service data-source

type { ip-traffic | netflow | libpcap | netgraph }
Sets the type of the data source:
  • ip-traffic
    data is taken by intercepting IP packets from the kernel through a divert socket (FreeBSD) or netfilter (Linux 2.4.x)
  • netflow
    data about the traffic that has passed comes from a Cisco router, which exports flow information in NetFlow packets, or from any other collector that supports NetFlow v.5 (ulog2netflow, ipfw2netflow, flowprobe)
  • libpcap
    data is taken by intercepting packets with the libpcap library, which copies selected packets passing through the kernel into the program; this is how tcpdump works, for example. See this section.
  • netgraph
    data is received from a loaded kernel module. FreeBSD only. See this section.

source { tee XXX | divert XXX | ipq | ulog NL1 [NL2 ... NL32] | A.B.C.D | ifname [promisc] | nodename [divert] }
Sets the source of the data:
For FreeBSD
  • tee XXX
    packets are copied into the program and processed by the system in parallel; XXX is the divert port number
  • divert XXX
    packets are diverted into the program, which may or may not return them to the system; XXX is the divert port number
  • nodename [divert]
    a connection is established to the NETGRAPH kernel node nodename. The divert parameter indicates that the flow must be authorized before it is passed on. See this section.
For Linux, netfilter must be present in the system.
For more detail see man iptables and the site www.netfilter.org
  • ipq
    packets are diverted into the program, which may or may not return them to the system. The libipq library is used.
    The ip_queue module must be loaded (modprobe ip_queue). To activate the transfer of packets from the kernel, this must be set in the firewall, for example with the command:
    iptables -A FORWARD -j QUEUE ...
  • ulog NL1 [NL2 ... NL32]
    packets are copied into the program and processed by the system in parallel; NLx are the numbers of the netlink multicast groups on which the program listens for packets sent through ULOG.
    To activate the transfer of packets from the kernel, this must be set in the firewall, for example with the command:
    iptables -A FORWARD -j ULOG --ulog-nlgroup NLx ...
    nlgroup NLx must be in the range 1-32
General
  • A.B.C.D
    the NetFlow stream will arrive from the host (router) with source IP address A.B.C.D on local UDP port 20001, or on the port given in the listen command
  • ifname [promisc]
    the name of the local network interface on which passing packets will be captured.
    If the promisc flag is given, the interface is placed in promiscuous mode. By default it is not set.

listen { 0 | ip } port_number
Sets the IP address and UDP port on which NetFlow packets from the traffic information source (collector) will be received.

clock { remote | local }
Indicates which packet creation time to use when recording information into the database: the local time or the one given in the NetFlow message.

layer7-detect { none | urls }
Enables URL detection in the traffic that passes through this data-source. Valid values are "none" (disabled) or "urls". In the latter case, the first few packets with destination ports 80, 81, 8080, 8000, 3128 are inspected for Host: and GET fields. This data is passed to the monitoring service if desired (new column "layer7" in the "monitor" table).

rule ID rule_string
Sets the system rule according to which data will reach the program:
  • ID
    the rule number; on Linux it has no meaning, since rules are appended to the end of the chain
  • rule_string
    the rule as a text string, which is passed to the system (Linux or FreeBSD) to install the packet interceptor.

no rule ID
Removes the rule with number ID.
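As an added example (not NeTAMS code), a small linter that checks a data-source block against the constraints listed above: a valid type, a source form that fits the type, ulog groups within 1-32, and the listen, clock and layer7-detect values. The pairing of each type with the source forms this page groups under it is an assumption.

```python
import re

TYPES = {"ip-traffic", "netflow", "libpcap", "netgraph"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def _check_source(src_type, args):
    """Problems with the 'source' arguments (assumed: each type takes only the forms this page lists under it)."""
    head = args[0] if args else ""
    if src_type == "ip-traffic":
        if head == "ipq" and len(args) == 1 or head in ("tee", "divert") and len(args) == 2 and args[1].isdigit():
            return []
        if head == "ulog":
            groups = args[1:]
            if 1 <= len(groups) <= 32 and all(g.isdigit() and 1 <= int(g) <= 32 for g in groups):
                return []
            return ["ulog needs 1..32 netlink groups, each in the range 1-32"]
        return ["ip-traffic expects 'tee N', 'divert N', 'ipq' or 'ulog NL...'"]
    if src_type == "netflow":
        return [] if len(args) == 1 and IPV4.match(head) else ["netflow expects an IPv4 source address"]
    if src_type == "libpcap":
        ok = len(args) == 1 or (len(args) == 2 and args[1] == "promisc")
        return [] if ok else ["libpcap expects 'ifname [promisc]'"]
    ok = len(args) == 1 or (len(args) == 2 and args[1] == "divert")  # netgraph
    return [] if ok else ["netgraph expects 'nodename [divert]'"]

def lint_data_source(text):
    """Lint one 'service data-source' block; returns a list of problems (empty means OK)."""
    errors, seen = [], {}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "service":  # skip blank lines and the block header
            continue
        if words[0] == "rule" and not (len(words) >= 3 and words[1].isdigit()):
            errors.append("rule expects a numeric ID followed by the rule string")
        seen[words[0]] = words[1:]
    src_type = " ".join(seen.get("type", []))
    if src_type not in TYPES:
        errors.append("type must be one of " + ", ".join(sorted(TYPES)))
    if "source" not in seen:
        errors.append("source is missing")
    elif src_type in TYPES:
        errors += _check_source(src_type, seen["source"])
    if (a := seen.get("listen")) is not None and not (len(a) == 2 and (a[0] == "0" or IPV4.match(a[0]))
                                                     and a[1].isdigit() and 1 <= int(a[1]) <= 65535):
        errors.append("listen expects '{0 | ip} port_number'")
    if "clock" in seen and seen["clock"] not in (["remote"], ["local"]):
        errors.append("clock must be 'remote' or 'local'")
    if "layer7-detect" in seen and seen["layer7-detect"] not in (["none"], ["urls"]):
        errors.append("layer7-detect must be 'none' or 'urls'")
    return errors
```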
