                      ("The Regents") and Merit Network, Inc.
sFlow collector - (C) InMon Inc.

Usage:
nprobe -n <host:port|none> [-i <interface|dump file>] [-t <lifetime timeout>]
              [-d <idle timeout>] [-l <queue timeout>] [-s <snaplen>]
              [-p <aggregation>] [-f <filter>] [-a] [-b <level>] [-G]
              [-P <path>] [-F <dump timeout>] [-D <format>]
              [-u <in dev idx>] [-Q <out dev idx>]
              [-I <probe name>] [-v] [-w <hash size>] [-e <flow delay>] [-B <packet count>]
              [-z <min flow size>] [-M <max num flows>]
              [-E <engine>] [-C <flow lock file>]
              [-m <min # flows>] [-R <cmd>][-q <host>[:<port>]
              [-S <sample rate>] [-A <AS list>] [-g <PID file>]
              [-T <flow template>] [-U <flow template id>]
              [-o <v9 templ. export policy>] [-L <local nets>] [-c] [-r]
              [-1 <interface nets>] [-2 <number>] [-3 <port>] [-4] [-5] [-6]
              [-9 <path>] [--black-list <networks>] [--pcap-file-list <filename>]
              [-N <biflows export policy>] [--dont-drop-privileges]


[--collector|-n] <host:port|none>   | Address of the NetFlow collector(s).
                                    | Multiple collectors can be defined using
                                    | multiple -n flags. In this case flows
                                    | will be sent in round robin mode to
                                    | all defined collectors if the -a flag
                                    | is used. Note that you can specify
                                    | both IPv4 and IPv6 addresses.
                                    | If you specify none as value,
                                    | no flow will be export; in this case
                                    | the -P parameter is mandatory.
                                    | Note that you can specify the protocol
                                    | used to send packets. Example:
                                    | udp://192.168.0.1:2055,tcp://10.1.2.3:2055
[--interface|-i] <iface|pcap>       | Interface name from which packets are
                                    | captured, or .pcap file (debug only).
[--lifetime-timeout|-t] <timeout>   | It specifies the maximum (seconds) flow
                                    | lifetime [default=120]
[--idle-timeout|-d] <timeout>       | It specifies the maximum (seconds) flow
                                    | idle lifetime [default=30]
[--queue-timeout|-l] <timeout>      | It specifies how long expired flows
                                    | (queued before delivery) are emitted
                                    | [default=30]
[--snaplen|-s] <snaplen>            | Packet capture snaplen [default 128 bytes]
[--aggregation|-p] <aggregation>    | It specifies the flow aggregation level:
                                    | <VLAN Id>/<proto>/<IP>/<port>/<TOS>/<SCTP StreamId>/<exporter IP>
                                    | where each element can be set to 0=ignore
                                    | or 1=take care. Example '-p 1/0/1/1/1/1/0'
                                    | ignores the protocol, whereas
                                    | '-p 0/0/1/0/0/0/0' ignores everything
                                    | but the IP. Default: 1/1/1/1/1/1/1
[--bpf-filter|-f] <BPF filter>      | BPF filter for captured packets
                                    | [default=no filter]
[--all-collectors|-a]               | If several collectors are defined, this
                                    | option gives the ability to send all
                                    | collectors all the flows. If the flag is
                                    | omitted collectors are selected in
                                    | round robin.
[--verbose|-b] <level>              | Verbose output:
                                    | 0 - No verbose logging
                                    | 1 - Limited logging (traffic statistics)
                                    | 2 - Full verbose logging
[--daemon-mode|-G]                  | Start as daemon.
[--dump-path|-P] <path>             | Directory where dump files will
                                    | be stored.
[--exec-cmd-dump|-R] <cmd>          | Execute the specified command for each
                                    | file dump on disk (including plugins).
[--exec-cmd-pcap|-x] <cmd>          | Execute the specified command for each
                                    | pcap file that has been processed with -i.
[--dump-frequency|-F] <dump timeout>| Dump files dump frequencey (sec).
                                    | Default: 60
[--dump-format|-D] <format>         | <format>: flows are saved as:
                                    | b       : raw/uncompressed flows
                                    | B       : raw core flow fields (152 bytes)
                                    | t       : text flows
                                    | Example: -D b. Note: this flag has no
                                    | effect without -P.
[--in-iface-idx|-u] <in dev idx>    | Index of the input device used in the
                                    | emitted flows (incoming traffic). Default
                                    | value is 0. Use -1 as value to dynamically
                                    | set to the last two bytes of
                                    | the MAC address of the flow sender.
[--out-iface-idx|-Q] <out dev idx>  | Index of the output device used in the
                                    | emitted flows (outgoing traffic). Default
                                    | value is 0. Use -1 as value to dynamically
                                    | set to the last two bytes of
                                    | the MAC address of the flow receiver.
[--vlanid-as-iface-idx] <mode>      | Use vlanId (0 for untagged traffic)
                                    | as interface index. Mode specifies with
                                    | stacked VLANs which vlanId to choose. Values
                                    | are 'inner', 'outer', 'single', or 'dual':
                                    | inner  = use the most inner VLAN tag
                                    | outer  = use the first (the one close to ether) VLAN tag
                                    | single = for even outer VLAN tags 'E',
                                    |          where E={2,4,6...4094},
                                    |          ifIdx is set to IN='0',OUT='E'.
                                    |          For odd outer VLAN tags 'O',
                                    |          where O={3,5,7...4095},
                                    |          ifIdx is set to IN='O-1',OUT='0'
                                    | double = for even outer VLAN tags 'E',
                                    |          where E={2,4,6...4094}, ifIdx
                                    |          is set to IN='E+1',OUT='E'.
                                    |          For odd outer VLAN tags 'O',
