New Question
 

Back to www.paessler.com

 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

300.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>
 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


Can I add custom channels to standard Packet Sniffer and NetFlow sensors?

Votes:

2

Your Vote:

Up

Down

I would like to add my own channels to an existing Packet Sniffer or xFlow (NetFlow, sFlow) sensor. Is this possible?

custom-channel netflow packet-sniffing prtg sflow xflow

Created on Mar 10, 2010 9:39:38 AM by Daniel Zobel [Product Manager]

Last change on Mar 12, 2010 11:40:34 AM by Daniel Zobel [Product Manager]



12 Replies

Accepted Answer

Votes:

3

Your Vote:

Up

Down

Update for PRTG Network Monitor 14.1.10 or later

As of PRTG version 14.1.10, you can edit the default traffic groups and channels of the standard xFlow and Packet Sniffer sensors. These changes also apply to already existing sensors.

For details, please see the article How can I change the default groups and channels for xFlow and Packet Sniffer sensors?.

With this method, you can also add custom channels to the available sensors without using custom sensors. However, you can still use the approach as given below.

This article applies to PRTG Network Monitor 19 or later, as well as to previous (deprecated) versions.

Unfortunately, it's not possible to add custom channels to existing Packet Sniffer / xFlow sensors until PRTG version 14.1.10 (see above). But there is another solution:

Creating a custom Packet Sniffer / xFlow sensor with standard channels plus your own definitions

You can create a new custom sensor that uses the default channels plus your own channel definitions:

Step 1: Create a custom sensor

  • Depending on what you need, create a custom Packet Sniffer or custom NetFlow / sFlow sensor in the PRTG web interface.
  • When using NetFlow, fill in the required fields "Netflow Port" and "Active Flow Timeout".

Step 2: Copy the required default channels

Copy the required default channels (see below) into the "Channel Definition" box. There are two sets, the "Group" and the "Detail" definitions.

Group definitions:

#3001:WWW
(Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])) OR (Protocol[TCP] and (SourcePort[443] or DestinationPort[443]))

#3002:FTP/P2P
(Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21]))

#3003:Mail
((Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] )) OR (Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])) OR (Protocol[TCP] and (SourcePort[25] or DestinationPort[25]))

#3004:Chat
(Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])) OR (Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190]))

#3005:Remote Control
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])) OR (Protocol[TCP] and (SourcePort[22] or DestinationPort[22])) OR (Protocol[TCP] and (SourcePort[23] or DestinationPort[23])) OR (Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900]))

#3007:Infrastructure
(Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )) OR ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])) OR (Protocol[TCP] and (SourcePort[113] or DestinationPort[113])) OR (Protocol[ICMP]) OR (Protocol[TCP] and (SourcePort[161-162] or DestinationPort[161-162]))

#3008:NetBIOS
((Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR SourcePort[137-139]))

#3009:Various
(Protocol[UDP]) OR (Protocol[TCP])

Detail definitions:

#1001:HTTP
Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])

#1023:HTTPS
Protocol[TCP] and (SourcePort[443] or DestinationPort[443])

#1024:FTP (Control)
Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21])

#1006:IMAP
(Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] )

#1008:POP3
Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])

#1011:SMTP
Protocol[TCP] and (SourcePort[25] or DestinationPort[25])

#1007:IRC
Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])

#1025:AIM
Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190])

#1009:RDP
(Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])

#1014:SSH
Protocol[TCP] and (SourcePort[22] or DestinationPort[22])

#1016:Telnet
Protocol[TCP] and (SourcePort[23] or DestinationPort[23])

#1017:VNC
Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900])

#1003:DHCP
Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )

#1004:DNS
(Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])

#1005:Ident
Protocol[TCP] and (SourcePort[113] or DestinationPort[113])

#1018:ICMP
Protocol[ICMP]

#1012:SNMP
Protocol[TCP] and (SourcePort[161-162] or DestinationPort[161-162])

#3008:NetBIOS
((Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR SourcePort[137-139]))

#3010:Citrix
Protocol[TCP] and (Port[1494] or Port[2598] or Port[2512])

#1021:OtherUDP
Protocol[UDP]

#1022:OtherTCP
Protocol[TCP]

Step 3: Add your own channels

Add your own channels to the default definitions in the "Channel Definition" box.

