What filter rules can be used for custom Packet Sniffing, xFlow, or IPFIX sensors?


What is the filter rule syntax? What xFlow (NetFlow/sFlow/jFlow) and IPFIX filter parameters are supported by PRTG?

custom-sensor filter include ipfix jflow netflow packet-sniffing prtg sflow xflow

Created on Feb 3, 2010 2:34:58 PM by  Jens Rupp [Paessler Support]

Last change on Sep 30, 2013 3:46:29 PM by  Gerald Schoch [Paessler Support]



11 Replies

Accepted Answer


This article applies to PRTG Network Monitor 19 or later

Filter Rules for Custom Packet Sniffing, xFlow, or IPFIX Sensors

Note: For details (for example, additional rules), see PRTG Manual: Filter Rules for xFlow, IPFIX and Packet Sniffer Sensors.


Filter rules are used for the include filter, exclude filter, and channel definition fields of custom packet sniffer, NetFlow, sFlow, jFlow, and IPFIX sensors.

Filter rules are based on the following format:

field[filter]

Valid fields are:

  • IP
  • Port
  • SourceIP
  • SourcePort
  • DestinationIP
  • DestinationPort
  • Protocol (values: TCP, UDP, ICMP, OSPFIGP, or any number)
  • ToS
  • DSCP

Additional Packet Sniffer Fields:

  • MAC
  • SourceMAC
  • DestinationMAC
  • EtherType (values IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, or any number)
  • VlanPCP
  • VlanID
  • TrafficClass
  • FlowLabel

Additional NetFlow v5 / jFlow fields:

  • Interface
  • ASI
  • InboundInterface
  • OutboundInterface
  • SenderIP
  • SourceASI
  • DestinationASI

Additional NetFlow v9 and IPFIX fields:

  • Interface
  • ASI
  • InboundInterface
  • OutboundInterface
  • SenderIP
  • SourceASI
  • DestinationASI
  • MAC
  • SourceMAC
  • DestinationMAC
  • Mask
  • DestinationMask
    • Note: 'Masks' represent subnet masks in the form of a single number ('number of contiguous bits')
  • NextHop (IP address)
  • VLAN
  • SourceVLAN
  • DestinationVLAN
    • Note: 'VLANs' represent a VLAN identifier

Additional sFlow fields:

  • Interface
  • InboundInterface
  • OutboundInterface
  • SenderIP
  • MAC
  • SourceMAC
  • DestinationMAC

Data Formats:

  • IP fields support wildcards (*), range (10-20) and hostmask (/10, /255.255.0.0) syntax (all IPv4 only), as well as DNS names.
  • Number fields support range (80-88) syntax.
  • Protocol and EtherType fields support numbers and a list of predefined constants.

Samples:

SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]

Complex expressions can be created using parentheses and the operators and, or, and not:

Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])


Created on Feb 3, 2010 2:35:17 PM by  Jens Rupp [Paessler Support]

Last change on May 20, 2019 11:55:46 AM by  Brandy Mauff [Paessler Support]




This may be a dumb question but I want to make sure. Would

IP[192.168.0.0/20] OR IP[192.168.50.0/20]

catch packets to/from machines on the 192.168.0.0/20 and 192.168.50.0/20 ranges the same way

SourceIP[192.168.0.0/20] OR DestinationIP[192.168.0.0/20] OR SourceIP[192.168.50.0/20] OR DestinationIP[192.168.50.0/20]

does?

I'm thinking yes, but that is not actually covered in the manual as far as I can tell and I'm trying to simplify some of my packet filtering rules.

Thanks!

Created on Jan 31, 2019 6:12:50 PM by  SwissJay (40)

Last change on Jan 31, 2019 7:07:26 PM by  Dariusz Gorka [Paessler Support]




Dear SwissJay,

Yes. SourceIP[x] or DestinationIP[x] is the same as IP[x].

Created on Feb 1, 2019 12:27:41 PM by  Arne Seifert [Paessler Support]




In ASDM I have enabled NetFlow on a Cisco ASA with 6 interfaces. There is nothing to specify - just the IP address, UDP port number and a flow timeout.

How do I find out what Interface[x] number I have to use in the filter settings to see NetFlow for one particular interface?

Created on Feb 28, 2019 4:38:05 PM by  joopv (0)




Joopv,

You would need to check the interface database on the ASA itself to get the interface ID number. This is what you can use to filter for particular interfaces with the sensor.

Let me know if you have any other questions.

Benjamin Day
Paessler Support

Created on Mar 5, 2019 2:19:00 AM by  Benjamin Day [Paessler Support]




Thanks,

This is a multi-context ASA. I use the interface number as shown in the show interface detail output from the customer context:

FWA001/admin/pri/act# changeto context CUST
FWA001/CUST/pri/act# sh int


FWA001/CUST/pri/act# sh int detail
Interface outside "OUTSIDE", is up, line protocol is up
        MAC address cafe.0000.0003, MTU 1500
        IP address xx.xxx.xxx.xxx, subnet mask 255.255.255.128
  Traffic Statistics for "OUTSIDE":
        36594096995 packets input, 10412221732643 bytes
        56833897249 packets output, 20034886444477 bytes
        52327144 packets dropped
  Control Point Interface States:
        Interface number is 1
        Interface config status is active
        Interface state is active

So, I use Interface[1] in the Include filter settings. But that does not give any output at all.

Created on Mar 25, 2019 11:25:54 AM by  joopv (0)

Last change on Mar 25, 2019 8:34:52 PM by  Benjamin Day [Paessler Support]




Joopv,

Try using InboundInterface and OutboundInterface instead of just interface.

Benjamin Day
Paessler Support

Created on Mar 25, 2019 8:36:45 PM by  Benjamin Day [Paessler Support]




InboundInterface[1] and OutboundInterface[1] in the Include filter also do not give any output.

Maybe I should first check the ASA NetFlow config completely on the CLI instead of trusting the ASDM GUI.

Created on Apr 3, 2019 11:07:34 AM by  joopv (0)




Joopv,

Yes, and you need to confirm the interface IDs.

Can you try running the following command via the CLI on the ASA?

show snmp mib ifmib ifindex

The output should look similar to this.

YourRouter#show snmp mib ifmib ifindex
FastEthernet0/1/7: Ifindex = 10
FastEthernet0/1/5: Ifindex = 8
GigabitEthernet0/1: Ifindex = 2
Vlan2: Ifindex = 18
FastEthernet0/1/3: Ifindex = 6
FastEthernet0/1/1: Ifindex = 4
Vlan504: Ifindex = 20
GigabitEthernet0/1.1: Ifindex = 17
VoIP-Null0: Ifindex = 12
Loopback0: Ifindex = 15
Null0: Ifindex = 13
FastEthernet0/1/6: Ifindex = 9
GigabitEthernet0/0: Ifindex = 1
FastEthernet0/1/4: Ifindex = 7
Vlan1: Ifindex = 14

The Ifindex is what you want to put in the bracket.

Benjamin Day
Paessler Support

Created on Apr 3, 2019 10:57:08 PM by  Benjamin Day [Paessler Support]




As far as I can see, this does not work on an ASA.

The best I can do is show snmp-server oidlist, which gives:

ASA/CONTEXT/pri/act# show snmp-server oidlist

-------------------------------------------------
[0]     1.3.6.1.2.1.1.1.        sysDescr
.....
[11]    1.3.6.1.2.1.2.1.        ifNumber
[12]    1.3.6.1.2.1.2.2.1.1.    ifIndex
.....

So now I have to see whether I can run a getif or snmpwalk tool to read the OID.

Created on May 2, 2019 7:34:38 PM by  joopv (0)

Last change on May 3, 2019 10:02:36 PM by  Benjamin Day [Paessler Support]




Joopv,

Yes, that is what you would need to do in order to get the ifIndex number for each interface.

Benjamin Day
Paessler Support

Created on May 3, 2019 10:03:48 PM by  Benjamin Day [Paessler Support]
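As an added example (not from the thread and not a Paessler tool), this Python helper turns the SNMP walk that joopv plans to run into the filter rule Benjamin Day describes: it reads an snmpwalk of IF-MIB::ifDescr (ifDescr is 1.3.6.1.2.1.2.2.1.2, next to the ifIndex OID 1.3.6.1.2.1.2.2.1.1 shown in the oidlist above) in either the symbolic or the numeric-OID output form, maps each interface name to its ifIndex, and emits the InboundInterface/OutboundInterface rule for one named interface. SAMPLE_WALK is constructed output, as a command such as `snmpwalk -v2c -c <community> <asa-address> IF-MIB::ifDescr` would print it; the interface names and indexes in it are made up.

```python
import re

# Constructed snmpwalk output (not from the page), in both the symbolic form and the
# numeric-OID form that a walk of 1.3.6.1.2.1.2.2.1.2 (ifDescr) prints without MIBs
SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: GigabitEthernet0/0
IF-MIB::ifDescr.2 = STRING: GigabitEthernet0/1
.1.3.6.1.2.1.2.2.1.2.3 = STRING: "Management0/0"
"""

# ifIndex is the instance suffix after ifDescr; the STRING value may or may not be quoted
IFDESCR_RE = re.compile(
    r"^(?:IF-MIB::ifDescr|\.?1\.3\.6\.1\.2\.1\.2\.2\.1\.2)\.(\d+)\s*=\s*STRING:\s*\"?(.*?)\"?\s*$",
    re.MULTILINE)

def ifindex_table(walk_output):
    """Map interface description -> ifIndex from an snmpwalk of IF-MIB::ifDescr."""
    return {name: int(index) for index, name in IFDESCR_RE.findall(walk_output)}

def interface_filter(walk_output, ifname):
    """Build the PRTG include filter that selects flows entering or leaving one interface."""
    table = ifindex_table(walk_output)
    if ifname not in table:
        raise KeyError(f"{ifname!r} not found in walk; known interfaces: {sorted(table)}")
    idx = table[ifname]
    return f"InboundInterface[{idx}] or OutboundInterface[{idx}]"
```

On a multi-context ASA, run the walk against the context whose interfaces you are filtering, since each context has its own interface table.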