                                    |          where O={3,5,7...4095},
                                    |          ifIdx are set to IN='O-1',OUT='O'
                                    | Note that this option
                                    | superseedes the --in/out-iface-idx options
[--discard-unknown-flows] <mode>    | In case you enable L7 proto detection
                                    | (e.g. add %L7_PROTO to the template)
                                    | this options enables you not to export
                                    | flows for which nDPI has not been able
                                    | to detect the proto. Mode values:
                                    | 0 - Export known/unknown flows (default)
                                    | 1 - Export only known flows (discard
                                    |     flows with unknown protos)
                                    | 2 - Export only unknown flows (discard
                                    |     flows with known protos)
[--nprobe-version|-v]               | Prints the program version.
[--flow-lock|-C] <flow lock>        | If the flow lock file is present no flows
                                    | are emitted. This facility is useful to
                                    | implement high availability by means of
                                    | a daemon that can create a lock file
                                    | when this instance is in standby.
[--help|-h]                         | Prints the nProbe help. Use -H for long help.
[--help-netflow|-H]                 | Prints help including templates and plugins info.
--interpret-flow-packets            | Interpret received packets to see
                                    | if they contain flows (development only).
--debug                             | Enable debugging (development only).
--terminate-in <sec>                | Terminate nProbe in <sec> seconds. Debug only.
--plugin-dir <dir>                  | Load plugins from the specified directory.
--check-boundaries                  | Traps code that modifies read-only
                                    | memory (development only).
--json-to-syslog                    | Export flows in JSON format to syslog
--json-labels                       | In case JSON label is used (e.g. with ZMQ)
                                    | labels instead of numbers are used as keys.
--fake-capture                      | Fake packet capture (development only).
--drop-flow-no-plugin               | Drop flows that have not processed by a plugin.
--l7-aggregation <mode>             | Enable data aggregation in redis (--redis required)
                                    | 1 - Aggregate hourly (redis key nprobe.l7_xxx.epoch)
                                    | 2 - Aggregate daily (redis key nprobe.l7_xxx.epoch)
                                    | 3 - Aggregate totals (redis key nprobe.l7_totals)
                                    | Where epoch is the current epoch modulus 3600 (hourly)
                                    | and 86400 (daily) and xxx is bytes/pkts.
--dont-nest-dump-dirs               | Dump files won't be saved on nested dirs.
--performance                       | Enable performance tracing (debug only).
--capture-direction <direction>     | Specify packet capture direction
                                    | 0=RX+TX (default), 1=RX only, 2=TX only
--plugin-notify                     | In case plugin(s) are enabled and --zmq is used
                                    | it is possible to send immediately to remote collectors
                                    | a JSON message with the decoded plugin flow info without
                                    | having to wait the flow to expire
--lua <lua path>                    | Run the specified lua file before flow export (nProbe Pro).
--add-pid-to-logfile                | Append the nprobe PID to dump files to avoid file
                                    | overwrite in case multiple probes dump onto the
                                    | same directory
--add-engineid-to-logfile           | Append the defined NetFlow engineId to dump files
--enable-ipv4-deduplication         | By default IPv4 frames hw-duplicated are not detected
                                    | and discarded. Use this option to enable
                                    | IPv4 hw-deduplication
[--syslog|-I] <probe name>          | Log to syslog as <probe name>
                                    | [default=stdout]
[--hash-size|-w] <hash size>        | Flows hash size [default=131072]
[--no-ipv6|-W]                      | IPv6 packets will not be accounted.
[--flow-delay|-e] <flow delay>      | Delay (in ms) between two flow
                                    | exports [default=0]
[--count-delay|-B] <packet count>   | Send this many packets before
                                    | the -e delay [default=1]
[--min-flow-size|-z] <TCP[:UDP[:O]]>| Minimum flow size (in bytes).
                                    | If a flow is shorter than the
                                    | specified size the flow is not
                                    | emitted. Flow size can be specified
                                    | for TCP, UDP and Other flows, with Other
                                    | meaning neither TCP nor UDP.
                                    | [default=no_min/no_min/no_min]
--cluster-id <cluster id>           | Specify the PF_RING clusterId on which
                                    | incoming packets will be bound.
[--max-num-flows|-M] <max num flows>| Limit the number of active flows. This is
                                    | useful if you want to limit the memory
                                    | or CPU allocated to nProbe in case of non
                                    | well-behaved applications such as
                                    | worms or DoS. [default=524288]
[--netflow-engine|-E] <type:id>     | Specify the engine type and id.
                                    | The format is engineType:engineId.
                                    | [default=0:242] where engineId is a
                                    | random number.
[--min-num-flows|-m] <min # flows>  | Minimum number of flows per packet
                                    | unless an expired flow is queued
                                    | for too long (see -l) [default=30
                                    | for v5, dynamic for v9/IPFIX]
[--sender-address|-q <host>[:<prt>]]| Specifies the address:port of the flow
                                    | sender. This option is useful for hosts
                                    | with multiple interfaces or if flows
                                    | must be emitted from a static port/IP.
[--sample-rate|-S] <pkt rate>:<flow collection rate>:<flow export rate>
                                    | Packet capture sampling rate (-i only)
                                    | and NetFlow collection/export sampling rate.
                                    | If <pkt rate> starts with