  • Your own channels are usually more specific and therefore these channel definitions should be inserted before the more generic definitions. Any traffic is only accounted in the first channel that matches the filter.
  • Make sure that you use unique channel numbers when adding your sensors!

Step 4: Save and test

Click on Continue to create the sensor and test it.

See also

How do the channel definitions for custom Packet Sniffing, xFlow, and IPFIX sensors work?

Created on Mar 10, 2010 9:52:52 AM by Daniel Zobel [Product Manager]

Last change on Dec 4, 2020 3:22:35 PM by Brandy Greger [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Thanks for posting this. If I am reading this right....in case you get 'new' traffic (as in unauthorized application such as file-sharing) PRTG will not map it but just tag it as 'various'. How would you setup a trigger to warn you about it if you can not really investigate what channels the various traffic refers to?The fact that my 'various' or 'other' traffic has increased....don't think so.

Seems like netflow is really underused here or that there needs to be a larger list of port mapping. IMHO all known ports should be in there by default and if nothing is detected then nothing is logged. 4-5 channels is just not enough of traffic info for a router. So, if I may, suggestion to make a script allowing us to check/select ports we want mapped out and generate definitions as seen above. Thanks!

Created on Oct 1, 2010 6:19:53 PM by PriSupport (0)



Votes:

0

Your Vote:

Up

Down

The idea is to define all used ports of the specific system you know (using the custom channels), so a increase in various or other is supicious and should be analyzed.

Defining anything "known" as predefined channels is not simple and can be misleading if ports are used for something else by malicous software.

Created on Oct 5, 2010 12:13:23 PM by Jens Rupp [Paessler Support]



Votes:

0

Your Vote:

Up

Down

I have tried adding new channel definitions to a custom packet sniffer. It seems to allow it but I do not get any new channels under the channel tab, hence any matches I might get are not shown in a color on the graph, and I do not get a color key for the new definition. What am I doing wrong?

Created on Nov 20, 2010 1:28:30 AM by nicknack (0)



Votes:

0

Your Vote:

Up

Down

I wrote previuosly that I could not get the above to work. However it does seem to be working now. But it takes absolutely ages for any new channels to take affect. Is there any way of speeding this up? I have tried pausing and resuming without success.

Created on Nov 20, 2010 5:57:54 PM by nicknack (0)



Votes:

1

Your Vote:

Up

Down

Heres my very simple list of names for ports (you can paste this right into a new custom sflow sensor channel config):

#7:Echo
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[7] or DestinationPort[7]))

#19:Chargen
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[19] or DestinationPort[19]))

#20:FTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[20] or DestinationPort[20]))

#21:FTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[21] or DestinationPort[21]))

#22:SSHSCP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[22] or DestinationPort[22]))

#23:Telnet
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[23] or DestinationPort[23]))

#25:SMTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[25] or DestinationPort[25]))

#42:WINSReplication
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[42] or DestinationPort[42]))

#43:WHOIS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[43] or DestinationPort[43]))

#49:TACACS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[49] or DestinationPort[49]))

#53:DNS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53]))

#67:DHCPBOOTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[67] or DestinationPort[67]))

#68:DHCPBOOTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[68] or DestinationPort[68]))

#69:TFTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[69] or DestinationPort[69]))

#70:Gopher
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[70] or DestinationPort[70]))

#79:Finger
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[79] or DestinationPort[79]))

#80:HTTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[80] or DestinationPort[80]))

#88:Kerberos
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[88] or DestinationPort[88]))

#102:MSExchange
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[102] or DestinationPort[102]))

#110:POP3
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[110] or DestinationPort[110]))

#113:Ident
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[113] or DestinationPort[113]))

#119:NNTPUsenet
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[119] or DestinationPort[119]))

#123:NTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[123] or DestinationPort[123]))

#135:MicrosoftRPC
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[135] or DestinationPort[135]))

#137:NetBIOS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[137] or DestinationPort[137]))

#139:NetBIOS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[139] or DestinationPort[139]))

#143:IMAP4
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[143] or DestinationPort[143]))

#161:SNMP
((Protocol[UDP] or Protocol[UDP]) and (SourcePort[161] or DestinationPort[161]))

#162:SNMP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[162] or DestinationPort[162]))

