What filter rules can be used for custom Packet Sniffing, xFlow, or IPFIX sensors?


What is the filter rule syntax? What xFlow (NetFlow/sFlow/jFlow) and IPFIX filter parameters are supported by PRTG?

custom-sensor filter include ipfix jflow netflow packet-sniffing prtg sflow xflow

Created on Feb 3, 2010 2:34:58 PM by  Jens Rupp [Paessler Support]

Last change on Sep 30, 2013 3:46:29 PM by  Gerald Schoch [Paessler Support]



3 Replies

Accepted Answer


This article applies to PRTG Network Monitor 16 or later

Filter Rules for Custom Packet Sniffing, xFlow, or IPFIX Sensors

Note: For details (i.e., additional rules), please see PRTG Manual: Filter Rules for xFlow, IPFIX and Packet Sniffer Sensors.


Filter rules are used for the include, exclude and channel definition fields of custom packet sniffer, NetFlow, sFlow, jFlow, and IPFIX sensors.

Filter rules are based on the following format:

field[filter]

Valid fields are:

  • IP
  • Port
  • SourceIP
  • SourcePort
  • DestinationIP
  • DestinationPort
  • Protocol (values: TCP, UDP, ICMP, OSPFIGP or any number)
  • ToS
  • DSCP

Additional Packet Sniffer Fields:

  • MAC
  • SourceMAC
  • DestinationMAC
  • EtherType (values: IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX or any number)
  • VlanPCP
  • VlanID
  • TrafficClass
  • FlowLabel

Additional NetFlow v5 / jFlow fields:

  • Interface
  • ASI
  • InboundInterface
  • OutboundInterface
  • SourceASI
  • DestinationASI

Additional NetFlow v9 and IPFIX fields:

  • Interface
  • ASI
  • InboundInterface
  • OutboundInterface
  • SenderIP
  • SourceASI
  • DestinationASI
  • MAC
  • SourceMAC
  • DestinationMAC
  • Mask
  • SourceMask
  • DestinationMask
    • Note: 'Masks' represent subnet masks in the form of a single number ('number of contiguous bits')
  • NextHop (IP address)
  • VLAN
  • SourceVLAN
  • DestinationVLAN
    • Note: 'VLANs' represent a VLAN identifier

Additional sFlow fields:

  • Interface
  • InboundInterface
  • OutboundInterface
  • SenderIP
  • MAC
  • SourceMAC
  • DestinationMAC

Data Formats:

  • IP fields support wildcards (*), range (10-20) and hostmask (/10, /255.255.0.0) syntax (all IPv4 only), as well as DNS names.
  • Number fields support range (80-88) syntax.
  • Protocol and EtherType fields support numbers and a list of predefined constants.

Samples:

SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]

Complex expressions can be created using parentheses and and/or/not:

Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])


Created on Feb 3, 2010 2:35:17 PM by  Jens Rupp [Paessler Support]

Last change on Jun 9, 2017 3:08:15 PM by  Gerald Schoch [Paessler Support]




This may be a dumb question but I want to make sure. Would

IP[192.168.0.0/20] OR IP[192.168.50.0/20]

catch packets to/from machines on the 192.168.0.0/20 and 192.168.50.0/20 ranges the same way

SourceIP[192.168.0.0/20] OR DestinationIP[192.168.0.0/20] OR SourceIP[192.168.50.0/20] OR DestinationIP[192.168.50.0/20]

does?

I'm thinking yes, but that is not actually covered in the manual as far as I can tell and I'm trying to simplify some of my packet filtering rules.

Thanks!

Created on Jan 31, 2019 6:12:50 PM by  SwissJay (30)

Last change on Jan 31, 2019 7:07:26 PM by  Dariusz Gorka [Paessler Support]




Dear SwissJay,

yes. SourceIP[x] or DestinationIP[x] is the same as IP[x].

Created on Feb 1, 2019 12:27:41 PM by  Arne Seifert [Paessler Support]
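
The filter grammar from the accepted answer, written out as a small Python evaluator for checking a rule against a flow record before it goes into a sensor. This is an added example, not PRTG's implementation. It assumes `not` binds tighter than `and` and `and` tighter than `or`, that a bare `Port[...]` tests both sides the way the reply above says `IP[...]` does, and that field names are capitalised as in the answer; DNS names are not handled, and `matches`, `atom`, `ip_match`, `in_range`, `CLOSE` and the `SAMPLE` flow are names made up for this sketch.

```python
import ipaddress
import re

TOKEN = re.compile(r"\s*(?:(\w+)\[([^\]]*)\]|(\(|\)|and\b|or\b|not\b))", re.I)
PROTOCOLS = {"ICMP": 1, "TCP": 6, "UDP": 17, "OSPFIGP": 89}  # IANA protocol numbers
CLOSE = {"(": ")", "start": "end"}  # group opener -> token that must close it
SAMPLE = {"SourceIP": "10.0.0.125", "DestinationIP": "198.51.100.7",  # constructed flow,
          "SourcePort": 50000, "DestinationPort": 80, "Protocol": 6}  # not captured traffic

def in_range(want, got):
    lo, _, hi = want.partition("-")  # "80", "80-88" or "*"
    return want == "*" or int(lo) <= int(got) <= int(hi or lo)

def ip_match(spec, addr):
    if "/" in spec:  # hostmask: /10 or /255.255.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return all(in_range(w, g) for w, g in zip(spec.split("."), addr.split(".")))

def atom(field, spec, flow):
    if field == "Protocol":
        return flow[field] == (PROTOCOLS.get(spec.upper()) or int(spec))
    kind = "IP" if field.endswith("IP") else "Port"  # bare IP[..]/Port[..] tests both sides
    sides = [field] if field != kind else ["Source" + kind, "Destination" + kind]
    return any((ip_match if kind == "IP" else in_range)(spec, flow[s]) for s in sides)

def matches(rule, flow):
    if TOKEN.sub("", rule).strip():
        raise ValueError("unparsable text in rule: " + rule)
    toks, pos = [("", "", "start")] + TOKEN.findall(rule) + [("", "", "end")], 0
    def chain(op, operand):  # a op b op c; operand() always runs, so tokens are never skipped
        nonlocal pos
        val = operand()
        while toks[pos][2].lower() == op:
            pos += 1
            val = (operand() or val) if op == "or" else (operand() and val)
        return val
    def primary():
        nonlocal pos
        field, spec, op = toks[pos]
        pos += 1
        if op.lower() == "not":
            return not primary()
        if field:
            return atom(field, spec, flow)
        val = chain("or", lambda: chain("and", primary)) if op in CLOSE else None
        if val is None or toks[pos][2] != CLOSE[op]:
            raise ValueError("malformed rule: " + rule)
        pos += 1
        return val
    return primary()
```

Call `matches(rule, flow)` with a dict shaped like `SAMPLE`; a field the dict does not contain raises `KeyError` rather than silently not matching.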