                                    | '@' it means that nprobe will report
                                    | the specified sampling rate but will
                                    | not sample itself as incoming packets
                                    | are already sampled on the specified
                                    | capture device at the specified rate.
                                    | NOTE: in sFlow pkt rate is part of the packet.
                                    | Flow collection rate specify the flow sampling
                                    | rate of the flows being collected (-3 only)).
                                    | Flow export rate (export only e.g. -n)
                                    | specifies how many flows are exported
                                    | (i.e. it does not affect flow collection).
                                    | Default: 1:1:1 [no sampling]
[--max-ingress-rate] <rate>         | Maximum ingress rate in Mbit/s (rate limiting)
[--as-list|-A] <AS list>            | GeoIP file containing with known ASs.
                                    | Example: GeoIPASNum.dat
--city-list <city list>             | GeoIP file containing the city/IP mapping.
                                    | Note that nProbe will load the IPv6 file
                                    | equivalent if present. Example:
                                    | --city-list GeoLiteCity.dat will also
                                    | attempt to load GeoLiteCityv6.dat
[--pid-file|-g] <PID file>          | Put the PID in the specified file
[--flow-templ|-T] <flow template>   | Specify the NFv9/IPFIX template (see below).
[--flow-templ-id|-U] <templ. id>    | Specify the NFv9/IPFIX template identifier
                                    | [default: 257]
[--flow-version|-V] <version>       | NetFlow Version: 5=NFv5, 9=NFv9, 10=IPFIX
[--flows-intra-templ|-o] <num>      | Specify how many flow pkts are exported
                                    | between template exports [default: 10]
[--aggregate-gtp-tunnels]           | Aggregate GTP traffic on tunnel id.
[--keep-probes-unmerged]            | Don't merge flows rcvd from different probe IPs.
[--skip-packet-header-bytes] <num>  | Skip <num> bytes from ingress packet header.
[--local-networks|-L] <nets>        | Specify the list of local networks whose
                                    | format is <net>/<mask> (if multiple use comma).
[--local-hosts-only|-c]             | All the IPv4 hosts outside the local
                                    | network lists will be set to 0.0.0.0
                                    | (-L must be specified before -c).
                                    | This reduces the load on the probe
                                    | instead of discarding flows on the
                                    | collector side.
[--local-traffic-direction|-r]      | All the traffic going towards
                                    | the local networks (-L must also be
                                    | specified before -r) is assumed incoming
                                    | traffic all the rest is assumed outgoing
                                    | (see also -u and -Q).
[--max-flow-size|-0] <size>         | Specify the maximum flow size. NOTE:
                                    | This parameter has influence on -m.
[--if-networks|-1] <nets>           | Specify the binding between interfaceId
                                    | and a network (see below).
[--count|-2] <number>               | Capture a specified number of packets
                                    | and quit (debug only)
[--collector-port|-3] <port>        | Collect NetFlow/IPFIX/sFlow packets on port <port>
                                    | Example: -3 6343
                                    | Example: --collector-port 2055
                                    | NetFlow/IPFIX/sFlow packets can also be received through
                                    | a ZMQ relay, in which case <port> is used to specify the
                                    | relay endpoint. An implementation of a ZMQ relay
                                    | comes packaged and is available as binary flowRelay.
                                    | Example: -3 tcp://127.0.0.1:5556
[--cpu-affinity|-4] <CPU/Core Id>   | Binds this process to the specified CPU/Core
                                    | Note: the first available CPU corresponds to 0.
--export-thread-affinity <core>     | Bind the export thread to the specified core (default: no bind)
[--tunnel|-5]                       | Compute flows on tunnelled traffic rather than
                                    | on the external envelope
[--max-num-untunnels]               | Max number of tunnells that will be decapsulated
                                    | when using --tunnel
[--no-promisc|-6]                   | Capture packets in non-promiscuous mode
[--smart-udp-frags|-7]              | Ignore UDP fragmented packets with fragment offset
                                    | greater than zero, and compute the fragmented
                                    | packet length on the initial fragment header.
[--ipsec-auth-data-len|-8] <len>    | Length of the authentication data of IPSec
                                    | in tunnel mode. If not set, IPSec will not be decoded
[--dump-stats|-9] <path>            | Periodically dump traffic stats into the
                                    | specified file
--black-list <networks>             | All the IPv4 hosts inside the networks
                                    | black-list will be discarded.
                                    | This reduces the load on the probe
                                    | instead of discarding flows on the
                                    | collector side.
--pcap-file-list <filename>         | Specify a filename containing a list
                                    | of pcap files.
                                    | If you use this flag the -i option will be
                                    | ignored.
[--biflows-export-policy|-N] <pol>  | Bi-directional flows export policy:
                                    | 0 - export all flows
                                    | 1 - export bi-directional flows only
                                    | 2 - export mono-directional flows only
--csv-separator <separator>         | Specify the text files separator (see -P)
                                    | Default is '|' (pipe)
--dont-drop-privileges              | Do not drop privileges changing to user nobody
--disable-sflow-upscale             | Ignore sFlow sampling rate (1:1 is used) and thus
                                    | collected traffic is not upscaled
--account-l2                        | NetFlow accounts IP traffic only, not counting
                                    | L2 headers. Using this option the L2 headers
                                    | are also accounted
--dump-metadata <file>              | Dump flow metadata into the specified file