#177:XDMCP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[177] or DestinationPort[177]))

#179:BGP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[179] or DestinationPort[179]))

#201:AppleTalk
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[201] or DestinationPort[201]))

#264:BGMP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[264] or DestinationPort[264]))

#318:TSP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[318] or DestinationPort[318]))

#381:HPOpenview
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[381] or DestinationPort[381]))

#382:HPOpenview
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[382] or DestinationPort[382]))

#383:HPOpenview
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[383] or DestinationPort[383]))

#389:LDAP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[389] or DestinationPort[389]))

#411:DirectConnect
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[411] or DestinationPort[411]))

#412:DirectConnect
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[412] or DestinationPort[412]))

#443:HTTPoverSSL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[443] or DestinationPort[443]))

#445:MicrosoftDS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[445] or DestinationPort[445]))

#464:Kerberos
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[464] or DestinationPort[464]))

#465:SMTPoverSSL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[465] or DestinationPort[465]))

#497:Retrospect
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[497] or DestinationPort[497]))

#500:ISAKMP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[500] or DestinationPort[500]))

#512:rexec
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[512] or DestinationPort[512]))

#513:rlogin
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[513] or DestinationPort[513]))

#514:syslog
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[514] or DestinationPort[514]))

#515:LPDLPR
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[515] or DestinationPort[515]))

#520:RIP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[520] or DestinationPort[520]))

#521:RIPngIPv6
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[521] or DestinationPort[521]))

#540:UUCP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[540] or DestinationPort[540]))

#554:RTSP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[554] or DestinationPort[554]))

#546:DHCPv6
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[546] or DestinationPort[546]))

#547:DHCPv6
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[547] or DestinationPort[547]))

#560:rmonitor
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[560] or DestinationPort[560]))

#563:NNTPoverSSL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[563] or DestinationPort[563]))

#587:SMTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[587] or DestinationPort[587]))

#591:FileMaker
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[591] or DestinationPort[591]))

#593:MicrosoftDCOM
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[593] or DestinationPort[593]))

#631:InternetPrinting
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[631] or DestinationPort[631]))

#636:LDAPoverSSL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[636] or DestinationPort[636]))

#639:MSDPPIM
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[639] or DestinationPort[639]))

#646:LDPMPLS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[646] or DestinationPort[646]))

#691:MSExchange
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[691] or DestinationPort[691]))

#860:iSCSI
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[860] or DestinationPort[860]))

#873:rsync
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[873] or DestinationPort[873]))

#902:VMwareServer
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[902] or DestinationPort[902]))

#989:FTPOverSSL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[989] or DestinationPort[989]))

#990:FTPoverSSL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[990] or DestinationPort[990]))

#993:IMAP4overSSL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[993] or DestinationPort[993]))

#995:POP3overSSL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[995] or DestinationPort[995]))

#1025:MicrosoftRPCORaim
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1025] or DestinationPort[1025]))

#1080:SOCKSProxyORMyDoom
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1080] or DestinationPort[1080]))

#1194:OpenVPN
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1194] or DestinationPort[1194]))

#1214:Kazaa
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1214] or DestinationPort[1214]))

#1241:Nessus
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1241] or DestinationPort[1241]))

#1311:DellOpenManage
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1311] or DestinationPort[1311]))

#1337:WASTE
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1337] or DestinationPort[1337]))

#1433:MicrosoftSQL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1433] or DestinationPort[1433]))

#1434:MicrosoftSQL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1434] or DestinationPort[1434]))

#1512:WINS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1512] or DestinationPort[1512]))

#1589:CiscoVQP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1589] or DestinationPort[1589]))

#1701:L2TP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1701] or DestinationPort[1701]))

#1723:MSPPTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1723] or DestinationPort[1723]))

#1725:Steam
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1725] or DestinationPort[1725]))

#1741:CiscoWorks2000
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1741] or DestinationPort[1741]))

#1755:MSMediaServer
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1755] or DestinationPort[1755]))

#1812:RADIUS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1812] or DestinationPort[1812]))

#1813:RADIUS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1813] or DestinationPort[1813]))

#1863:MSN
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1863] or DestinationPort[1863]))

#1985:CiscoHSRP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1985] or DestinationPort[1985]))

#2000:CiscoSCCP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2000] or DestinationPort[2000]))

