Netflow Various channel

Thank you for your reply. Much appreciated. Can you tell me where it logs this to the disk?

Dear denstjames

The log usually appears in C:\ProgramData\Paessler\PRTG Network Monitor\StreamLog.

Thank you

Another question. I copied the FlowRules.osr to a new file called customflowrules.osr and modified this to include the new channels as stated in the document I found online. I then saved the customflowrules.osr into the PRTG folder where the FlowRules.osr resides and rebooted my prtg server. The instructions say that it will overwrite the FlowRules.osr with the changed customflowrules.osr but it still has the original settings and obviously nothing is changed in PRTG. Is there a log or something to check why it did not overwrite this and take these changes or did I miss a step?

Here is an example of my customflowrules.osr. Really the most important one I am looking for is the SQL section but I added a few under infrastructure section as well just to test out some things since I was seeing traffic on those ports.

<!-- This file is used for the filter settings of all not custom flow sensors (Packet Sniffer, NetFlow V5 & V9, IPFIX, sFlow). Copy this file to "CustomFlowRules.osr" to prevent the installer from overriding your changes on the next update. Changes affect existing sensors! Check all changes in a testing environment before using productive. Channel and group IDs should stay the same so PRTG can match the channels with the configuration and historic data. "defaultvalue" setting for groups: 0=no 1=yes 2=detail As with custom rule settings the channels are processed top to bottom. Specific rules should be before more general rules like the "Various" rule. For the rule syntax check the PRTG manual. --> <?xml version="1.0" encoding="ISO8859-1"?> <groups> </group> <group id="2000" name="SQL"> <caption>SQL Traffic</caption> <help>SQL Traffic</help> <defaultvalue>1</defaultvalue> <channels> <channel id="2000" name="SQL"> <rule> Protocol[TCP] and (DestinationPort[1433]) </rule> </channel> </channels> </group> <group id="3001" name="WWW"> <caption>Web</caption> <help>WWW Traffic</help> <defaultvalue>1</defaultvalue> <channels> <channel id="1001" name="HTTP"> <rule> Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080]) </rule> </channel> <channel id="1023" name="HTTPS"> <rule> Protocol[TCP] and (SourcePort[443] or DestinationPort[443]) </rule> </channel> </channels> </group> <group id="3002" name="FTP/P2P"> <caption>File Transfer</caption> <help>File Transfer</help> <defaultvalue>1</defaultvalue> <channels> <channel id="1024" name="FTP (Control)"> <rule> Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21]) </rule> </channel> </channels> </group> <group id="3003" name="Mail"> <caption>Mail</caption> <help>Mail Traffic</help> <defaultvalue>1</defaultvalue> <channels> <channel id="1006" name="IMAP"> <rule> (Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] ) </rule> </channel> <channel id="1008" name="POP3"> <rule> Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995]) </rule> </channel> <channel id="1011" name="SMTP"> <rule> Protocol[TCP] and (SourcePort[25] or DestinationPort[25]) </rule> </channel> <channel id="1012" name="CAS to Mailbox Sync"> <rule> Protocol[TCP] and (DestinationPort[444] or DestinationPort[475]) </rule> </channel> </channels> </group> <group id="3004" name="Chat"> <caption>Chat</caption> <help>Chat, Instant Messaging</help> <defaultvalue>1</defaultvalue> <channels> <channel id="1007" name="IRC"> <rule> Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667]) </rule> </channel> <channel id="1025" name="AIM"> <rule> Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190]) </rule> </channel> </channels> </group> <group id="3005" name="Remote Control"> <caption>Remote Control</caption> <help>Remote Control</help> <defaultvalue>1</defaultvalue> <channels> <channel id="1009" name="RDP"> <rule> (Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389]) </rule> </channel> <channel id="1014" name="SSH"> <rule> Protocol[TCP] and (SourcePort[22] or DestinationPort[22]) </rule> </channel> <channel id="1016" name="Telnet"> <rule> Protocol[TCP] and (SourcePort[23] or DestinationPort[23]) </rule> </channel> <channel id="1017" name="VNC"> <rule> Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900]) </rule> </channel> </channels> </group> <group id="3007" name="Infrastructure"> <caption>Infrastructure</caption> <help>Network Services</help> <defaultvalue>2</defaultvalue> <channels> <channel id="1003" name="DHCP"> <rule> Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) ) </rule> </channel> <channel id="1004" name="DNS"> <rule> (Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53]) </rule> </channel> <channel id="1005" name="Ident"> <rule> Protocol[TCP] and (SourcePort[113] or DestinationPort[113]) </rule> </channel> <channel id="1018" name="ICMP"> <rule> Protocol[ICMP] </rule> </channel> <channel id="1012" name="SNMP"> <rule> