What is the filter rule syntax? What xFlow (NetFlow/sFlow/jFlow) and IPFIX filter parameters are supported by PRTG?
Created on Feb 3, 2010 2:34:58 PM by
Last change on Sep 30, 2013 3:46:29 PM by
What filter rules can be used for custom Packet Sniffing, xFlow, or IPFIX sensors?
15 Replies
Accepted Answer
This article applies to PRTG Network Monitor 19 or later
Filter Rules for Custom Packet Sniffing, xFlow, or IPFIX Sensors
Note: For details (for example, additional rules), see PRTG Manual: Filter Rules for xFlow, IPFIX and Packet Sniffer Sensors.
Filter rules are used for the include filter, exclude filter, and channel definition fields of custom packet sniffer, NetFlow, sFlow, jFlow, and IPFIX sensors.
Filter rules are based on the following format:
field[filter]
Valid fields are:
- IP
- Port
- SourceIP
- SourcePort
- DestinationIP
- DestinationPort
- Protocol (values: TCP, UDP, ICMP, OSPFIGP, or any number)
- ToS
- DSCP
Additional Packet Sniffer Fields:
- MAC
- SourceMAC
- DestinationMAC
- EtherType (values IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, or any number)
- VlanPCP
- VlanID
- TrafficClass
- FlowLabel
Additional NetFlow v5 / jFlow fields:
- Interface
- ASI
- InboundInterface
- OutboundInterface#
- SenderIP
- SourceASI
- DestinationASI
Additional NetFlow v9 and IPFIX fields:
- Interface
- ASI
- InboundInterface
- OutboundInterface
- SenderIP
- SourceASI
- DestinationASI
- MAC
- SourceMAC
- DestinationMAC
- Mask
- DestinationMask
- Note: 'Masks' represent subnet masks in the form of a single number ('number of contiguous bits')
- NextHop (IP address)
- VLAN
- SourceVLAN
- DestinationVLAN
- Note: 'VLANs' represent a VLAN identifier
Additional sFlow fields:
- Interface
- InboundInterface
- OutboundInterface
- SenderIP
- MAC
- SourceMAC
- DestinationMAC
Data Formats:
- IP fields support wildcards (*), range (10-20) and hostmask ( /10, /255.255.0.0) syntax (all IPv4 only), as well as DNS names.
- Number fields support range (80-88) syntax.
- Protocol and EtherType fields support numbers and a list of predefined constants.
Samples:
SourceIP[10.0.0.1] SourceIP[10.*.*.*] SourceIP[10.0.0.0/10] DestinationIP[10.0.0.120-130] DestinationPort[80-88] Protocol[UDP]
Complex expressions can be created using parentheses and and, or, or and not:
Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])
More
Created on Feb 3, 2010 2:35:17 PM by
Last change on May 20, 2019 11:55:46 AM by
This may be a dumb question but I want to make sure. Would
| IP[192.168.0.0/20] OR IP[192.168.50.0/20] |
catch packets to/from machines on the 192.168.0.0/20 and 192.168.50.0/20 ranges the same way
| SourceIP[192.168.0.0/20] OR DestinationIP[192.168.0.0/20] OR SourceIP[192.168.50.0/20] OR DestinationIP[192.168.50.0/20] |
does?
I'm thinking yes, but that is not actually covered in the manual as far as I can tell and I'm trying to simplify some of my packet filtering rules.
Thanks!
Created on Jan 31, 2019 6:12:50 PM by
Last change on Jan 31, 2019 7:07:26 PM by
Dear SwissJay,
yes. SourceIP[x] or DestinationIP[x] is the same as IP[x].
Created on Feb 1, 2019 12:27:41 PM by
In ASDM i have enabled netflow on a Cisco ASA with 6 interfaces. There is nothing to specify - just the ip address, udp port nr and a flow timeout.
How do i find out what interface[x] number i have to use in the filter settings to see netflow for 1 particular interface?
Joopv,
You would need to check the interface database on the ASA itself to get the interface ID number. This is what you can use to filter for particular interfaces with the sensor.
Let me know if you have any other questions.
Benjamin Day
Paessler Support
Created on Mar 5, 2019 2:19:00 AM by
Thanks,
This is a multi-context ASA. I use the interface number as shown in the show interface detail output from the customer context:
FWA001/admin/pri/act# changeto context CUST
FWA001/CUST/pri/act# sh int
FWA001/CUST/pri/act# sh int detail
Interface outside "OUTSIDE", is up, line protocol is up
MAC address cafe.0000.0003, MTU 1500
IP address xx.xxx.xxx.xxx, subnet mask 255.255.255.128
Traffic Statistics for "OUTSIDE":
36594096995 packets input, 10412221732643 bytes
56833897249 packets output, 20034886444477 bytes
52327144 packets dropped
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
So, i use : Interface[1] in the Include filter settings. But that does not give any output at all....
