How can I change the default groups and channels for xFlow and Packet Sniffer sensors?

I would like to adjust the available groups and channels in the channel configuration of the default Packet Sniffer, NetFlow V5 and NetFlow V9, IPFIX, and sFlow sensors. Furthermore, I would like to remove groups and channels that are not suitable for my network setup from the channel selection and add my own definitions to it.

How can I change the default channel configuration settings so that I do not have to create an individual custom Flow or Packet Sniffer sensor each time anew to make it applicable to my network?

channel-configuration customize flow netflow packet-sniffer prtg sflow xflow

Created on Apr 15, 2014 3:04:53 PM by  Gerald Schoch [Paessler Support]

Last change on Mar 18, 2015 2:54:39 PM by  Martina Wittmann [Paessler Support]



7 Replies

Accepted Answer

This article applies to PRTG Network Monitor 14.x.10 or later

Adjusting the Default xFlow and Packet Sniffer Channel Configuration

The default xFlow (NetFlow V5/V9, IPFIX, sFlow) and Packet Sniffer sensors provide several categories to which you can also account the measured traffic. You can define if a traffic group counts as an own separate channel (or as assigned to a standard channel) and if the traffic of this group is further divided into individual channels. By default, PRTG creates one sensor channel for each available group as shown in the screenshot below.

Default Channel Selection

Because the default channel selection might not be suitable for certain use cases, you can edit the flow rules to get a new custom “default” channel configuration. By editing the corresponding file, you will be able to

  • adjust default settings for the channel groups: create one channel for the whole traffic group (“Yes”), or create several channels to further divide them (“Detail”), or do not create any channel and count the traffic of this group for the default channel “Other” (“No”) by default.
  • enhance existing channels, e.g., if other ports are used than the default ports.
  • add new groups and channels that you use often: this is easier and faster than defining them in custom xFlow and Packet Sniffer sensors.
  • remove channels that you do not need or that are not applicable to your setup.

Editing Flow Rules

In order to change the default groups and channels, you have to edit the file flowrules.osr accordingly. Please consider the instructions below.

CAUTION: If you edit this file, ALL xFlow and Packet Sniffer sensors will be changed! This also applies to already existing sensors! Please note that changing the detail level No / Yes / Detail will only affect sensors which are created anew. We strongly recommend testing any changes in a test environment before applying them to your productive installation! If you delete this file, PRTG will use the default settings again.

  • You can find the editable file flowrules.osr in your PRTG Network Monitor installation folder.
  • Create a copy of the file flowrules.osr and rename the copy to customflowrules.osr. This way, you prevent the installer from overriding your custom rules when updating PRTG. Note: PRTG will override the flowrules.osr file as soon as there exists a file named customflowrules.osr. Any differently named osr-file is disregarded.
  • Open the created file customflowrules.osr with a text editor.
  • When editing the file, keep the channel and group IDs as they are. If you do not change the IDs, PRTG can match the channels with the configuration and historic data.
  • The definitions will be processed starting at the topmost entry consecutively to the bottom. Because of this, define specific rules before more general rules (e.g., like the “Various” traffic group).
  • You can individually define the default setting for each group how detailed the traffic will be split into channels with a default value. Please see below for more information.
  • For details on the syntax of the filter rules, please refer to the Filter Rules for xFlow, IPFIX and Packet Sniffer Sensors in the PRTG Manual.
  • The changes to the flow rules will apply after a restart of your PRTG server.

Structure of the Flow Rules File

The basic structure of the file with the flow rules looks like this:

<!-- explanation -->
<?xml declaration>
<groups>
  <group id="unique integer" name="unique name">
    <caption>displayed group name</caption>
    <help>displayed text for content</help>
    <defaultvalue>0, 1, or 2</defaultvalue>
    <channels>
      <channel id="unique integer" name="displayed channel name">
        <rule>
          traffic filter rule
        </rule>
      </channel>

      [several other channel definitions]

    </channels>
  </group>

  [several other group definitions]

</groups>

  • The default flowrules.osr file starts with an explanation of the flow rules’ functionality between the comment tags <!-- and -->. Keep this in customflowrules.osr to always have a quick overview about editing the file.
  • The <?xml> tag defines the content as XML.
  • Within the <groups> tag, all groups and their channels are defined.
  • Each group is defined within one dedicated <group> tag. Each group needs a unique ID (which you should not change for existing groups) and a unique name to identify this group.
  • A group definition contains the following:
    • <caption>: The caption will be shown in the Group column of the sensors’ channel configuration.
    • <help>: The help text will be shown in the Content column in front of the actual channel names.
    • <defaultvalue>: This sets the default setting for traffic division. You can use
      • 1 for the Yes setting (i.e., create one channel for the traffic group),
      • 2 for the Detail setting (i.e., create several channels to further divide the traffic),
      • 0 for the No setting (i.e., traffic of this group will count for the Other channel).
    • <channels>: Define the channels of a traffic group within this tag.
  • The channels tag contains single channel definitions with the corresponding traffic rules.
    • One channel definition is given in one <channel> tag. This tag contains parameters for a unique ID (which you should not change for existing channels) and for a name which will be displayed for this channel.
    • Within the <channel> tag, define the filter rule for this channel within the <rule> tag. The syntax to use is given in the PRTG manual.

Created on Apr 15, 2014 3:14:37 PM by  Gerald Schoch [Paessler Support]

Last change on Jan 18, 2017 12:15:42 PM by  Felix Saure [Paessler Support]



Hello, we are currently using custom flows definition, but we are experiencing an annoying behavior. We've been giving a try to Netflow sensors on PRTG, which we found quite useful. But we also decided to customize it a bit using the customnetflowrules.osr definition file. This being said, it worked well, until we realized that the sensors created before using the customflowrules.osr file were not displaying the new channels on existing netflow data, although the channel was present in the settings. Now each time we edit the customflowrules.osr, we have to re-create the netflow (v9) sensors to map the data to the edited channels, which is very painful when running 200+ netflow sensors. Is there any way not to recreate manually the sensors every time we edit the custom channels? Or maybe "restarting" the channel among netflow data?

Created on Feb 9, 2016 1:37:30 PM by  prtg_pew (0) 1



Hello prtg_pew, thank you for your feedback.

When editing the flowrules.osr file, keep the channel and group IDs as they are. If you do not change the IDs, PRTG can match the channels with the configuration and historic data. If you, for instance, delete or rename a group, existing sensors may not update those changes correctly, as sensor channels can't be modified/deleted.

You should always "experiment" by using an xFlow (Custom) sensor variant. Once you're "satisfied" with your flow definition, update the standard flowrules file and then deploy the final sensors; otherwise you may need to delete and re-create your flow sensors multiple times.

Best Regards,

Created on Feb 10, 2016 2:33:23 PM by  Luciano Lingnau [Paessler Support]



Hello, I'm testing PRTG version 16.2.24.3791.

I'm having some issues adjusting the default xFlow and Packet Sniffer Channel Configuration for a Packet Sniffer Sensor.

First of all, I found in the default FlowRules.osr file that the channel ID for HTTPS and Citrix were the same, Channel id="1023". Could you please let me know if this is correct, as it is said that the Channel id should be unique?

I've created a customflowrules.osr as specified and added the following channels but after restart of the PRTG server it is not showing on the sensor, could you please help.

<!--
This file is used for the filter settings of all not custom flow sensors (Packet Sniffer, NetFlow V5 & V9, IPFIX, sFlow).
Copy this file to "CustomFlowRules.osr" to prevent the installer from overriding your changes on the next update.
Changes affect existing sensors! Check all changes in a testing environment before using productive.
Channel and group IDs should stay the same so PRTG can match the channels with the configuration and historic data.
"defaultvalue" setting for groups: 0=no 1=yes 2=detail
As with custom rule settings the channels are processed top to bottom. Specific rules should be before more general rules like the "Various" rule.
For the rule syntax check the PRTG manual.
-->
<?xml version="1.0" encoding="ISO8859-1"?>
<groups>
  <group id="3001" name="WWW">
    <caption>Web</caption>
    <help>WWW Traffic</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1001" name="HTTP">
        <rule>
            Protocol[TCP] 
               and ( SourcePort[80] or DestinationPort[80] 
                      or SourcePort[8080] or DestinationPort[8080])
          </rule>
      </channel>
      <channel id="1023" name="HTTPS">
        <rule>
            Protocol[TCP] and (SourcePort[443] or DestinationPort[443]) 
          </rule>
      </channel>
    </channels>
  </group>
  <group id="3002" name="FTP/P2P">
    <caption>File Transfer</caption>
    <help>File Transfer</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1024" name="FTP (Control)">
        <rule>
            Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21])
          </rule>
      </channel>
    </channels>
  </group>
  <group id="3003" name="Mail">
    <caption>Mail</caption>
    <help>Mail Traffic</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1006" name="IMAP">
        <rule>
            (Protocol[TCP] or Protocol[UDP]) and   ( DestinationPort[143] or SourcePort[143]  or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993]  )
          </rule>
      </channel>
      <channel id="1008" name="POP3">
        <rule>
            Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])
          </rule>
      </channel>
      <channel id="1011" name="SMTP">
        <rule>
            Protocol[TCP] and (SourcePort[25] or DestinationPort[25] or SourcePort[587] or DestinationPort[587])
          </rule>
      </channel>
    </channels>
  </group>
  <group id="3004" name="Chat">
    <caption>Chat</caption>
    <help>Chat, Instant Messaging</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1007" name="IRC">
        <rule>
            Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])
          </rule>
      </channel>
      <channel id="1025" name="AIM">
        <rule>
            Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190]) 
      </rule>
      </channel>
    </channels>
  </group>
  <group id="3005" name="Remote Control">
    <caption>Remote Control</caption>
    <help>Remote Control</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1009" name="RDP">
        <rule>
            (Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])
          </rule>
      </channel>
      <channel id="1014" name="SSH">
        <rule>
            Protocol[TCP] and (SourcePort[22] or DestinationPort[22])
          </rule>
      </channel>
      <channel id="1016" name="Telnet">
        <rule>
            Protocol[TCP] and (SourcePort[23] or DestinationPort[23])
          </rule>
      </channel>
      <channel id="1017" name="VNC">
        <rule>
            Protocol[TCP] and   (SourcePort[5800] or DestinationPort[5800] or    SourcePort[5900] or DestinationPort[5900])
          </rule>
      <channel id="9000" name="Dameware">
        <rule>
            Protocol[TCP] and   (SourcePort[6129] or DestinationPort[6129])
          </rule>		  
      </channel>
    </channels>
  </group>
  <group id="3007" name="Infrastructure">
    <caption>Infrastructure</caption>
    <help>Network Services</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1003" name="DHCP">
        <rule>
            Protocol[UDP]
              and ((SourcePort[68] and DestinationPort[67])
                    or (SourcePort[67] and DestinationPort[68])  )
          </rule>
      </channel>
      <channel id="1004" name="DNS">
        <rule>
            (Protocol[TCP] or Protocol[UDP]) and   (SourcePort[53] or DestinationPort[53])
          </rule>
      </channel>
      <channel id="1005" name="Ident">
        <rule>
            Protocol[TCP] and (SourcePort[113] or DestinationPort[113])
          </rule>
      </channel>
      <channel id="1018" name="ICMP">
        <rule>
            Protocol[ICMP]
          </rule>
      </channel>
      <channel id="1012" name="SNMP">
        <rule>
            Protocol[TCP] and (SourcePort[161-162] or DestinationPort[161-162])
          </rule>
      </channel>
    </channels>
  </group>
  <group id="3008" name="NetBIOS">
    <caption>NetBIOS</caption>
    <help>NetBIOS</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1019" name="NETBIOS">
        <rule>
            (Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139]  OR SourcePort[137-139])
          </rule>
      </channel>
    </channels>
  </group>
  <group id="3010" name="Citrix">
    <caption>Citrix</caption>
    <help>Citrix</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1026" name="Citrix">
        <rule>
          Protocol[TCP] and (Port[1494] or Port[2598] or Port[2512])
        </rule>
      </channel>
    </channels>
  </group>
  <group id="3011" name="Voice">
    <caption>Voix</caption>
    <help>Voice</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1026" name="SIP">
        <rule>
          Protocol[TCP] and (Port[5060])
        </rule>
      <channel id="1027" name="H323TCP">
        <rule>
          Protocol[TCP] and (Port[1720])
        </rule>
      <channel id="1028" name="H323UDP">
        <rule>
          Protocol[UDP] and (Port[1719])
        </rule>
      <channel id="1029" name="AVAYAUDP">
        <rule>
          Protocol[UDP] and (Port[2048-3329])
        </rule>
      <channel id="1030" name="AVAYATCP">
        <rule>
          Protocol[TCP] and (Port[13926])
        </rule>				
	  <channel id="1031" name="RTP">
        <rule>
          Protocol[UDP] and (Port[2048-3329] or Port[1024-65535])
        </rule>
      </channel>
    </channels>
  </group>
  
  <group id="3009" name="Various">
    <caption>Other Protocols</caption>
    <help>Various</help>
    <defaultvalue>1</defaultvalue>
    <channels>
     <channel id="1021" name="OtherUDP">
        <rule>
            Protocol[UDP]
          </rule>
      </channel>
      <channel id="1022" name="OtherTCP">
        <rule>
            Protocol[TCP]
          </rule>
      </channel>
    </channels>
  </group>
</groups>

Created on Jun 16, 2016 8:04:06 PM by  michaeljasmin (0)

Last change on Jun 17, 2016 6:07:37 AM by  Luciano Lingnau [Paessler Support]



Please check the following:

      <channel id="1017" name="VNC">
        <rule>
            Protocol[TCP] and   (SourcePort[5800] or DestinationPort[5800] or    SourcePort[5900] or DestinationPort[5900])
          </rule>
      <channel id="9000" name="Dameware">
        <rule>
            Protocol[TCP] and   (SourcePort[6129] or DestinationPort[6129])
          </rule>		  
      </channel>

You're not closing the <channel> for id=1017. The same issue also happens a couple of times for group id="3011". You can use any XML validator of your preference to validate the syntax of your file; it must comply with the XML syntax. Leave the "header" out when validating the XML:

<!--
This file is used for the filter settings of all not custom flow sensors (Packet Sniffer, NetFlow V5 & V9, IPFIX, sFlow).
Copy this file to "CustomFlowRules.osr" to prevent the installer from overriding your changes on the next update.
Changes affect existing sensors! Check all changes in a testing environment before using productive.
Channel and group IDs should stay the same so PRTG can match the channels with the configuration and historic data.
"defaultvalue" setting for groups: 0=no 1=yes 2=detail
As with custom rule settings the channels are processed top to bottom. Specific rules should be before more general rules like the "Various" rule.
For the rule syntax check the PRTG manual.
-->



Best Regards,
Luciano Lingnau [Paessler Support]

Created on Jun 17, 2016 8:37:42 AM by  Luciano Lingnau [Paessler Support]

Last change on Jun 17, 2016 8:37:56 AM by  Luciano Lingnau [Paessler Support]
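
The checks discussed in this thread, as an added example that is not part of the original posts and is not Paessler code: a small linter that strips the header comment, reports where the file stops being well-formed, and then flags reused group or channel IDs, defaultvalue entries other than 0, 1 or 2, and channels placed after a catch-all rule for the same protocol. The function name, the sample file and the catch-all heuristic (a rule consisting only of `Protocol[...]`) are assumptions made for illustration; rule syntax itself is not validated.

```python
import re
import xml.etree.ElementTree as ET
from xml.parsers.expat import ErrorString

HEADER = re.compile(r"\A\s*<!--.*?-->\s*", re.DOTALL)       # comment block before <?xml ...?>
CATCH_ALL = re.compile(r"\s*Protocol\[(\w+)\]\s*\Z", re.I)  # rule with no port condition

def lint_flowrules(text):
    """Return a list of findings for the text of a customflowrules.osr file."""
    body = HEADER.sub("", text, count=1)
    skipped = text[: len(text) - len(body)].count("\n")  # report line numbers of the file
    try:
        root = ET.fromstring(body)
    except ET.ParseError as err:
        return [f"not well-formed at line {err.position[0] + skipped}: {ErrorString(err.code)}"]
    findings, seen, catch_alls = [], {}, []
    for el in root.iter():  # document order: rules are processed top to bottom
        if el.tag not in ("group", "channel"):
            continue
        label = f'{el.tag} id="{el.get("id")}" ({el.get("name")})'
        key = (el.tag, el.get("id"))
        if key in seen:
            findings.append(f"{label} reuses the id of {seen[key]}")
        seen.setdefault(key, label)
        if el.tag == "group":
            if (el.findtext("defaultvalue") or "").strip() not in {"0", "1", "2"}:
                findings.append(f"{label}: defaultvalue must be 0, 1 or 2")
            continue
        rule = el.findtext("rule") or ""
        for proto, earlier in catch_alls:
            if re.search(rf"Protocol\[{proto}\]", rule, re.I):
                findings.append(f"{label} is shadowed by earlier catch-all {earlier}")
        match = CATCH_ALL.match(rule)
        if match:
            catch_alls.append((match.group(1), label))
    return findings

# Constructed sample, not a real PRTG file: general rule first, bad defaultvalue, reused id.
SAMPLE = """<!--
Constructed header comment, standing in for the explanation block of the shipped file.
-->
<?xml version="1.0" encoding="ISO8859-1"?>
<groups>
  <group id="3009" name="Various">
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1022" name="OtherTCP"><rule>Protocol[TCP]</rule></channel>
    </channels>
  </group>
  <group id="3011" name="Voice">
    <defaultvalue>3</defaultvalue>
    <channels>
      <channel id="1026" name="SIP"><rule>Protocol[TCP] and (Port[5060])</rule></channel>
      <channel id="1026" name="H323UDP"><rule>Protocol[UDP] and (Port[1719])</rule></channel>
    </channels>
  </group>
</groups>"""
BROKEN = SAMPLE.replace("</channel>", "", 1)  # first channel left unclosed, as in the thread
print(lint_flowrules(SAMPLE), lint_flowrules(BROKEN), sep="\n")
```

Run it against a copy of customflowrules.osr before restarting the PRTG server; an empty list means none of these checks fired.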



This looks like it would be the solution we're looking for. I copied the default FlowRules to CustomFlowRules, added a few groups/channels that I need to monitor and restarted services. The content XML validates fine.

In the PRTG GUI, I can see the new channels show up in the Channel Configuration of the default NetFlow sensor and they are selected yes or detail, but only one out of the 5 or 6 new groups/channels show up in any graphs or tables. If I go to Edit Settings > Channel Settings, only the default Channels plus my one custom one show up, none of the additional groups that I added show up.

How can I get the rest of my custom Groups/channels to show up?

Thanks!

Created on Dec 20, 2016 11:01:13 PM by  mdiorio (0)



Hello there, thank you for your post.

The channels will only be created within the graphs/tables when there is data that matches the channel's definition, otherwise it is "left out".

[...]only the default Channels plus my one custom one show up

Did you take this into consideration when modifying the file:

[...]adjust default settings for the channel groups: create one channel for the whole traffic group (“Yes”), or create several channels to further divide them (“Detail”), or do not create any channel and count the traffic of this group for the default channel “Other” (“No”) by default.

Please contact us via a support ticket and share the modified customflowrules.osr file once you receive the confirmation e-mail.

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Dec 21, 2016 12:14:11 PM by  Luciano Lingnau [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.