#2002:CiscoACS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2002] or DestinationPort[2002]))

#2049:NFS
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2049] or DestinationPort[2049]))

#2100:OracleXDB
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2100] or DestinationPort[2100]))

#2222:DirectAdmin
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2222] or DestinationPort[2222]))

#2302:Halo
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2302] or DestinationPort[2302]))

#2745:BagleH
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2745] or DestinationPort[2745]))

#2967:SymantecAV
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2967] or DestinationPort[2967]))

#3050:InterbaseDB
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3050] or DestinationPort[3050]))

#3074:XBOXLive
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3074] or DestinationPort[3074]))

#3124:HTTPProxy
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3124] or DestinationPort[3124]))

#3127:MyDoom
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3127] or DestinationPort[3127]))

#3128:HTTPProxy
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3128] or DestinationPort[3128]))

#3222:GLBP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3222] or DestinationPort[3222]))

#3260:iSCSITarget
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3260] or DestinationPort[3260]))

#3306:MySQL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3306] or DestinationPort[3306]))

#3389:TerminalServer
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389]))

#3689:iTunes
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3689] or DestinationPort[3689]))

#3690:Subversion
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3690] or DestinationPort[3690]))

#3724:WorldofWarcraft
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3724] or DestinationPort[3724]))

#4333:mSQL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[4333] or DestinationPort[4333]))

#4444:Blaster
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[4444] or DestinationPort[4444]))

#4664:GoogleDesktop
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[4664] or DestinationPort[4664]))

#4672:eMule
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[4672] or DestinationPort[4672]))

#4899:Radmin
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[4899] or DestinationPort[4899]))

#5000:UPnP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5000] or DestinationPort[5000]))

#5001:SlingboxORiperf
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5001] or DestinationPort[5001]))

#5004:RTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5004] or DestinationPort[5004]))

#5005:RTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5005] or DestinationPort[5005]))

#5050:YahooMessenger
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5050] or DestinationPort[5050]))

#5060:SIP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5060] or DestinationPort[5060]))

#5190:AIMICQ
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5190] or DestinationPort[5190]))

#5432:PostgreSQL
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5432] or DestinationPort[5432]))

#5500:VNCServer
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5500] or DestinationPort[5500]))

#5554:Sasser
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5554] or DestinationPort[5554]))

#5631:pcAnywhere
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5631] or DestinationPort[5631]))

#5632:pcAnywhere
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5632] or DestinationPort[5632]))

#5800:VNCoverHTTP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5800] or DestinationPort[5800]))

#6112:Battlenet
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6112] or DestinationPort[6112]))

#6129:DameWare
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6129] or DestinationPort[6129]))

#6257:WinMX
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6257] or DestinationPort[6257]))

#6346:Gnutella
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6346] or DestinationPort[6346]))

#6347:Gnutella
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6347] or DestinationPort[6347]))

#6500:GameSpyArcade
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6500] or DestinationPort[6500]))

#6566:SANE
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6566] or DestinationPort[6566]))

#6588:AnalogX
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6588] or DestinationPort[6588]))

#6699:Napster
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6699] or DestinationPort[6699]))

#6970:Quicktime
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6970] or DestinationPort[6970]))

#7212:GhostSurf
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[7212] or DestinationPort[7212]))

#8000:InternetRadio
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8000] or DestinationPort[8000]))

#8080:HTTPProxy
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8080] or DestinationPort[8080]))

#8086:KasperskyAV
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8086] or DestinationPort[8086]))

#8087:KasperskyAV
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8087] or DestinationPort[8087]))

#8118:Privoxy
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8118] or DestinationPort[8118]))

#8200:VMwareServer
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8200] or DestinationPort[8200]))

#8500:AdobeColdFusion
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8500] or DestinationPort[8500]))

#8767:TeamSpeak
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8767] or DestinationPort[8767]))

#8866:BagleB
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8866] or DestinationPort[8866]))

#9100:HPJetDirect
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9100] or DestinationPort[9100]))

#9119:MXit
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9119] or DestinationPort[9119]))

#9800:WebDAV
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9800] or DestinationPort[9800]))

#9898:Dabber
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9898] or DestinationPort[9898]))

#9988:RbotSpybot
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9988] or DestinationPort[9988]))