                                    | and quit. Useful for knowking the IE handled.
--dump-pkts <.pcap file>            | Dump incoming packets received on -i <dev> on <.pcap file>
--max-log-lines <num>               | Maximum number of lines on a dump file, or 0 = unlimited. Default: 10000.
--timestamp-format <mode>           | Specify the timestamp format on dump files. Values:
                                    | 0 - Unix Epoch
                                    | 1 - Unix Epoch with microseconds
                                    | 2 - Human readable timestamp
--ndpi-proto <proto>                | Comma separated list of nDPI protocols to enable. If
                                    | not specified, all known protocols are detected.
--account-imsi-traffic              | When used with GTP traffic and --redis, the user traffic
                                    | is accounted per IMSI/NSAPI (mobile traffic only)
--event-log <file>                  | Dump relevant activities into the specified log file
--mac-asn-map <file>                | Map ASN number based on the destination MAC specified
                                    | in <file> whose format is <MAC> <ASN>. Example:
                                    | # MAC             ASN
                                    | 00:11:22:33:44:55 1234
--vlan-iface-map <file>             | Map VLAN IDs to in/egress interface Ids as specified
                                    | in <file> whose format is <MAC> <ASN>. Example:
                                    | # VLAN IN OUT
                                    | 1234   5  6
                                    | Note: this option might conflict with the
                                    |       option --vlanid-as-iface-idx
--load-custom-fields <file>         | Load custom templates from the specified file. Pro only.
--mask-interface-id                 | This flag has effect only in collector mode based on the:
                                    | flow version being collected:
                                    | v5      mask = engineId
                                    | v9      mask = sourceId (low 16 bits)
                                    | ipfix   mask = observationDomainId (low 16 bits)
                                    | The mask is shifted of 16 bits and put in OR with the
                                    | flow interface Ids in/out of the collected flow
--online-license-check              | Check license online instead of using a license file
--cli <port>:<user>:<pwd>           | Enable command-line on the specified port
--hw-timestamp-mode <mode>          | Enable hw timestamping/stripping. Supported TS modes are:
                                    | ixia - Timestamped packets by ixiacom.com hardware devices
--collection-filter <filter>        | Filter applied to collected filters only (-3). Filter format:
                                    | [!]<asX | network/mask> (! means discard flows matching filter)
                                    | Example: !as12345, 192.168.0.0/24, !10.0.0.0/8
--imsi-aggregation                  | Aggregate IMSI traffic (GTP traffic only)
--simulate-storage                  | Simulate storage to disk (debug only)
--zmq <socket>                      | Deliver flows to subscribers connected to the specified endpoint.
                                    | Example tcp://*:5556 or ipc://flows.ipc
                                    | You can define up to 8 endpoints. When more than one endpoint is defined,
                                    | a hash function is used to evenly balance the flows among them.
--zmq-encrypt-pwd <pwd>             | Encrypt the ZMQ data using the specified password
--zmq-probe-mode                    | By default nProbe in ZMQ mode acts as a server with subscribers
                                    | (e.g. ntopng) attaching to it. When this option is used, roles are
                                    | reverted (i.e. use ntopng --zmq-collector-mode).
--zmq-disable-compression           | Disable JSON compression when z=sent via ZMQ (default: compress)
--zmq-disable-buffering             | Disable flow buffering (less latency, but more ZMQ messages) (default: enabled)
--tcp <server:port>                 | Deliver flows in JSON format to the specified server via TCP.
--dump-bad-packets <file>           | Dump bad/undecodeable packets into the specified pcap file
--lru-cache-size <size>             | Users and protocol cache size. Default 16384
--enable-throughput-stats           | Compute throughput stats that can be dumped when -P is used
--ndpi-proto-ports <file>           | Read custom ports definitions for nDPI (see nDPI/example/protos.txt)
--disable-l7-protocol-guess         | When nDPI is enabled, in case a protocol is not recognized,
                                    | nProbe guesses the protocol based on ports. This option disables
                                    | this feature and uses only strict payload dissection
--original-speed                    | When using -i with a pcap file, instead of reading packets
                                    | as fast as possible, the original speed is preserved (debug only)
--dont-reforge-timestamps           | Disable nProbe to reforge timestamps with -i <pcap file> and
                                    | prevent flows from expire until the whole pcap is read (debug only)
--db-engine <database engine>       | Define the DB engine type (example MyISAM, InfiniDB).
                                    | This information is used by the database plugin.
                                    | Default MyISAM.
--unprivileged-user <name>          | Use <name> instead of nobody when dropping privileges
--disable-cache                     | Disable flow cache for avoid merging flows. This option
                                    | is available only in collector/proxy mode
                                    | (i.e. use -i none)
--redis <host>[:<port>]             | Connected to the specified redis server
                                    | Example --redis localhost
--use-redis-proxy                   | Use a redis proxy (e.g.
                                    | https://github.com/twitter/twemproxy)
--ucloud                            | Enable the nProbe micro-cloud
--show-system-id                    | Print the system identifier
--check-license                     | Checks if the license is present and valid
--check-maintenance                 | Checks the maintenance status for the specified license
--bind-export-interface <name>      | Bind the flow export socket to the IP of specified
                                    | network interface
--disable-startup-checks            | Disable startup activities such as computation of public
                                    | IP address
--dump-plugin-families              | Dump all available plugin families
--minute-expire                     | All active flows across a minute change are exported
                                    | regardless of the flow export settings

