I would like to add my own channels to an existing Packet Sniffer or flow (NetFlow, sFlow) sensor. Is this possible?
Can I add custom channels to standard Packet Sniffer and NetFlow sensors?
14 Replies
This article applies as of PRTG 22
Update as of PRTG 14.1.10
As of PRTG 14.1.10, you can edit the default traffic groups and channels of standard flow (jFlow v5, NetFlow v5, NetFlow v9, IPFIX, sFlow) and Packet Sniffer sensors. These changes also apply to already existing sensors.
For details, see the article "How can I change the default groups and channels for flow and Packet Sniffer sensors?".
With this method, you can also add custom channels to the available sensors without using custom sensors. However, you can still use the approach as given below.
This article applies to PRTG 19 or later, as well as to previous (deprecated) versions.
Before PRTG 14.1.10, it is not possible to add custom channels to existing Packet Sniffer/flow sensors (see above). However, there is another solution:
Creating a custom Packet Sniffer/flow sensor with standard channels and your own definitions
You can create a new custom sensor that uses the default channels and your own channel definitions:
Step 1: Create a custom sensor
- Depending on what you need, create a custom Packet Sniffer or custom NetFlow/sFlow sensor in PRTG.
- When using NetFlow, fill in the required fields Receive NetFlow Packets on UDP Port and Active Flow Timeout.
Step 2: Copy the required default channels
Copy the required default channels (see below) into Channel Definition. There are two sets, the Group and the Detail definitions.
Group definitions:
#3001:WWW (Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])) OR (Protocol[TCP] and (SourcePort[443] or DestinationPort[443]))
#3002:FTP/P2P (Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21]))
#3003:Mail ((Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] )) OR (Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])) OR (Protocol[TCP] and (SourcePort[25] or DestinationPort[25]))
#3004:Chat (Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])) OR (Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190]))
#3005:Remote Control ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])) OR (Protocol[TCP] and (SourcePort[22] or DestinationPort[22])) OR (Protocol[TCP] and (SourcePort[23] or DestinationPort[23])) OR (Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900]))
#3007:Infrastructure (Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )) OR ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])) OR (Protocol[TCP] and (SourcePort[113] or DestinationPort[113])) OR (Protocol[ICMP]) OR (Protocol[UDP] and (SourcePort[161-162] or DestinationPort[161-162]))
#3008:NetBIOS ((Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR SourcePort[137-139]))
#3009:Various (Protocol[UDP]) OR (Protocol[TCP])
Detail definitions:
#1001:HTTP Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])
#1023:HTTPS Protocol[TCP] and (SourcePort[443] or DestinationPort[443])
#1024:FTP (Control) Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21])
#1006:IMAP (Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] )
#1008:POP3 Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])
#1011:SMTP Protocol[TCP] and (SourcePort[25] or DestinationPort[25])
#1007:IRC Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])
#1025:AIM Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190])
#1009:RDP (Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])
#1014:SSH Protocol[TCP] and (SourcePort[22] or DestinationPort[22])
#1016:Telnet Protocol[TCP] and (SourcePort[23] or DestinationPort[23])
#1017:VNC Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900])
#1003:DHCP Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )
#1004:DNS (Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])
#1005:Ident Protocol[TCP] and (SourcePort[113] or DestinationPort[113])
#1018:ICMP Protocol[ICMP]
#1012:SNMP Protocol[UDP] and (SourcePort[161-162] or DestinationPort[161-162])
#3008:NetBIOS ((Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR SourcePort[137-139]))
#3010:Citrix Protocol[TCP] and (Port[1494] or Port[2598] or Port[2512])
#1021:OtherUDP Protocol[UDP]
#1022:OtherTCP Protocol[TCP]
Step 3: Add your own channels
Add your own channels to the default definitions in Channel Definition.
- Your own channels are usually more specific. Therefore, these channel definitions should be inserted before the more generic definitions. Traffic is only accounted to the first channel whose filter matches.
- Make sure that you use unique channel numbers when adding your sensors.
Step 4: Save and test
Click Continue to create the sensor and test it.
Created on Mar 10, 2010 9:52:52 AM by
Daniel Zobel [Product Manager]
Last change on Jan 2, 2023 2:25:50 PM by
Brandy Greger [Paessler Support]
Thanks for posting this. If I am reading this right, in case you get 'new' traffic (such as an unauthorized application, e.g. file sharing), PRTG will not map it but just tag it as 'various'. How would you set up a trigger to warn you about it if you cannot really investigate what channels the 'various' traffic refers to? The fact that my 'various' or 'other' traffic has increased... don't think so.
Seems like NetFlow is really underused here, or there needs to be a larger list of port mappings. IMHO all known ports should be in there by default, and if nothing is detected then nothing is logged. 4-5 channels is just not enough traffic info for a router. So, if I may, a suggestion: make a script allowing us to check/select the ports we want mapped and generate definitions as seen above. Thanks!
The idea is to define all used ports of the specific system you know (using the custom channels), so an increase in 'various' or 'other' is suspicious and should be analyzed.
Defining anything "known" as predefined channels is not simple and can be misleading if ports are used for something else by malicious software.
I have tried adding new channel definitions to a custom Packet Sniffer. It seems to allow it, but I do not get any new channels under the channel tab; hence any matches I might get are not shown in a color on the graph, and I do not get a color key for the new definition. What am I doing wrong?
I wrote previously that I could not get the above to work. However, it does seem to be working now. But it takes absolutely ages for any new channels to take effect. Is there any way of speeding this up? I have tried pausing and resuming without success.
Here's my very simple list of names for ports (you can paste this right into a new custom sFlow sensor channel config):
#7:Echo ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[7] or DestinationPort[7]))
#19:Chargen ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[19] or DestinationPort[19]))
#20:FTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[20] or DestinationPort[20]))
#21:FTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[21] or DestinationPort[21]))
#22:SSHSCP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[22] or DestinationPort[22]))
#23:Telnet ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[23] or DestinationPort[23]))
#25:SMTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[25] or DestinationPort[25]))
#42:WINSReplication ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[42] or DestinationPort[42]))
#43:WHOIS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[43] or DestinationPort[43]))
#49:TACACS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[49] or DestinationPort[49]))
#53:DNS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53]))
#67:DHCPBOOTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[67] or DestinationPort[67]))
#68:DHCPBOOTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[68] or DestinationPort[68]))
#69:TFTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[69] or DestinationPort[69]))
#70:Gopher ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[70] or DestinationPort[70]))
#79:Finger ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[79] or DestinationPort[79]))
#80:HTTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[80] or DestinationPort[80]))
#88:Kerberos ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[88] or DestinationPort[88]))
#102:MSExchange ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[102] or DestinationPort[102]))
#110:POP3 ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[110] or DestinationPort[110]))
#113:Ident ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[113] or DestinationPort[113]))
#119:NNTPUsenet ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[119] or DestinationPort[119]))
#123:NTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[123] or DestinationPort[123]))
#135:MicrosoftRPC ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[135] or DestinationPort[135]))
#137:NetBIOS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[137] or DestinationPort[137]))
#139:NetBIOS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[139] or DestinationPort[139]))
#143:IMAP4 ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[143] or DestinationPort[143]))
#161:SNMP (Protocol[UDP] and (SourcePort[161] or DestinationPort[161]))
#162:SNMP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[162] or DestinationPort[162]))
#177:XDMCP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[177] or DestinationPort[177]))
#179:BGP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[179] or DestinationPort[179]))
#201:AppleTalk ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[201] or DestinationPort[201]))
#264:BGMP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[264] or DestinationPort[264]))
#318:TSP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[318] or DestinationPort[318]))
#381:HPOpenview ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[381] or DestinationPort[381]))
#382:HPOpenview ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[382] or DestinationPort[382]))
#383:HPOpenview ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[383] or DestinationPort[383]))
#389:LDAP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[389] or DestinationPort[389]))
#411:DirectConnect ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[411] or DestinationPort[411]))
#412:DirectConnect ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[412] or DestinationPort[412]))
#443:HTTPoverSSL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[443] or DestinationPort[443]))
#445:MicrosoftDS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[445] or DestinationPort[445]))
#464:Kerberos ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[464] or DestinationPort[464]))
#465:SMTPoverSSL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[465] or DestinationPort[465]))
#497:Retrospect ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[497] or DestinationPort[497]))
#500:ISAKMP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[500] or DestinationPort[500]))
#512:rexec ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[512] or DestinationPort[512]))
#513:rlogin ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[513] or DestinationPort[513]))
#514:syslog ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[514] or DestinationPort[514]))
#515:LPDLPR ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[515] or DestinationPort[515]))
#520:RIP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[520] or DestinationPort[520]))
#521:RIPngIPv6 ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[521] or DestinationPort[521]))
#540:UUCP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[540] or DestinationPort[540]))
#554:RTSP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[554] or DestinationPort[554]))
#546:DHCPv6 ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[546] or DestinationPort[546]))
#547:DHCPv6 ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[547] or DestinationPort[547]))
#560:rmonitor ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[560] or DestinationPort[560]))
#563:NNTPoverSSL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[563] or DestinationPort[563]))
#587:SMTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[587] or DestinationPort[587]))
#591:FileMaker ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[591] or DestinationPort[591]))
#593:MicrosoftDCOM ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[593] or DestinationPort[593]))
#631:InternetPrinting ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[631] or DestinationPort[631]))
#636:LDAPoverSSL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[636] or DestinationPort[636]))
#639:MSDPPIM ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[639] or DestinationPort[639]))
#646:LDPMPLS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[646] or DestinationPort[646]))
#691:MSExchange ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[691] or DestinationPort[691]))
#860:iSCSI ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[860] or DestinationPort[860]))
#873:rsync ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[873] or DestinationPort[873]))
#902:VMwareServer ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[902] or DestinationPort[902]))
#989:FTPOverSSL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[989] or DestinationPort[989]))
#990:FTPoverSSL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[990] or DestinationPort[990]))
#993:IMAP4overSSL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[993] or DestinationPort[993]))
#995:POP3overSSL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[995] or DestinationPort[995]))
#1025:MicrosoftRPCORaim ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1025] or DestinationPort[1025]))
#1080:SOCKSProxyORMyDoom ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1080] or DestinationPort[1080]))
#1194:OpenVPN ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1194] or DestinationPort[1194]))
#1214:Kazaa ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1214] or DestinationPort[1214]))
#1241:Nessus ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1241] or DestinationPort[1241]))
#1311:DellOpenManage ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1311] or DestinationPort[1311]))
#1337:WASTE ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1337] or DestinationPort[1337]))
#1433:MicrosoftSQL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1433] or DestinationPort[1433]))
#1434:MicrosoftSQL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1434] or DestinationPort[1434]))
#1512:WINS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1512] or DestinationPort[1512]))
#1589:CiscoVQP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1589] or DestinationPort[1589]))
#1701:L2TP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1701] or DestinationPort[1701]))
#1723:MSPPTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1723] or DestinationPort[1723]))
#1725:Steam ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1725] or DestinationPort[1725]))
#1741:CiscoWorks2000 ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1741] or DestinationPort[1741]))
#1755:MSMediaServer ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1755] or DestinationPort[1755]))
#1812:RADIUS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1812] or DestinationPort[1812]))
#1813:RADIUS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1813] or DestinationPort[1813]))
#1863:MSN ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1863] or DestinationPort[1863]))
#1985:CiscoHSRP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[1985] or DestinationPort[1985]))
#2000:CiscoSCCP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2000] or DestinationPort[2000]))
#2002:CiscoACS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2002] or DestinationPort[2002]))
#2049:NFS ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2049] or DestinationPort[2049]))
#2100:OracleXDB ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2100] or DestinationPort[2100]))
#2222:DirectAdmin ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2222] or DestinationPort[2222]))
#2302:Halo ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2302] or DestinationPort[2302]))
#2745:BagleH ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2745] or DestinationPort[2745]))
#2967:SymantecAV ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[2967] or DestinationPort[2967]))
#3050:InterbaseDB ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3050] or DestinationPort[3050]))
#3074:XBOXLive ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3074] or DestinationPort[3074]))
#3124:HTTPProxy ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3124] or DestinationPort[3124]))
#3127:MyDoom ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3127] or DestinationPort[3127]))
#3128:HTTPProxy ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3128] or DestinationPort[3128]))
#3222:GLBP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3222] or DestinationPort[3222]))
#3260:iSCSITarget ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3260] or DestinationPort[3260]))
#3306:MySQL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3306] or DestinationPort[3306]))
#3389:TerminalServer ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389]))
#3689:iTunes ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3689] or DestinationPort[3689]))
#3690:Subversion ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3690] or DestinationPort[3690]))
#3724:WorldofWarcraft ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3724] or DestinationPort[3724]))
#4333:mSQL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[4333] or DestinationPort[4333]))
#4444:Blaster ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[4444] or DestinationPort[4444]))
#4664:GoogleDesktop ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[4664] or DestinationPort[4664]))
#4672:eMule ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[4672] or DestinationPort[4672]))
#4899:Radmin ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[4899] or DestinationPort[4899]))
#5000:UPnP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5000] or DestinationPort[5000]))
#5001:SlingboxORiperf ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5001] or DestinationPort[5001]))
#5004:RTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5004] or DestinationPort[5004]))
#5005:RTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5005] or DestinationPort[5005]))
#5050:YahooMessenger ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5050] or DestinationPort[5050]))
#5060:SIP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5060] or DestinationPort[5060]))
#5190:AIMICQ ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5190] or DestinationPort[5190]))
#5432:PostgreSQL ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5432] or DestinationPort[5432]))
#5500:VNCServer ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5500] or DestinationPort[5500]))
#5554:Sasser ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5554] or DestinationPort[5554]))
#5631:pcAnywhere ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5631] or DestinationPort[5631]))
#5632:pcAnywhere ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5632] or DestinationPort[5632]))
#5800:VNCoverHTTP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[5800] or DestinationPort[5800]))
#6112:Battlenet ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6112] or DestinationPort[6112]))
#6129:DameWare ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6129] or DestinationPort[6129]))
#6257:WinMX ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6257] or DestinationPort[6257]))
#6346:Gnutella ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6346] or DestinationPort[6346]))
#6347:Gnutella ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6347] or DestinationPort[6347]))
#6500:GameSpyArcade ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6500] or DestinationPort[6500]))
#6566:SANE ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6566] or DestinationPort[6566]))
#6588:AnalogX ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6588] or DestinationPort[6588]))
#6699:Napster ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6699] or DestinationPort[6699]))
#6970:Quicktime ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[6970] or DestinationPort[6970]))
#7212:GhostSurf ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[7212] or DestinationPort[7212]))
#8000:InternetRadio ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8000] or DestinationPort[8000]))
#8080:HTTPProxy ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8080] or DestinationPort[8080]))
#8086:KasperskyAV ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8086] or DestinationPort[8086]))
#8087:KasperskyAV ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8087] or DestinationPort[8087]))
#8118:Privoxy ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8118] or DestinationPort[8118]))
#8200:VMwareServer ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8200] or DestinationPort[8200]))
#8500:AdobeColdFusion ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8500] or DestinationPort[8500]))
#8767:TeamSpeak ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8767] or DestinationPort[8767]))
#8866:BagleB ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[8866] or DestinationPort[8866]))
#9100:HPJetDirect ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9100] or DestinationPort[9100]))
#9119:MXit ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9119] or DestinationPort[9119]))
#9800:WebDAV ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9800] or DestinationPort[9800]))
#9898:Dabber ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9898] or DestinationPort[9898]))
#9988:RbotSpybot ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9988] or DestinationPort[9988]))
#9999:Urchin ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[9999] or DestinationPort[9999]))
#10000:WebminORBackupExec ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[10000] or DestinationPort[10000]))
#11371:OpenPGP ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[11371] or DestinationPort[11371]))
#12345:NetBus ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[12345] or DestinationPort[12345]))
#14567:Battlefield ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[14567] or DestinationPort[14567]))
#15118:DipnetOddbob ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[15118] or DestinationPort[15118]))
#19226:AdminSecure ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[19226] or DestinationPort[19226]))
#19638:Ensim ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[19638] or DestinationPort[19638]))
#20000:Usermin ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[20000] or DestinationPort[20000]))
#24800:Synergy ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[24800] or DestinationPort[24800]))
#25999:Xfire ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[25999] or DestinationPort[25999]))
#27015:HalfLife ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[27015] or DestinationPort[27015]))
#27374:Sub7 ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[27374] or DestinationPort[27374]))
#28960:CallofDuty ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[28960] or DestinationPort[28960]))
#31337:BackOrifice ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[31337] or DestinationPort[31337]))
#3001:WWW (Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])) OR (Protocol[TCP] and (SourcePort[443] or DestinationPort[443]))
#3002:FTP/P2P (Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21]))
#3003:Mail ((Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] )) OR (Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])) OR (Protocol[TCP] and (SourcePort[25] or DestinationPort[25]))
#3004:Chat (Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])) OR (Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190]))
#3005:Remote Control ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])) OR (Protocol[TCP] and (SourcePort[22] or DestinationPort[22])) OR (Protocol[TCP] and (SourcePort[23] or DestinationPort[23])) OR (Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900]))
#3007:Infrastructure (Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )) OR ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])) OR (Protocol[TCP] and (SourcePort[113] or DestinationPort[113])) OR (Protocol[ICMP]) OR (Protocol[UDP] and (SourcePort[161-162] or DestinationPort[161-162]))
#3008:NetBIOS ((Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR SourcePort[137-139]))
#3009:Various (Protocol[UDP]) OR (Protocol[TCP])
#1001:HTTP Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])
#1023:HTTPS Protocol[TCP] and (SourcePort[443] or DestinationPort[443])
#1024:FTP (Control) Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21])
#1006:IMAP (Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] )
#1008:POP3 Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])
#1011:SMTP Protocol[TCP] and (SourcePort[25] or DestinationPort[25])
#1007:IRC Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])
#1009:RDP (Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])
#1014:SSH Protocol[TCP] and (SourcePort[22] or DestinationPort[22])
#1016:Telnet Protocol[TCP] and (SourcePort[23] or DestinationPort[23])
#1017:VNC Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900])
#1003:DHCP Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )
#1004:DNS (Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])
#1005:Ident Protocol[TCP] and (SourcePort[113] or DestinationPort[113])
#1018:ICMP Protocol[ICMP]
#1012:SNMP Protocol[UDP] and (SourcePort[161-162] or DestinationPort[161-162])
#1021:OtherUDP Protocol[UDP]
#1022:OtherTCP Protocol[TCP]
Created on Jan 12, 2015 9:05:48 PM
Last change on Feb 18, 2015 8:03:05 AM by
Felix Saure [Paessler Support]
Thank you very much for sharing this detailed config!
Hi:
Please notice that in the "Detailed Definition" listed above, SNMP traffic should be defined as Protocol[UDP], NOT Protocol[TCP]. I was just copying that list to use it in one of my NetFlow custom sensors and realised it.
Thanks juaromu, changed it.
Hi! I'm having a problem when I try to set up my sFlow custom sensor. What I want to do is monitor the incoming (entrante)/outgoing (saliente) bandwidth of an IP and a specific port. The problem is that not all channels are being drawn. Can you help me?
#3001:GW1-Saliente SourceIP[192.168.14.11] and ( SourcePort[61616] or DestinationPort[61616])
#3002:GW1-Entrante DestinationIP[192.168.14.11] and ( SourcePort[61616] or DestinationPort[61616])
#3003:GW2-Saliente SourceIP[192.168.14.12] and ( SourcePort[61616] or DestinationPort[61616])
#3004:GW2-Entrante DestinationIP[192.168.14.12] and ( SourcePort[61616] or DestinationPort[61616])
#3005:GW3-Saliente SourceIP[192.168.14.13] and ( SourcePort[61616] or DestinationPort[61616])
#3006:GW3-Entrante DestinationIP[192.168.14.13] and ( SourcePort[61616] or DestinationPort[61616])
#3007:GW4-Saliente SourceIP[192.168.14.10] and ( SourcePort[61616] or DestinationPort[61616])
#3008:GW4-Entrante DestinationIP[192.168.14.10] and ( SourcePort[61616] or DestinationPort[61616])
#3009:DB-Saliente SourceIP[192.168.14.110] and ( SourcePort[61616] or DestinationPort[61616])
#3010:DB-Entrante DestinationIP[192.168.14.110] and ( SourcePort[61616] or DestinationPort[61616])
#3011:BUS-Saliente SourceIP[192.168.14.100] and ( SourcePort[61616] or DestinationPort[61616])
#3012:BUS-Entrante DestinationIP[192.168.14.100] and ( SourcePort[61616] or DestinationPort[61616])
#3013:ME1-Saliente SourceIP[192.168.14.101] and ( SourcePort[61616] or DestinationPort[61616])
#3014:ME1-Entrante DestinationIP[192.168.14.101] and ( SourcePort[61616] or DestinationPort[61616])
#3015:ME2-Saliente SourceIP[192.168.14.102] and ( SourcePort[61616] or DestinationPort[61616])
#3016:ME2-Entrante DestinationIP[192.168.14.102] and ( SourcePort[61616] or DestinationPort[61616])
#3017:ADMIN-Saliente SourceIP[192.168.14.105] and ( SourcePort[61616] or DestinationPort[61616])
#3018:ADMIN-Entrante DestinationIP[192.168.14.105] and ( SourcePort[61616] or DestinationPort[61616])
#3019:FIX6-Saliente SourceIP[192.168.14.16] and ( SourcePort[61616] or DestinationPort[61616])
#3020:FIX6-Entrante DestinationIP[192.168.14.16] and ( SourcePort[61616] or DestinationPort[61616])
#3021:EXTMKT-Saliente SourceIP[192.168.14.120] and ( SourcePort[61616] or DestinationPort[61616])
#3022:EXTMKT-Entrante DestinationIP[192.168.14.120] and ( SourcePort[61616] or DestinationPort[61616])
#3023:Virtual-FIX-123-Saliente SourceIP[192.168.14.213] and ( SourcePort[61616] or DestinationPort[61616])
#3024:Virtual-FIX-123-Entrante DestinationIP[192.168.14.213] and ( SourcePort[61616] or DestinationPort[61616])
#3025:Virtual-FIX-ABC-Saliente SourceIP[192.168.14.214] and ( SourcePort[61616] or DestinationPort[61616])
#3026:Virtual-FIX-ABC-Entrante DestinationIP[192.168.14.214] and ( SourcePort[61616] or DestinationPort[61616])
If I remove the first 10 channels, then the others will appear.
Sorry for my English. Thanks!!
Created on Jun 16, 2016 5:39:45 PM
Last change on Jun 17, 2016 6:12:13 AM by
Luciano Lingnau [Paessler]
Hi,
The filters will be processed in exactly the same order as defined in the flowrules.osr. New channels will only be created if a flow packet matches the corresponding filter rule. If there is such a matching packet, this packet will be removed and will not be available for the other channels defined below.
Some of your filters compare the source IP while other channels filter for the destination IP. I assume that the packets will be counted towards the first filters (matching the source or destination address), so that they do not arrive at the other channels.
Best regards, Felix
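Both the article's Step 3 ("traffic is only accounted to the first channel whose filter matches", with unique channel numbers) and Felix's explanation above describe the same first-match rule, and with a long list it is easy to lose track of which rule will actually win. The following is an added example written for this thread; it is neither Paessler's code nor anything posted by the participants. It parses "#id:Name filter" lines using only the syntax visible on this page (Protocol[], Port[], SourcePort[], DestinationPort[] with single ports or lo-hi ranges, SourceIP[] and DestinationIP[] matched as exact addresses; PRTG's own IP range and mask notation is not modelled) and replays sample flows through the list in order. It reproduces two situations from this thread: a custom channel appended after the catch-all #3009:Various never receives traffic, and with the per-host source/destination rules quoted above, traffic between two monitored hosts is accounted only to the first host's channels, so the second host's channels stay empty. It also flags duplicate channel ids. The "#3100:ActiveMQ" channel and all sample addresses and ports are constructed for illustration.

```python
"""Replay flows through PRTG-style channel definitions to see which channel accounts each one.
Added example for this thread, not Paessler code.  Only the syntax visible on this page is
modelled: Protocol[], Port[], SourcePort[], DestinationPort[] (single ports or lo-hi ranges),
SourceIP[], DestinationIP[] (exact address only; PRTG's own range/mask notation is not
implemented), joined with and/or and parentheses."""
import re
from collections import deque
from dataclasses import dataclass

ATOM_RE = re.compile(r"(Protocol|SourcePort|DestinationPort|Port|SourceIP|DestinationIP)\[([^\]]*)\]")
TOKEN_RE = re.compile(r"\(|\)|\b(?:and|or)\b|" + ATOM_RE.pattern, re.IGNORECASE)

@dataclass(frozen=True)
class Flow:
    proto: str            # "TCP", "UDP" or "ICMP"
    src_ip: str
    dst_ip: str
    src_port: int = 0     # 0 for protocols without ports
    dst_port: int = 0

def tokenize(expr):
    """Tokens are ('(',), (')',), ('and',), ('or',) or ('atom', field, value); anything else is an error."""
    toks, pos = deque(), 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text in filter at offset {pos}: {expr[pos:pos + 20]!r}")
        toks.append(("atom", m.group(1).lower(), m.group(2)) if m.group(1) else (m.group(0).lower(),))
        pos = m.end()
    return toks

def parse_expr(toks, ops=("or", "and")):
    """expr := term ('or' term)* ; term := factor ('and' factor)*  (recursive descent, 'and' binds tighter)"""
    op, rest = ops[0], ops[1:]
    sub = (lambda t: parse_expr(t, rest)) if rest else parse_factor
    node = sub(toks)
    while toks and toks[0][0] == op:
        toks.popleft()
        node = (op, node, sub(toks))
    return node

def parse_factor(toks):
    """factor := '(' expr ')' | atom"""
    if not toks:
        raise ValueError("filter ended unexpectedly")
    tok = toks.popleft()
    if tok[0] == "(":
        node = parse_expr(toks)
        if not toks or toks.popleft()[0] != ")":
            raise ValueError("missing ')' in filter")
        return node
    if tok[0] == "atom":
        return tok
    raise ValueError(f"unexpected {tok[0]!r} in filter")

def parse_filter(text):
    toks = tokenize(text)
    tree = parse_expr(toks)
    if toks:
        raise ValueError(f"trailing tokens in filter: {list(toks)}")
    return tree

def port_in(spec, port):
    lo, _, hi = spec.partition("-")          # "443" or "20-21"
    return int(lo) <= port <= int(hi or lo)

def matches(node, flow):
    if node[0] == "or":
        return matches(node[1], flow) or matches(node[2], flow)
    if node[0] == "and":
        return matches(node[1], flow) and matches(node[2], flow)
    _, fld, val = node
    if fld == "protocol":
        return flow.proto.upper() == val.upper()
    if fld.endswith("port"):                 # Port[] matches either side of the flow
        ports = {"sourceport": [flow.src_port], "destinationport": [flow.dst_port]}.get(fld, [flow.src_port, flow.dst_port])
        return any(port_in(val, p) for p in ports)
    return (flow.src_ip if fld == "sourceip" else flow.dst_ip) == val

def parse_channels(text):
    """'#id:Name filter', one per line, in PRTG's evaluation order -> [(id, name, filter_text, tree)]."""
    channels = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        head, first = re.match(r"#(\d+):", line), ATOM_RE.search(line)
        if not head or not first:
            raise ValueError(f"not a channel definition: {line!r}")
        start = first.start()                 # the filter starts at its first atom ...
        while start > 0 and line[start - 1] in " (":
            start -= 1                        # ... or at the '(' that open it; 'FTP (Control)' stays part of the name
        filt = line[start:].strip()
        channels.append((int(head.group(1)), line[head.end():start].strip(), filt, parse_filter(filt)))
    return channels

def first_match(channels, flow):
    """PRTG accounts a flow only to the FIRST channel whose filter matches; None if nothing matches."""
    return next((ch for ch in channels if matches(ch[3], flow)), None)

def duplicate_ids(channels):
    ids = [ch[0] for ch in channels]
    return sorted({cid for cid in ids if ids.count(cid) > 1})

def unreached(channels, flows):
    """Ids that account none of the sample flows: shadowed by an earlier rule, or simply unused."""
    hit = {ch[0] for ch in (first_match(channels, f) for f in flows) if ch}
    return [ch[0] for ch in channels if ch[0] not in hit]

# Constructed samples: three of the default groups from the article (#3007 shortened), a hypothetical
# custom channel for TCP/61616 (the ActiveMQ default port is an assumption), and the first four
# per-host rules posted earlier in this thread, as written there.
DEFAULT_GROUPS = """
#3001:WWW (Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])) OR (Protocol[TCP] and (SourcePort[443] or DestinationPort[443]))
#3007:Infrastructure (Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )) OR ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])) OR (Protocol[ICMP])
#3009:Various (Protocol[UDP]) OR (Protocol[TCP])
"""
CUSTOM = "#3100:ActiveMQ Protocol[TCP] and Port[61616]\n"
GATEWAYS = """
#3001:GW1-Saliente SourceIP[192.168.14.11] and ( SourcePort[61616] or DestinationPort[61616])
#3002:GW1-Entrante DestinationIP[192.168.14.11] and ( SourcePort[61616] or DestinationPort[61616])
#3003:GW2-Saliente SourceIP[192.168.14.12] and ( SourcePort[61616] or DestinationPort[61616])
#3004:GW2-Entrante DestinationIP[192.168.14.12] and ( SourcePort[61616] or DestinationPort[61616])
"""
```

Usage: `first_match(parse_channels(DEFAULT_GROUPS + CUSTOM), Flow("TCP", "192.168.14.11", "192.168.14.100", 40000, 61616))` returns the #3009:Various entry, while `CUSTOM + DEFAULT_GROUPS` returns #3100; `unreached(parse_channels(GATEWAYS), [...])` with one flow in each direction between 192.168.14.11 and 192.168.14.12 reports [3003, 3004], which is the symptom described in the question above. Run `duplicate_ids` over any pasted list before saving it, since PRTG needs unique channel numbers.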
Years later, and this is still my go-to custom channel list. Kudos.
I treat this sensor like Wireshark: I start with a "coarse" template and then zoom in on the sections that create a lot of problems / that I want to investigate.
Here is my "server" template. I need to create a custom "access" template too... This is fun to put next to a QoS ACL, btw, or to cross-reference with an application/NBAR monitor.
#10:SambaSMB ((Protocol[TCP] or Protocol[UDP]) and Port[445])
#20:iSCSI ((Protocol[TCP] or Protocol[UDP]) and (Port[860] OR Port[3260]))
#30:NFS ((Protocol[TCP] or Protocol[UDP]) and Port[2049])
#40:SIP ((Protocol[TCP] or Protocol[UDP]) and Port[5060])
#50:WWW or Netscaler ((Protocol[TCP] OR Protocol[UDP]) and (Port[80] or Port[8080])) OR (Protocol[TCP] and Port[443])
#60:MS Teams ((Protocol[TCP] OR Protocol[UDP]) and (SourcePort[50000-50059] OR Port[3478-3481]))
#70:Citrix ((Protocol[TCP] OR Protocol[UDP]) AND (Port[1494] or Port[2598]))
#80:CAPWAP ((Protocol[UDP]) AND (Port[5246] or Port[5247]) )
#1010:ICMP Protocol[ICMP]
#1020:OtherUDP Protocol[UDP]
#1030:OtherTCP Protocol[TCP]
A "standard/one-fits-all" template that sees it all was messing up the reports, so I usually try to keep it under 10 groups. But I have not figured out how to define groups using the "Channel Definition" field. How do those numbers create groups and detail definitions? Or do I have to create a template for that?
(It says at the top: "There are two sets, the Group and the Detail definitions.") Where is the difference?
cheers and thanks!
Andreas
Created on Jul 20, 2021 10:50:41 AM
Last change on Jul 20, 2021 11:27:57 AM by
Felix Wiesneth [Paessler Support]
Hello Andreas, I think this is better to see in a ticket so we can see screenshots and more information. Can you send a ticket to [email protected]?