#9999:Urchin
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9999] or DestinationPort[9999]))

#10000:WebminORBackupExec
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[10000] or DestinationPort[10000]))

#11371:OpenPGP
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[11371] or DestinationPort[11371]))

#12345:NetBus
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[12345] or DestinationPort[12345]))

#14567:Battlefield
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[14567] or DestinationPort[14567]))

#15118:DipnetOddbob
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[15118] or DestinationPort[15118]))

#19226:AdminSecure
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[19226] or DestinationPort[19226]))

#19638:Ensim
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[19638] or DestinationPort[19638]))

#20000:Usermin
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[20000] or DestinationPort[20000]))

#24800:Synergy
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[24800] or DestinationPort[24800]))

#25999:Xfire
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[25999] or DestinationPort[25999]))

#27015:HalfLife
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[27015] or DestinationPort[27015]))

#27374:Sub7
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[27374] or DestinationPort[27374]))

#28960:CallofDuty
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[28960] or DestinationPort[28960]))

#31337:BackOrifice
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[31337] or DestinationPort[31337]))


#3001:WWW
(Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])) OR (Protocol[TCP] and (SourcePort[443] or DestinationPort[443]))

#3002:FTP/P2P
(Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21]))

#3003:Mail
((Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] )) OR (Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])) OR (Protocol[TCP] and (SourcePort[25] or DestinationPort[25]))

#3004:Chat
(Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])) OR (Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190]))

#3005:Remote Control
((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])) OR (Protocol[TCP] and (SourcePort[22] or DestinationPort[22])) OR (Protocol[TCP] and (SourcePort[23] or DestinationPort[23])) OR (Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900]))

#3007:Infrastructure
(Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )) OR ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])) OR (Protocol[TCP] and (SourcePort[113] or DestinationPort[113])) OR (Protocol[ICMP]) OR (Protocol[TCP] and (SourcePort[161-162] or DestinationPort[161-162]))

#3008:NetBIOS
((Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR SourcePort[137-139]))

#3009:Various
(Protocol[UDP]) OR (Protocol[TCP])

#1001:HTTP
Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])

#1023:HTTPS
Protocol[TCP] and (SourcePort[443] or DestinationPort[443])

#1024:FTP (Control)
Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21])

#1006:IMAP
(Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] )

#1008:POP3
Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])

#1011:SMTP
Protocol[TCP] and (SourcePort[25] or DestinationPort[25])

#1007:IRC
Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])

#1009:RDP
(Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])

#1014:SSH
Protocol[TCP] and (SourcePort[22] or DestinationPort[22])

#1016:Telnet
Protocol[TCP] and (SourcePort[23] or DestinationPort[23])

#1017:VNC
Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900])

#1003:DHCP
Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )

#1004:DNS
(Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])

#1005:Ident
Protocol[TCP] and (SourcePort[113] or DestinationPort[113])

#1018:ICMP
Protocol[ICMP]

#1012:SNMP
Protocol[TCP] and (SourcePort[161-162] or DestinationPort[161-162])

#1021:OtherUDP
Protocol[UDP]

#1022:OtherTCP
Protocol[TCP]

Created on Jan 12, 2015 9:05:48 PM by paul hill (10)

Last change on Feb 18, 2015 8:03:05 AM by Felix Saure [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Thank you very much for sharing this detailed config!

Created on Jan 13, 2015 7:30:07 AM by Felix Saure [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Hi:

Please notice that in the "Detailed Definition" listed above SNMP traffic should be defined as Protocol[UDP], NOT Protocol[TCP]. I was just copying that list for using it in one of my NetFlow custom sensors and realised about it.

Created on Feb 17, 2015 1:02:20 AM by juaromu (0) 1



Votes:

0

Your Vote:

Up

Down

Thanks juaromu, changed it.

Created on Feb 18, 2015 8:04:04 AM by Felix Saure [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Hi! Im having a problem when i try to setup my sflow custom sensor. What i want to do is monitor incoming (entrante)/outgoing (saliente) bandwithd of an IP and a specific port. The problem is that no all channels are being drawed, can you help me?