Some of the most important parameters are briefly discussed here.

-n: collector addresses

This specifies the NetFlow collectors addresses to which nProbe will send the flows. If more than one is specified, they need to be separated with a comma or the –n flag can be repeated several times (e.g. -n 172.22.3.4:33,172.22.3.4:34 and -n 172.22.3.4:33 –n 172.22.3.4:34 are equivalent). When multiple collectors are defined, you can control the way flows are exported using the –a option (see below); if on a collector address the destination port is omitted, flows are sent to 2055 port and whereas if all the option is not specified, by default, flows are sent to the loop back interface (127.0.0.1) on port 2055. If this parameter is used, nProbe exports flows towards collector running at 127.0.0.1:2055. By default the UDP protocol is used but also TCP and SCTP (Linux only when nProbe is compiled with SCTP support and the kernel supports it). In this case you can specify the collector address as udp://<host>:<port>, tcp://<host>:<port>, and sctp://<host>:<port>,

-i: interface name

It specifies the interface from which packets are captured. If -i is not used, nProbe will use the default interface (if any). In case a user needs to activate nProbe on two different interfaces, then he/she needs to activate multiple nProbe instances once per interface. For debugging purposes it is possible to pass nProbe a .pcap file from which packets will be read. If nProbe is compiled and activated with PF_RING support, you can specify multiple interfaces from which packets are captured. For example, “-i eth0,eth1”, will merge packets received on eth0 and eth1 into a single traffic stream. This configuration is particularly useful when merging the two directions (TX and RX) of a network TAP.

-t: maximum flow lifetime

Regardless of the flow duration, a flow that has been active for more that the specified maximum lifetime is considered expired and it will be emitted. Further packets belonging to the same flow will be accounted on a new flow.

-d: maximum flow idle lifetime

A flow is over when the last packet received is older that the maximum flow idle lifetime. This means that whenever applicable, (e.g. SNMP walk) UDP flows will not be accounted on 1 packet/1 flow basis, but on one global flow that accounts all the traffic. This has a benefit on the total number of generated flows and on the overall collector performance.

-l: maximum queue timeout It specifies the maximum amount of time that a flow can be queued waiting to be exported. Use this option in order to try to pack several flows into fewer packets, but at the same time have an upper bound timeout for queuing flows into the probe.

-s:  snaplen

This flag specifies the portion of the packet (also called snaplen) that will be captured by nProbe. By default nprobe sets the snaplen automatically according to its configuration, but you can override its value using thia flag.

-p: <VLAN Id>/<proto>/<IP>/<port>/<TOS>/<SCTP StreamId>/<exporter IP>

Flows can be aggregated both at collector and probe side. However probe allocation is much more effective as it reduces significantly the number of emitted flows hence the work that the collector has to carry on. nProbe supports various aggregation levels that can be selected specifying with the -p flag. The aggregation format is <VLAN Id>/<proto>/<IP>/<port>/<TOS>/<SCTP StreamId>/<exporter IP> where each option can be set to 0 (ignore) or 1 (take care). Ignored fields are set to a null value when doing the aggregation as well as when doing the export. For example setting the <exporter IP> to 0 (ignore) will consider all the incoming flows as if they were coming from the same null exporter that will be output in %EXPORTER_IPV4_ADDRESS as 0.0.0.0. By default no aggregation is performed. For the sake of example, the value 0/0/1/0/0/0/0 can be used to create a map of who’s talking to who (network conversation matrix).

-f: packet capture filter

This BPF filter (see the appendix for further information about BPF filters) allows nProbe to take into account only those packets that match the filter (if specified).

-a: select flow export policy

When multiple collectors are defined (see –n option), nProbe sends them flows in round robin. However it is possible to send the same flow to all collectors as a flow redirector does if the –a option is used.

-b: enable verbose logging

Using this flag, nProbe generates verbose output that can be used to tune its performance (see chapter 2.4). Zero is the lowest level (little information is printed), 1 displays traffic statistics, 2 is really verbose. Example of traffic statistics:

04/Jul/2007 18:16:00 [nprobe.c:1129] Average traffic: [1.7 pkt/sec][1 Kb/sec]
04/Jul/2007 18:16:00 [nprobe.c:1134] Current traffic: [1.9 pkt/sec][1 Kb/sec]
04/Jul/2007 18:16:00 [nprobe.c:1140] Current flow export rate: [0.9 flows/sec]
04/Jul/2007 18:16:00 [nprobe.c:1144] Buckets: [active=13][allocated=21][free=8][toBeExported=0][frags=0]
04/Jul/2007 18:16:00 [nprobe.c:1149] Fragment queue: [len=0]
04/Jul/2007 18:16:00 [nprobe.c:1153] Num Packets: 111 (max bucket search: 0)
04/Jul/2007 18:16:00 [nprobe.c:1170] 115 pkts rcvd/0 pkts dropped

-G: start nprobe as a daemon.

