How do the channel definitions work for custom packet sniffer, xFlow (NetFlow, sFlow, jFlow), and IPFIX sensors?
How do the channel definitions for custom Packet Sniffing, xFlow, and IPFIX sensors work?
This article applies to PRTG Network Monitor 16 or later
Channel Definitions for Custom Packet Sniffing, xFlow, or IPFIX Sensors
When adding custom xFlow (for example, NetFlow, sFlow, or jFlow), IPFIX (included in PRTG version 13.x.7 or later), or packet sniffing sensors to PRTG, you will notice a field entitled Channel Definition. In this field you need to provide the channel definitions in the following manner (one entry per channel):
#5:HTTP
Protocol[TCP] and (SourcePort or DestinationPort or SourcePort or DestinationPort)
- The <id> needs to be 1 or a higher number and must be unique for the sensor. This means that each channel definition must have a unique ID.
- The <id> is linked to the historic data. Caution: As soon as you change the ID, you break the connection to the history for this particular channel and you will lose its historic data!
- A rule can span multiple lines.
- A new rule starts with a # as the first character in a line.
- <name> is the channel's display name.
- The rules are processed top to bottom (the number doesn't matter) and the data is accounted to the first match.
- An "Other" channel is added automatically.
- After the <name> you can write an optional [<unit>] to override the unit which is automatically set based on the source sensors.
For the specific rule syntax, please see What filter rules can be used for custom Packet Sniffing, xFlow (NetFlow/sFlow/jFlow), or IPFIX sensors?
Because the data is always accounted to the first match, make sure you start with the most specific rule at the top and get less specific toward the bottom.
Recommendation: Write the rule list in an external editor first and then paste it into the corresponding PRTG field. Otherwise, if the rules contain an error, the entries will be removed when you add the rules!
Channel definition example for differentiating by protocol:
#1:TCP
Protocol[TCP]
#2:UDP
Protocol[UDP]
#3:ICMP
Protocol[ICMP]
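The checks a rule list should pass before it is pasted into the Channel Definition field, as an added example (not PRTG's own code): it parses the `#<id>:<name>[<unit>]` entries, rejects IDs that are below 1 or reused, and flags a channel whose rule is an earlier rule plus further `and` conditions, because first-match accounting means it never receives data. The function names, the port values, and the `[kbit]` unit in the sample are assumptions made for this example.

```python
import re

HEADER = re.compile(r"^#(\d+):([^\[\]]+?)\s*(?:\[([^\[\]]+)\])?\s*$")

def parse_channels(text):
    """Split a channel definition into dicts with id, name, unit and rule."""
    channels = []
    for raw in text.splitlines():
        m = HEADER.match(raw)                 # '#' must be the first character
        if m:
            channels.append({"id": int(m[1]), "name": m[2], "unit": m[3], "rule": ""})
        elif raw.startswith("#") or (raw.strip() and not channels):
            raise ValueError(f"bad header or rule text before first '#': {raw!r}")
        elif raw.strip():                     # a rule can span multiple lines
            channels[-1]["rule"] = " ".join((channels[-1]["rule"] + " " + raw).split())
    return channels

def top_level_or(rule):                       # True if 'or' sits outside all (...) groups
    prev = None
    while prev != rule:                       # collapse innermost groups until stable
        prev, rule = rule, re.sub(r"\([^()]*\)", "G", rule)
    return re.search(r"\bor\b", rule, re.I) is not None

def lint(channels):
    """Return the problems to fix before pasting the text into PRTG."""
    problems, seen = [], set()
    for i, ch in enumerate(channels):
        tag, rule = f"#{ch['id']} {ch['name']}", ch["rule"]
        if ch["id"] < 1 or ch["id"] in seen:
            problems.append(f"{tag}: id must be unique and 1 or higher")
        seen.add(ch["id"])
        if not rule or rule.count("(") != rule.count(")"):
            problems.append(f"{tag}: empty rule or unbalanced parentheses")
        for prior in channels[:i]:
            # 'A and X' only matches traffic that an earlier 'A' already took
            if (not top_level_or(rule)
                    and rule.lower().startswith(prior["rule"].lower() + " and ")):
                problems.append(f"{tag}: never matches, shadowed by #{prior['id']}")
    return problems

SAMPLE = """\
#1:TCP
Protocol[TCP]
#5:HTTP[kbit]
Protocol[TCP] and
(SourcePort[80] or DestinationPort[80])
#1:UDP
Protocol[UDP]
"""  # constructed input: the ports and the [kbit] unit are made-up sample values
```

Calling `lint(parse_channels(SAMPLE))` reports the HTTP channel as shadowed by the broader TCP channel above it and the reused ID 1 on the UDP channel; moving the HTTP entry to the top clears the first finding.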
This was very helpful. I use PRTG V8 and I had to create a new Sensor for my Probe.
>Packet Sniffer (Custom)
And I added this Line:
Protocol[TCP] and (SourcePort or DestinationPort)"
But before I added the Detail definitions.
I've set up a custom V9 workflow sensor to capture all the specific protocols the generic sensor does now. I've got two channels defined.
- 5:SMB Protocol[UDP] and (SourcePort or DestinationPort
- 6:ExacqVision Protocol[TCP] and (SourcePort or DestinationPort[22609D
Do I use filters to capture just these two protocols and if so, what is the syntax for those? The manual has nothing about multiple filters. This syntax does not appear to be working.
Protocol[UDP] and (SourcePort or DestinationPort) or Protocol[TCP] and (SourcePort or DestinationPort)
In which sense are you speaking about multiple filters? The filter definitions can combine several filter statements with AND, OR, as well as brackets.
It is also possible to define several channels.
However, any traffic that is already accounted for in a channel is not considered for further filter evaluation of the other channels, even if the corresponding filter rules apply.