What is the filter rule syntax? What flow (NetFlow/sFlow/jFlow) and IPFIX filter parameters are supported by PRTG?
What filter rules can be used for custom Packet Sniffing, Flow, or IPFIX sensors?
This article applies as of PRTG 22
Filter rules for custom Packet Sniffer, flow, or IPFIX sensors
Filter rules are used for the include filter, exclude filter, and channel definition fields of custom packet sniffer, NetFlow, sFlow, jFlow, and IPFIX sensors.
Filter rules are based on the following format:
- Protocol (values: TCP, UDP, ICMP, OSPFIGP, or any number)
Additional Packet Sniffer fields:
- EtherType (values IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, or any number)
Additional NetFlow v5/jFlow fields:
Additional NetFlow v9 and IPFIX fields:
- Masks represent subnet masks in the form of a single number (number of contiguous bits)
- NextHop (IP address)
- VLANs represent a VLAN identifier
Additional sFlow fields:
- IP fields support wildcards (*), range (10-20) and hostmask ( /10, /255.255.0.0) syntax (all IPv4 only), as well as DNS names.
- Number fields support range (80-88) syntax.
- Protocol and EtherType fields support numbers and a list of predefined constants.
SourceIP[10.0.0.1] SourceIP[10.*.*.*] SourceIP[10.0.0.0/10] DestinationIP[10.0.0.120-130] DestinationPort[80-88] Protocol[UDP]
Complex expressions can be created with parentheses and and, or, or and not:
Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])
This may be a dumb question but I want to make sure. Would
|IP[192.168.0.0/20] OR IP[192.168.50.0/20]|
catch packets to/from machines on the 192.168.0.0/20 and 192.168.50.0/20 ranges the same way
|SourceIP[192.168.0.0/20] OR DestinationIP[192.168.0.0/20] OR SourceIP[192.168.50.0/20] OR DestinationIP[192.168.50.0/20]|
I'm thinking yes, but that is not actually covered in the manual as far as I can tell and I'm trying to simplify some of my packet filtering rules.
yes. SourceIP[x] or DestinationIP[x] is the same as IP[x].
In ASDM i have enabled netflow on a Cisco ASA with 6 interfaces. There is nothing to specify - just the ip address, udp port nr and a flow timeout.
How do i find out what interface[x] number i have to use in the filter settings to see netflow for 1 particular interface?
You would need to check the interface database on the ASA itself to get the interface ID number. This is what you can use to filter for particular interfaces with the sensor.
Let me know if you have any other questions.
This is a multi-context ASA. I use the interface number as shown in the show interface detail output from the customer context:
FWA001/admin/pri/act# changeto context CUST FWA001/CUST/pri/act# sh int FWA001/CUST/pri/act# sh int detail Interface outside "OUTSIDE", is up, line protocol is up MAC address cafe.0000.0003, MTU 1500 IP address xx.xxx.xxx.xxx, subnet mask 255.255.255.128 Traffic Statistics for "OUTSIDE": 36594096995 packets input, 10412221732643 bytes 56833897249 packets output, 20034886444477 bytes 52327144 packets dropped Control Point Interface States: Interface number is 1 Interface config status is active Interface state is active
So, i use : Interface in the Include filter settings. But that does not give any output at all....
Try using InboundInterface and OutboundInterface instead of just interface.
InboundInterface and OutboundInterface in Include filter also does nog give any output.
Maybe i should first check the ASA netflow config completely on the CLI, instead of trusting the GUI of ASDM..
Yes, and you need to confirm the interface IDs.
Can you try running the following command via the CLI on the ASA?
show snmp mib ifmib ifindex
The output should look similar to this.
YourRouter#show snmp mib ifmib ifindex FastEthernet0/1/7: Ifindex = 10 FastEthernet0/1/5: Ifindex = 8 GigabitEthernet0/1: Ifindex = 2 Vlan2: Ifindex = 18 FastEthernet0/1/3: Ifindex = 6 FastEthernet0/1/1: Ifindex = 4 Vlan504: Ifindex = 20 GigabitEthernet0/1.1: Ifindex = 17 VoIP-Null0: Ifindex = 12 Loopback0: Ifindex = 15 Null0: Ifindex = 13 FastEthernet0/1/6: Ifindex = 9 GigabitEthernet0/0: Ifindex = 1 FastEthernet0/1/4: Ifindex = 7 Vlan1: Ifindex = 14
The Ifindex is what you want to put in the bracket.
as far as i can see, this does not work on an ASA.
The best i can do is show snmp-server oidlist which gives:
ASA/CONTEXT/pri/act# show snmp-server oidlist -------------------------------------------------  18.104.22.168.22.214.171.124. sysDescr .....  126.96.36.199.188.8.131.52. ifNumber  184.108.40.206.220.127.116.11.1.1. ifIndex .....
So now i have to see that i can run a getif or snmpwalk tool to read the oid.
Yes, that is what you would need to do in order to get the ifIndex number for each interface.
is it possible to filter by Destination MAC Range?
I want do create a sFlow Sensor for Multicasting Traffic only. I'm aware of that MAC is layer2 and xFlow is layer3-based. Thanks a lot!
Since a MAC address is a hex format number, it's not possible to enter a range like 1-F. Instead you can use * as placeholders.
Felix Wiesneth - Team Tech Support
Thanks for your response. I tried, but failed...
I used the following Include-Filter: (MAC[01-00-5E-0*--] OR MAC[01-00-5E-1*--] OR MAC[01-00-5E-2*--] OR MAC[01-00-5E-3*--] OR MAC[01-00-5E-4*--] OR MAC[01-00-5E-5*--] OR MAC[01-00-5E-6*--] OR MAC[01-00-5E-7*--])
But sflow Sensor does not show any data.
A second sensor with IP based Include-Filter, does show Traffic with multicast MAC Adresses (SourceIP[18.104.22.168/4] OR DestinationIP [22.214.171.124/4])
Show DestinationMAC: 01-00-5E-7F-FF-FA
Am I doing wrong, or should it work? I guess using MAC includes Source- AND Destination-MAC?
Unfortunately, I was wrong. The MAC filter doesn't support placeholders, so you'd need to enter the whole thing or filter on a different property.
Felix Wiesneth - Team Tech Support