Useful when starting nprobe as daemon.

-O: set the number of threads that fetch packets out of the network interface.

In general: the more threads are available, the better is the performance. However it is not suggested to have too many threads as in some platforms this can slow down the probe. Start with 1 and increase it if necessary. We suggest to run nprobe as single threaded application and distribute the traffic across multiple probes using PF_RING (e.g. PF_RING cluster or libzero). In fact adding threads you will end up spending a lot of time on synchronization without improving the performance. Please refer to this post http://www.ntop.org/nprobe/10-gbit-line-rate-netflow-traffic-analysis-using-nprobe-and-dna/ for more information.

-P: dump flows

This path specifies the directory where flows will be dumped. The dump format is text and it depends on the nProbe template specified with -T.

-F

It specifies the frequency at which files are dumped on disk

  • D: dump flows format

    Flows stored on disks can be stored in two formats: text with user-specified format or SQLite format (availability depends on the platform and if nProbe has been compiled with it). Using flow SQLite format (-D d) can significantly reduce the size of stored files, although all the collectors might not support this format. Text flows (-D t) are the safest setting if you want to use a standard collector able to read flows dump on disk. You can also export core flow fields (-D B) in binary format for post-processing by binary applications. Note that this flag has no effect unless –P is used.

-u: input device index

The NetFlow specification contains a numeric index in order to identify flows coming from different interfaces of the same probe. As multiple nProbe instances can be started on the same host but on different devices, the collector can use this flag to divide flows according to the interface number. If –u is not used, then nprobe will use 0 as interface index. Alternatively, if -1 is used then the last two bytes of the mac address of the flow sender are used as index.

-Q: output device index

Similar to –u but for the output interface.

--vlanid-as-iface-idx <mode: inner | outer | single | double>

nProbe can use the VLAN tag as interface identifier. Using this flag you enable this feature. As VLAN tags can be stacked you need to specify if the inner or outer tag will be used for the interface identifier.

--discard-unknown-flows <mode:0 | 1 | 2>

nProbe includes nDPI support for analyzing packet contents in order to detect application protocol. The mode value can be used to:

  • 0: Export all know (i.e. those whose application protocol has been detected) and unknown (i.e. the application protocol is unknown)
  • 1: Export only know flows, discarding unknown flows.
  • 2: Export only unknown flows, discarding known flows.

-v: print version

This flag is used to print the nProbe version number and date.

-C: flow export lock

This is a simple way to implement high-availability. Start two probes capturing the same data. The master probe emit flows, the slave probe is started with –C <path>. As long as <path> exists, the slave works but no flow is emitted. If the <path> file is deleted (e.g. using an external program for controlling the master/slave such as heartbeat) the slave starts emitting flows. If the file is restored, the slave is silent again.

-h: print help

Prints the nProbe help.

--dont-nest-dump-dirs

nProbe dumps data on disk (e.g. with -P) using a nested directory. In essence the base directory will be partitioned in sub-directories with <year>/<month>/<day>/<hour>/<min> structure. use this option is you want nProbe to dump all data in the base directory without creating this nested directory tree.

-I: log to syslog <probe name>

nProbe logs on stdout unless the –g flag (see above) is used. If the syslog needs to be used instead of a file, this flag instruments nProbe to log on it using the specified name (this is useful when multiple nProbe instances are active on the same host). Please note that –g is ignored if –I is used, and this option is not available on nProbe for Win32.

-w: size of the hash that stores the flows

The default size is 131072 and it should be enough for most of networks. In case flows are not emitted often and with strong traffic conditions it would be necessary to increase the hash. See later in this manual for knowing more about nProbe tuning.

-W: Discard IPv6 traffic

Use this flag if you want nProbe not to account IPv6 traffic.

-e: flow export delay

Some collectors cannot keep up with nProbe export speed. This flag allows flows to be slow down by adding a short delay (specified in ms) between two consecutive exports. The maximum allowed delay is 1000 ms.

-B: packet count delay

It specified how many flow packets need to be sent before –e is applied,

-z: <TCP[:UDP[:O]]>

Peer-to-peer applications, attacks or misconfigured applications often generate a lot of tiny flows that can cause significant load on the collector side. As most collector setups often discarded those flows, it is possible to instrument nProbe via the –z flag not to emit such flows.

-M: maximum number of active flows

It is used to limit the maximum number of concurrent flows that the probe can sustain. This is useful for preventing the probe from creating as many flows as needed and hence to take over all the available resources.

-E: netflow engine

Specify the netflow engineType:engineId into the generated flows.

-m: minimum number of flows per packet

In order to minimize the number of emitted packets containing flows, it is possible to specify the minimum number of flows that necessarily need to be contained in a packet. This means that the packet is not emitted until the specified number of flows is reached.

-q: <host>:[<port>] flow sender address and port

This option is used to specify the address and, optionally, the port that will be used by nProbe to emit the flows towards the destination indicated with -n. In practice, nProbe will create a socket and bind it to <host>:[port], thus allowing the user to choose the interface taken by the emitted flows when leaving the host.

