How can I change the default groups and channels for flow and Packet Sniffer sensors?

Votes:

1

I would like to adjust the available groups and channels in the channel configuration of the default Packet Sniffer and flow sensors. Furthermore, I would like to remove groups and channels that are not suitable for my network setup from the channel selection and add my own definitions to it.

How can I change the default channel configuration settings so that I do not have to create an individual custom Flow or Packet Sniffer sensor each time to make it applicable to my network?

channel-configuration customize flow netflow packet-sniffer prtg sflow

Created on Apr 15, 2014 3:04:53 PM by  Gerald Schoch [Paessler Support]

Last change on Dec 2, 2021 8:07:24 AM by  Maike Guba [Paessler Support]



9 Replies

Accepted Answer

Votes:

1

This article applies as of PRTG 22

Adjusting the default flow and Packet Sniffer channel configuration

The default flow (jFlow v5, NetFlow v5, NetFlow v9, IPFIX, sFlow) and Packet Sniffer sensors provide several categories to which you can also account the measured traffic. You can define if a traffic group counts as a separate channel (or is assigned to a standard channel) and if the traffic of this group is further divided into individual channels.

By default, PRTG creates one channel for each available group:

Channel selection

Since the default channel selection might not be suitable for certain use cases, you can edit the flow rules to get a new custom default channel configuration. This also allows you to:

  • adjust default settings for the channel groups: create one channel for the whole traffic group (Yes), or create several channels to further divide them (Detail), or do not create any channel and count the traffic of this group for the default channel Other Protocols (No) by default.
  • enhance existing channels, for example, if ports other than the default ports are used.
  • add new groups and channels that you often use: this is easier and faster than to define them in custom flow and Packet Sniffer sensors.
  • remove channels that you do not need or that are not applicable to your setup.

How to edit flow rules

To change the default groups and channels, follow the steps below to edit the FlowRules.osr file.

Note: If you edit this file, all flow and Packet Sniffer sensors are changed. This also applies to sensors that already exist. Also note that changing the detail level Yes, No, or Detail only affects sensors that are newly created. We strongly recommend that you test any changes in a test environment before you apply them to your live installation. If you delete FlowRules.osr, PRTG uses the default settings again.

  • Find FlowRules.osr in your PRTG program directory.
  • Create a copy of the file FlowRules.osr and rename the copy to CustomFlowRules.osr. This way, you prevent the installer from overwriting your custom rules when updating PRTG. Note that PRTG overwrites the FlowRules.osr file as soon as a file named CustomFlowRules.osr exists. Any differently named OSR file is disregarded.
  • Open the created file CustomFlowRules.osr with a text editor.
  • When editing the file, keep the channel and group IDs as they are. If you do not change the IDs, PRTG can match the channels with the configuration and historic data.
  • The definitions are processed starting at the topmost entry consecutively to the bottom. Because of this, we recommend that you first define specific rules and then more general rules (for example, the Various traffic group).
  • You can individually define the default setting for each group about how detailed the traffic is split into channels with a default value. See below for more information.
  • For details on the syntax of the filter rules, see PRTG Manual: Filter Rules for Flow, IPFIX, and Packet Sniffer Sensors.
  • Restart the PRTG core server so that the changes to the flow rules take effect.

Structure of the flow rules file

The basic structure of the file with the flow rules looks like this:

<!-- explanation -->
<?xml declaration>
<groups>
	<group id="unique integer" name="unique name">
		<caption>displayed group name</caption>
		<help>displayed text for content</help>
		<defaultvalue>0, 1, or 2</defaultvalue>
		<channels>
			<channel id="unique integer" name="displayed channel name">
				<rule>traffic filter rule</rule>
			</channel>
			[several other channel definitions]
		</channels>
	</group>
	[several other group definitions]
</groups>

  • The default FlowRules.osr file starts with an explanation of the flow rules’ functionality between the comment tags <!-- and -->. Keep this in CustomFlowRules.osr to always have a quick overview about how to edit the file.
  • The <?xml> tag defines the content as XML.
  • In the <groups> tag, all groups and their channels are defined.
  • Each group is defined within one dedicated <group> tag. Each group needs a unique ID (which you should not change for existing groups) and a unique name to identify this group.
  • A group definition contains the following:
    • <caption>: The caption is shown in the Group column of the sensors’ channel configuration.
    • <help>: The help text is shown in the Content column in front of the actual channel names.
    • <defaultvalue>: This sets the default setting for traffic division. You can use
      • 1 for the Yes setting (create one channel for the traffic group),
      • 2 for the Detail setting (create several channels to further divide the traffic),
      • 0 for the No setting (traffic of this group counts for the Other channel).
    • <channels>: Define the channels of a traffic group in this tag.
  • The <channel> tag contains single channel definitions with the corresponding traffic rules.
    • One channel definition is given in one <channel> tag. This tag contains parameters for a unique ID (which you should not change for existing channels) and for a name that is displayed for this channel.
    • In the <channel> tag, define the filter rule for this channel in the <rule> tag. For the syntax, see the PRTG Manual: Filter Rules for Flow, IPFIX, and Packet Sniffer Sensors.

Created on Apr 15, 2014 3:14:37 PM by  Gerald Schoch [Paessler Support]

Last change on Jan 4, 2023 11:52:09 AM by  Brandy Greger [Paessler Support]



Votes:

1

Hello, We are currently using custom flows definition, but we are experiencing an annoying behavior. We've been giving a try to Netflow sensors on PRTG, which we found quite useful. But we also decided to customize it a bit using the customnetflowrules.osr definition file. This being said, it worked well, until we realized that the sensors created before using the customflowrules.osr file were not displaying the new channels on existing netflow data, although the channel was present in the settings. Now each time we edit the customflowrules.osr, we have to re-create the netflow (v9) sensors to map the data to the edited channels. Which is very painful when running 200+ netflow sensors. Is there any way not to recreate manually the sensors every time we edit the custom channels? Or maybe "restarting" the channel among netflow data?

Created on Feb 9, 2016 1:37:30 PM



Votes:

0

Hello prtg_pew, thank you for your feedback.

When editing the flowrules.osr file, keep the channel and group IDs as they are. If you do not change the IDs, PRTG can match the channels with the configuration and historic data. If you, for instance, delete or rename a group, existing sensors may not update those changes correctly, as sensor channels can't be modified/deleted.

You should always "experiment" by using a flow (custom) sensor variant. Once you're "satisfied" with your flow definition, update the standard flowrules file and then deploy the final sensors; otherwise you may need to delete and re-create your flow sensors multiple times.

Best Regards,

Created on Feb 10, 2016 2:33:23 PM by  Luciano Lingnau [Paessler]

Last change on Dec 2, 2021 8:09:02 AM by  Maike Guba [Paessler Support]



Votes:

0

Hello, I'm testing PRTG version 16.2.24.3791.

I'm having some issues adjusting the default xFlow and Packet Sniffer Channel Configuration for a Packet Sniffer Sensor.

First of all, I found in the default FlowRules.osr file that the channel ID for HTTPS and Citrix were the same, Channel id="1023". Could you please let me know if this is correct, as it is said that the Channel id should be unique?

I've created a customflowrules.osr as specified and added the following channels, but after a restart of the PRTG server they are not showing on the sensor. Could you please help?

<!--
This file is used for the filter settings of all not custom flow sensors (Packet Sniffer, NetFlow V5 & V9, IPFIX, sFlow).
Copy this file to "CustomFlowRules.osr" to prevent the installer from overriding your changes on the next update.
Changes affect existing sensors! Check all changes in a testing environment before using productive.
Channel and group IDs should stay the same so PRTG can match the channels with the configuration and historic data.
"defaultvalue" setting for groups: 0=no 1=yes 2=detail
As with custom rule settings the channels are processed top to bottom. Specific rules should be before more general rules like the "Various" rule.
For the rule syntax check the PRTG manual.
-->
<?xml version="1.0" encoding="ISO8859-1"?>
<groups>
  <group id="3001" name="WWW">
    <caption>Web</caption>
    <help>WWW Traffic</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1001" name="HTTP">
        <rule>
            Protocol[TCP] 
               and ( SourcePort[80] or DestinationPort[80] 
                      or SourcePort[8080] or DestinationPort[8080])
          </rule>
      </channel>
      <channel id="1023" name="HTTPS">
        <rule>
            Protocol[TCP] and (SourcePort[443] or DestinationPort[443]) 
          </rule>
      </channel>
    </channels>
  </group>
  <group id="3002" name="FTP/P2P">
    <caption>File Transfer</caption>
    <help>File Transfer</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1024" name="FTP (Control)">
        <rule>
            Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21])
          </rule>
      </channel>
    </channels>
  </group>
  <group id="3003" name="Mail">
    <caption>Mail</caption>
    <help>Mail Traffic</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1006" name="IMAP">
        <rule>
            (Protocol[TCP] or Protocol[UDP]) and   ( DestinationPort[143] or SourcePort[143]  or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993]  )
          </rule>
      </channel>
      <channel id="1008" name="POP3">
        <rule>
            Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])
          </rule>
      </channel>
      <channel id="1011" name="SMTP">
        <rule>
            Protocol[TCP] and (SourcePort[25] or DestinationPort[25] or SourcePort[587] or DestinationPort[587])
          </rule>
      </channel>
    </channels>
  </group>
  <group id="3004" name="Chat">
    <caption>Chat</caption>
    <help>Chat, Instant Messaging</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1007" name="IRC">
        <rule>
            Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])
          </rule>
      </channel>
      <channel id="1025" name="AIM">
        <rule>
            Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190]) 
      </rule>
      </channel>
    </channels>
  </group>
  <group id="3005" name="Remote Control">
    <caption>Remote Control</caption>
    <help>Remote Control</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1009" name="RDP">
        <rule>
            (Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])
          </rule>
      </channel>
      <channel id="1014" name="SSH">
        <rule>
            Protocol[TCP] and (SourcePort[22] or DestinationPort[22])
          </rule>
      </channel>
      <channel id="1016" name="Telnet">
        <rule>
            Protocol[TCP] and (SourcePort[23] or DestinationPort[23])
          </rule>
      </channel>
      <channel id="1017" name="VNC">
        <rule>
            Protocol[TCP] and   (SourcePort[5800] or DestinationPort[5800] or    SourcePort[5900] or DestinationPort[5900])
          </rule>
      <channel id="9000" name="Dameware">
        <rule>
            Protocol[TCP] and   (SourcePort[6129] or DestinationPort[6129])
          </rule>		  
      </channel>
    </channels>
  </group>
  <group id="3007" name="Infrastructure">
    <caption>Infrastructure</caption>
    <help>Network Services</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1003" name="DHCP">
        <rule>
            Protocol[UDP]
              and ((SourcePort[68] and DestinationPort[67])
                    or (SourcePort[67] and DestinationPort[68])  )
          </rule>
      </channel>
      <channel id="1004" name="DNS">
        <rule>
            (Protocol[TCP] or Protocol[UDP]) and   (SourcePort[53] or DestinationPort[53])
          </rule>
      </channel>
      <channel id="1005" name="Ident">
        <rule>
            Protocol[TCP] and (SourcePort[113] or DestinationPort[113])
          </rule>
      </channel>
      <channel id="1018" name="ICMP">
        <rule>
            Protocol[ICMP]
          </rule>
      </channel>
      <channel id="1012" name="SNMP">
        <rule>
            Protocol[TCP] and (SourcePort[161-162] or DestinationPort[161-162])
          </rule>
      </channel>
    </channels>
  </group>
  <group id="3008" name="NetBIOS">
    <caption>NetBIOS</caption>
    <help>NetBIOS</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1019" name="NETBIOS">
        <rule>
            (Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139]  OR SourcePort[137-139])
          </rule>
      </channel>
    </channels>
  </group>
  <group id="3010" name="Citrix">
    <caption>Citrix</caption>
    <help>Citrix</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1026" name="Citrix">
        <rule>
          Protocol[TCP] and (Port[1494] or Port[2598] or Port[2512])
        </rule>
      </channel>
    </channels>
  </group>
  <group id="3011" name="Voice">
    <caption>Voix</caption>
    <help>Voice</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1026" name="SIP">
        <rule>
          Protocol[TCP] and (Port[5060])
        </rule>
      <channel id="1027" name="H323TCP">
        <rule>
          Protocol[TCP] and (Port[1720])
        </rule>
      <channel id="1028" name="H323UDP">
        <rule>
          Protocol[UDP] and (Port[1719])
        </rule>
      <channel id="1029" name="AVAYAUDP">
        <rule>
          Protocol[UDP] and (Port[2048-3329])
        </rule>
      <channel id="1030" name="AVAYATCP">
        <rule>
          Protocol[TCP] and (Port[13926])
        </rule>				
	  <channel id="1031" name="RTP">
        <rule>
          Protocol[UDP] and (Port[2048-3329] or Port[1024-65535])
        </rule>
      </channel>
    </channels>
  </group>
  
  <group id="3009" name="Various">
    <caption>Other Protocols</caption>
    <help>Various</help>
    <defaultvalue>1</defaultvalue>
    <channels>
     <channel id="1021" name="OtherUDP">
        <rule>
            Protocol[UDP]
          </rule>
      </channel>
      <channel id="1022" name="OtherTCP">
        <rule>
            Protocol[TCP]
          </rule>
      </channel>
    </channels>
  </group>
</groups>

Created on Jun 16, 2016 8:04:06 PM

Last change on Jun 17, 2016 6:07:37 AM by  Luciano Lingnau [Paessler]



Votes:

0

Please check the following:

      <channel id="1017" name="VNC">
        <rule>
            Protocol[TCP] and   (SourcePort[5800] or DestinationPort[5800] or    SourcePort[5900] or DestinationPort[5900])
          </rule>
      <channel id="9000" name="Dameware">
        <rule>
            Protocol[TCP] and   (SourcePort[6129] or DestinationPort[6129])
          </rule>		  
      </channel>

You're not closing the <channel> for id=1017. The same issue also happens a couple of times for group id="3011". You can use any XML validator of your preference to validate the syntax of your file; it must comply with the XML syntax. Leave the "header" out when validating the XML:

<!--
This file is used for the filter settings of all not custom flow sensors (Packet Sniffer, NetFlow V5 & V9, IPFIX, sFlow).
Copy this file to "CustomFlowRules.osr" to prevent the installer from overriding your changes on the next update.
Changes affect existing sensors! Check all changes in a testing environment before using productive.
Channel and group IDs should stay the same so PRTG can match the channels with the configuration and historic data.
"defaultvalue" setting for groups: 0=no 1=yes 2=detail
As with custom rule settings the channels are processed top to bottom. Specific rules should be before more general rules like the "Various" rule.
For the rule syntax check the PRTG manual.
-->



Best Regards,
Luciano Lingnau [Paessler Support]

Created on Jun 17, 2016 8:37:42 AM by  Luciano Lingnau [Paessler]

Last change on Jun 17, 2016 8:37:56 AM by  Luciano Lingnau [Paessler]
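
The structure rules from the accepted answer and the validation advice in the reply above can be checked in one pass before the core server is restarted. This is an added example, not Paessler's code: `check_flow_rules`, `check_id` and the sample file are hypothetical, channel IDs are assumed to be unique across the whole file, and the catch-all warning is a heuristic derived from the top-to-bottom processing order.

```python
import re
import xml.etree.ElementTree as ET

# The <!-- ... --> header sits before the <?xml ?> declaration, so a strict
# XML parser rejects the file until the header is left out.
HEADER = re.compile(r"\A\s*<!--.*?-->\s*", re.DOTALL)
PROTOCOL = re.compile(r"Protocol\[(\w+)\]", re.IGNORECASE)

def check_id(elem, seen):
    """Report a non-integer or repeated id on a <group> or <channel>."""
    ident, label = elem.get("id"), f"{elem.tag} {elem.get('name')!r}"
    if ident is None or not ident.isdigit():
        return [f"{label}: id {ident!r} is not an integer"]
    if ident in seen[elem.tag]:
        return [f"{label}: id {ident} already used by {seen[elem.tag][ident]!r}"]
    seen[elem.tag][ident] = elem.get("name")
    return []

def check_flow_rules(text):
    """Return a list of problems found in flow rules file content."""
    try:
        root = ET.fromstring(HEADER.sub("", text, count=1).lstrip())
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems, seen, catch_all = [], {"group": {}, "channel": {}}, {}
    for group in root.iter("group"):
        problems += check_id(group, seen)
        default = (group.findtext("defaultvalue") or "").strip()
        if default not in ("0", "1", "2"):
            problems.append(f"group {group.get('name')!r}: defaultvalue {default!r} not in 0/1/2")
        for channel in group.iter("channel"):
            problems += check_id(channel, seen)
            rule = " ".join((channel.findtext("rule") or "").split())
            # Heuristic: rules run top to bottom; a bare Protocol[X] above takes X.
            for proto in sorted({p.upper() for p in PROTOCOL.findall(rule)}):
                if proto in catch_all:
                    problems.append(f"channel {channel.get('name')!r}: {proto} traffic "
                                    f"already taken by {catch_all[proto]!r} above it")
            if whole := PROTOCOL.fullmatch(rule):
                catch_all.setdefault(whole.group(1).upper(), channel.get("name"))
    return problems

# Constructed sample (not from the page); BROKEN drops one </channel>.
SAMPLE = """<!-- Explanation header, as at the top of the default file. -->
<?xml version="1.0" encoding="ISO8859-1"?>
<groups>
  <group id="3010" name="Citrix"><defaultvalue>1</defaultvalue><channels>
    <channel id="1026" name="Citrix"><rule>Protocol[TCP] and Port[1494]</rule></channel>
  </channels></group>
  <group id="3009" name="Various"><defaultvalue>1</defaultvalue><channels>
    <channel id="1022" name="OtherTCP"><rule> Protocol[TCP] </rule></channel>
  </channels></group>
  <group id="3011" name="Voice"><defaultvalue>3</defaultvalue><channels>
    <channel id="1026" name="SIP"><rule>Protocol[TCP] and (Port[5060])</rule></channel>
  </channels></group>
</groups>"""
BROKEN = SAMPLE.replace("</rule></channel>", "</rule>", 1)
if __name__ == "__main__":
    print(*check_flow_rules(SAMPLE), *check_flow_rules(BROKEN), sep="\n")
```

For a real file, pass the text of CustomFlowRules.osr read with the ISO-8859-1 encoding named in its XML declaration.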



Votes:

0

This looks like it would be the solution we're looking for. I copied the default FlowRules to CustomFlowRules, added a few groups/channels that I need to monitor and restarted services. The content XML validates fine.

In the PRTG GUI, I can see the new channels show up in the Channel Configuration of the default NetFlow sensor and they are selected yes or detail, but only one out of the 5 or 6 new groups/channels show up in any graphs or tables. If I go to Edit Settings > Channel Settings, only the default Channels plus my one custom one show up, none of the additional groups that I added show up.

How can I get the rest of my custom Groups/channels to show up?

Thanks!

Created on Dec 20, 2016 11:01:13 PM



Votes:

0

Hello there, thank you for your post.

The channels will only be created within the graphs/tables when there is data that matches the channel's definition, otherwise it is "left out".

[...]only the default Channels plus my one custom one show up

Did you take this into consideration when modifying the file:

[...]adjust default settings for the channel groups: create one channel for the whole traffic group (“Yes”), or create several channels to further divide them (“Detail”), or do not create any channel and count the traffic of this group for the default channel “Other” (“No”) by default.

Please contact us via a support ticket and share the modified customflowrules.osr file once you receive the confirmation e-mail.

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Dec 21, 2016 12:14:11 PM by  Luciano Lingnau [Paessler]



Votes:

0

Hello- Do I need a probe for NetFlow or can I add the sensor in my PRTG host?

Created on Mar 23, 2020 2:03:14 PM



Votes:

0

You can add the Sensor to any device on any Probe, but the traffic must be sent to the same.

Created on Mar 23, 2020 8:00:09 PM by  Stephan Linke [Paessler Support]