Created on Mar 25, 2019 11:25:54 AM by
Last change on Mar 25, 2019 8:34:52 PM by
Joopv,
Try using InboundInterface and OutboundInterface instead of just interface.
Benjamin Day
Paessler Support
Created on Mar 25, 2019 8:36:45 PM by
InboundInterface[1] and OutboundInterface[1] in Include filter also does nog give any output.
Maybe i should first check the ASA netflow config completely on the CLI, instead of trusting the GUI of ASDM..
Joopv,
Yes, and you need to confirm the interface IDs.
Can you try running the following command via the CLI on the ASA?
show snmp mib ifmib ifindex
The output should look similar to this.
YourRouter#show snmp mib ifmib ifindex FastEthernet0/1/7: Ifindex = 10 FastEthernet0/1/5: Ifindex = 8 GigabitEthernet0/1: Ifindex = 2 Vlan2: Ifindex = 18 FastEthernet0/1/3: Ifindex = 6 FastEthernet0/1/1: Ifindex = 4 Vlan504: Ifindex = 20 GigabitEthernet0/1.1: Ifindex = 17 VoIP-Null0: Ifindex = 12 Loopback0: Ifindex = 15 Null0: Ifindex = 13 FastEthernet0/1/6: Ifindex = 9 GigabitEthernet0/0: Ifindex = 1 FastEthernet0/1/4: Ifindex = 7 Vlan1: Ifindex = 14
The Ifindex is what you want to put in the bracket.
Benjamin Day
Paessler Support
Created on Apr 3, 2019 10:57:08 PM by
as far as i can see, this does not work on an ASA.
The best i can do is show snmp-server oidlist which gives:
ASA/CONTEXT/pri/act# show snmp-server oidlist ------------------------------------------------- [0] 1.3.6.1.2.1.1.1. sysDescr ..... [11] 1.3.6.1.2.1.2.1. ifNumber [12] 1.3.6.1.2.1.2.2.1.1. ifIndex .....
So now i have to see that i can run a getif or snmpwalk tool to read the oid.
Created on May 2, 2019 7:34:38 PM by
Last change on May 3, 2019 10:02:36 PM by
Joopv,
Yes, that is what you would need to do in order to get the ifIndex number for each interface.
Benjamin Day
Paessler Support.
Created on May 3, 2019 10:03:48 PM by
Hello,
is it possible to filter by Destination MAC Range?
I want do create a sFlow Sensor for Multicasting Traffic only. I'm aware of that MAC is layer2 and xFlow is layer3-based. Thanks a lot!
Kind Regards
Robert
Created on May 8, 2020 1:05:26 PM by
Hi Robert,
Since a MAC address is a hex format number, it's not possible to enter a range like 1-F. Instead you can use * as placeholders.
Kind regards
Felix Wiesneth - Team Tech Support
Created on May 8, 2020 7:24:16 PM by
Last change on May 13, 2020 11:04:13 AM by
Hi Felix,
Thanks for your response. I tried, but failed...
I used the following Include-Filter: (MAC[01-00-5E-0*--] OR MAC[01-00-5E-1*--] OR MAC[01-00-5E-2*--] OR MAC[01-00-5E-3*--] OR MAC[01-00-5E-4*--] OR MAC[01-00-5E-5*--] OR MAC[01-00-5E-6*--] OR MAC[01-00-5E-7*--])
But sflow Sensor does not show any data.
A second sensor with IP based Include-Filter, does show Traffic with multicast MAC Adresses (SourceIP[224.0.0.0/4] OR DestinationIP [224.0.0.0/4])
Show DestinationMAC: 01-00-5E-7F-FF-FA
Am I doing wrong, or should it work? I guess using MAC includes Source- AND Destination-MAC?
Created on May 12, 2020 2:08:22 PM by
Hi Robert,
Unfortunately, I was wrong. The MAC filter doesn't support placeholders, so you'd need to enter the whole thing or filter on a different property.
Kind regards
Felix Wiesneth - Team Tech Support
Created on May 13, 2020 11:04:55 AM by
Please log in or register to enter your reply.
Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.
Add comment