-S <pkt rate>:<flow collection rate>:<flow export rate>

Three different rates can be specified with this option:

  • Packet capture sampling rate <pkt rate>. This rate is effective for interfaces specified with -i and allows to control the sampling rate of incoming packets. For example, a sampling rate of 100 will instruct nprobe to actually process one packet out of 100, discarding all the others. All the statistics, including total bytes and packets, will be automatically up-scaled by nprobe to reflect the sample rate. In the previous example, the size of the sampled packet will be multiplied by 100. <pkt rate> can be prepended with a ‘@’ to instruct nprobe to only use the sampling rate for the up-scaling, without performing any actual sampling. This is particularly useful when incoming packets are already sampled on the capture device connected to nprobe but it is still meaningful to have up-scaled statistics.
  • Flow collection sampling rate <flow collection rate>. This rate works when nprobe is in collector mode, that is, when option –collector-port is used and specifies the flow rate at which flows being collected have been sampled. In this case, no actual sampling is performed on the incoming flows. The specified rate is only used to perform the upscaling. For example, a flow with 250 IN_BYTES will be up-scaled by a factor equal to the sampling rate. If the sampling rate is 100, a total of 2500 IN_BYTES will be accounted for that flow.
  • Flow export rate <flow export rate>. This rate is effective when nprobe exports NetFlow towards a downstream collector, that is, when option -n is used. It controls the output sampling. For example, a <flow export rate> of 100 will cause nprobe to only export 1 flow out of 100 towards the downstream collector.

-A: AS file

Network probes are usually installed on systems where the routing information is available (e.g. via BGP) in order to specify the AS (Autonomous System) id of the flow peer. As nProbe has no access to BGP information unless you enable the BGP plugin, users need to provide this information by means of a static file whose format is <AS>:<network>. The file can be stored in both plain text and gzip format.

--city-list: City List

With this option you can enable geolocation of IP addresses at city/country detail level. Here you need to specify the GeoIP city database (e.g. GeoLiteCity.dat)
-g:
It specifies the path where nProbe will save the process PID.

-T: flow template definition

Contrary to NetFlow v5 where the flow format is fixed, NetFlow V9 and IPFIX flows have a custom format that can be specified at runtime using this option as specified in appendix.

-U: flow template id

NetFlow v9 and IPFIX flows format is specified in a template whose definition is sent by nProbe before to start sending flows. The flow format is defined by –T, where –U is used to set the template identifier. This option should not be used unless the default template value (257) needs to be changed. As based on -T nProbe can define several templates, this value is the one used for the first defined template.

-V: flow export version

It is used to specify the flow version for exported flows. Supported versions are 5 (v5), 9 (v9) and 10 (IPFIX).

-o: intra templates packet export.

It specifies the number of flow packets that are exported between two templates export.

--aggregate-gtp-tunnels

Aggregates traffic flowing in each GTP tunnel based in tunnel id.

-L: local networks

Use this flag to specify (format network/mask, e.g. 192.168.0.10/24) the list of networks that are considered local (see –c).

-c: track local hosts only

It allows nProbe to set to 0.0.0.0 all those hosts that are considered non-local (see –L). This is useful when it is necessary to restrict the traffic analysis only to local hosts.

-r: set traffic direction

When this option is used (-L must be specified before –r), all the traffic that goes towards the local networks is considered incoming, all the rest is outgoing. This has effect on the –u/-Q that are then forced with –r.

--if-networks

Flags -u and -Q are used to specify the SNMP interface identifiers for emitted flows. In mirrored environments, it is possible to simulate a switched environment by playing with MAC addresses. This option allows users to bind a MAC or IP address to a specified interfaceId.. The syntax of –if-networks is <MAC|IP/mask>@<interfaceId> where multiple entries can be separated by a comma (,). Example: –if-networks “AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2” or –if-networks @<filename> where <filename> is a file path containing the networks specified using the above format.

--count: debug only

Let the probe capture only up to the specified number of packets.

--collector-port: specifies the NetFlow collector port

Use nProbe to collect NetFlow/IPFIX/sFlow packets. Use option --collector-port to specify on which on which ports such packets should be collected. nProbe is able to ingest and convert flows from various versions. For instance nprobe --collector-port 2055 --i 192.168.0.1:2056 --V 10 converts each flow received on port 2055 to IPFIX and sends them to 192.168.0.1:2056.

Option --collector-port can also be used to receive NetFlow/IPFIX/sFlow packets through a ZMQ relay. In this case one should specify a ZMQ endpoint. An implementation of a ZMQ relay is available in executable flowRelay. Run flowRelay -h to see how to use it.

--tunnel:

Let the probe decode tunneled traffic (e.g. GTP or GRE traffic) and thus extract traffic information from such traffic rather than from the external envelope.

--no-promisc:

With this option nProbe does not use promiscuous mode to capture packets.

--smart-udp-frags:

Ignore UDP fragmented packets with fragment offset greater than zero, and compute the fragmented packet length on the initial fragment header. This flag might lead to inaccuracy in measurement but it speeds us operations with fragmented traffic.

--ipsec-auth-data-len

Length of the authentication data of IPSec in tunnel mode. If not set, IPSec will not be decoded but just accounted.

--dump-stats:  dump some flow statistics on file

Periodically dump NetFlow statistics on the specified file. Note that when using nProbe over PF_RING, nProbe dumps statistics on /proc/net/pf_ring/stats/<nprobe stats file>.