#3001:GW1-Saliente
SourceIP[192.168.14.11] and ( SourcePort[61616] or DestinationPort[61616])
#3002:GW1-Entrante
DestinationIP[192.168.14.11] and ( SourcePort[61616] or DestinationPort[61616])
#3003:GW2-Saliente
SourceIP[192.168.14.12] and ( SourcePort[61616] or DestinationPort[61616])
#3004:GW2-Entrante
DestinationIP[192.168.14.12] and ( SourcePort[61616] or DestinationPort[61616])
#3005:GW3-Saliente
SourceIP[192.168.14.13] and ( SourcePort[61616] or DestinationPort[61616])
#3006:GW3-Entrante
DestinationIP[192.168.14.13] and ( SourcePort[61616] or DestinationPort[61616])
#3007:GW4-Saliente
SourceIP[192.168.14.10] and ( SourcePort[61616] or DestinationPort[61616])
#3008:GW4-Entrante
DestinationIP[192.168.14.10] and ( SourcePort[61616] or DestinationPort[61616])
#3009:DB-Saliente
SourceIP[192.168.14.110] and ( SourcePort[61616] or DestinationPort[61616])
#3010:DB-Entrante
DestinationIP[192.168.14.110] and ( SourcePort[61616] or DestinationPort[61616])
#3011:BUS-Saliente
SourceIP[192.168.14.100] and ( SourcePort[61616] or DestinationPort[61616])
#3012:BUS-Entrante
DestinationIP[192.168.14.100] and ( SourcePort[61616] or DestinationPort[61616])
#3013:ME1-Saliente
SourceIP[192.168.14.101] and ( SourcePort[61616] or DestinationPort[61616])
#3014:ME1-Entrante
DestinationIP[192.168.14.101] and ( SourcePort[61616] or DestinationPort[61616])
#3015:ME2-Saliente
SourceIP[192.168.14.102] and ( SourcePort[61616] or DestinationPort[61616])
#3016:ME2-Entrante
DestinationIP[192.168.14.102] and ( SourcePort[61616] or DestinationPort[61616])
#3017:ADMIN-Saliente
SourceIP[192.168.14.105] and ( SourcePort[61616] or DestinationPort[61616])
#3018:ADMIN-Entrante
SourceIP[192.168.14.105] and ( SourcePort[61616] or DestinationPort[61616])
#3019:FIX6-Saliente
SourceIP[192.168.14.16] and ( SourcePort[61616] or DestinationPort[61616])
#3020:FIX6-Entrante
DestinationIP[192.168.14.16] and ( SourcePort[61616] or DestinationPort[61616])
#3021:EXTMKT-Saliente
SourceIP[192.168.14.120] and ( SourcePort[61616] or DestinationPort[61616])
#3022:EXTMKT-Entrante
DestinationIP[192.168.14.120] and ( SourcePort[61616] or DestinationPort[61616])
#3023:Virtual-FIX-123-Saliente
SourceIP[192.168.14.213] and ( SourcePort[61616] or DestinationPort[61616])
#3024:Virtual-FIX-123-Entrante
DestinationIP[192.168.14.213] and ( SourcePort[61616] or DestinationPort[61616])
#3025:Virtual-FIX-ABC-Saliente
SourceIP[192.168.14.214] and ( SourcePort[61616] or DestinationPort[61616])
#3026:Virtual-FIX-ABC-Entrante
DestinationIP[192.168.14.214] and ( SourcePort[61616] or DestinationPort[61616])

If I remove the first 10 channels then the other will appear.

Sorry for my english. Thanks!!

Created on Jun 16, 2016 5:39:45 PM by lmorales2683 (0)

Last change on Jun 17, 2016 6:12:13 AM by Luciano Lingnau [Paessler]



Votes:

0

Your Vote:

Up

Down

Hi,

The filters will be processed in the exact same order as defined in the flowrules.osr. New channels will only be created if a flow packet matches the corresponding filter rule. If there is such a matching packet, this packet will be removed and will not be available for the other channels defined below.

Some of your filters compare the Source IP while other channels filter for the Destination IP. I assume that the packets will be counted to the first filters (matching source- or destination address) so that they do not arrive at the other channels.

Best regards, Felix

Created on Jun 20, 2016 10:45:56 AM by Felix Saure [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Years later, and this is still my go-to custom channel list. Kudos.

Created on Nov 14, 2019 5:38:18 PM by chinson (0)



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.