--black-list

With this option you can specify a list of networks or hosts from which all the incoming packets will be discarded by the probe. The accepted notation can be CIDR format or the classical network/netmask format.

--pcap-file-list <file>

The specified file path contains a list of pcap files to be read in sequence by nProbe. Use this option when you want nProbe to read a list of pcap files (e.g. when generated using tcpdump).

--biflows-export-policy <policy>

Bi-directional flows are such when there is traffic in both direction of the flow (i.e. source->dest and dest->source). As mono-directional flows might indicate suspicious activities, this flag is used to determine the export policy:

  • 0: Export all know (i.e. mono and bi-directional flows)
  • 1: Export only bi-directional flows, discarding mono-directional flows.
  • 2: Export only mono-directional flows, discarding bi-directional flows.

--csv-separator <separator>

Override the default ‘|’ separator in dumps with the specified one.

--dont-drop-privileges

Do not drop root privileges to user ‘nobody’ when this option is specified. See al –unprivileged-user later int this manual.

--account-l2

NetFlow accounts IP traffic only, not counting layer 2 headers. Using this option the layer 2 headers are also accounted in flow traffic statistics.

--dump-metadata <file>

Dump metadata information into the specified file and quit. This option is useful when users want to know the type of each information element exported by nProbe so that (for instance) they can properly import into a database.

--zmq <socket>

Specify a socket (e.g., tcp://\*:5556) that will be used to deliver flows to subscribers polling the socket. Up to 8 ZMQ endpoints can be specified by repeating the –zmq. When more than one endpoint is specified, nProbe uses an hash function to evenly balance flows among all the defined endpoints. Example:

./nprobe -i eth0 -n none --zmq tcp://\*:5556 --zmq tcp://\*:5557
./ntopng -i tcp://127.0.0.1:5556 -i tcp://127.0.0.1:5557 -i view: tcp://127.0.0.1:5556, tcp://127.0.0.1:5557

--zmq-probe-mode

By default, nProbe act as a ZMQ server that delivers flows to subscribers. Using this switch, its role is reverted. This is typically used in conjunction with ntopng run in collector mode. For a thorough description refer to the section “Using nProbe with ntopng”.

--tcp <server:port>

Delivers flows in JSON format via TCP to the specified pair server:port.

--event-log <file>

Dump relevant activities (e.g. nProbe start/stop or packet drop) onto the specified file.

--enable-throughput-stats

When -P is used, with this option is also possible to generate throughput information. The file has the following format: <epoch> <bytes> <packets>. Each line is printed every second and it contains the number of bytes and packets observed within minute.

--ndpi-proto-ports <file>

Read the nDPI custom protocol and ports configuration from the specified file. Please refer to the nDPI manual for further information about the format of this file.

--disable-l7-protocol-guess

When nDPI is unable to detect a protocol, nProbe uses the port information to guess the protocol. This flag prevents nProbe from doing that, so protocols are detected only by nDPI without relying on default ports.

--db-engine <database engine>

In case flows are dumped on a MySQL database (see later on this manual) the default database engine used by nProbe is MyISAM. With this option you can use another engine (e.g. InnoDB).

--unprivileged-user <name>

When nprobe drops privileges (unless –dont-drop-privileges is used) the user nobody is used. It is possible to use another user by using this option.

--disable-cache

nProbe implements a flow cache for merging packets belonging to the same flow. In proxy/collector mode, nProbe can disable this feature so that incoming flows are not put in cache but immediately exported.

--redis <host>[:<port>]

The redis database (when nProbe is compiled with it) is used to implement a data cache and for aggregating flow information. This option specifies the host (and optionally the port) where redis is listening. nProbe opens several connections to redis (not just one) in order to maximize performance.

--ucloud

This option enables the micro-cloud concept. Please refer to http://www.ntop.org/nprobe/monitoring-on-the-microcloud/ for more information.

--check-license

Checks if the configured license is valid (for binary nProbe’s only).

--disable-startup-checks

During startup nProbe obtains both the management interface IP address and its public IP address. The management interface IP address is the address of the physically-attached interface that carries nProbe network traffic. The public IP address is the address of the management interface as it is seen from the internet. Obtaining the public IP address triggers a request to http://checkip.dyndns.org.

--dump-plugin-families

Dump installed plugin family names.

--minute-expire

Force nProbe to export active flows when a minute elapses. This is useful if you want (e.g. using -P) to have fresh flows every minute and all ending at X minutes, 0 seconds.

As some people prefer to have a configuration file containing the options that otherwise would be specified on the command line, it is also possible to start nProbe as follows:

nprobe <configuration file path>

where the configuration file contains the same options otherwise specified on the command line. The only difference between the command line and the configuration file is that different options need to be specified on different lines. For instance:

nprobe --n 127.0.0.1:2055 -i en0 -a -p

is the same as:

nprobe /etc/nprobe.conf

where :code`/etc/nprobe.conf` contains the following lines:

# cat /etc/nprobe.conf

-n=127.0.0.1:2055
-i=en0
-a=
-p=

Note that flags with no parameter associated (e.g. –a) also need to have ‘=’ specified. Any standard NetFlow collector (e.g. ntop) can be used to analyze the flows generated by nProbe. When used with ntop, the nProbe can act as a remote and light traffic collector and ntop as a central network monitoring console. See chapter 3 for further information about this topic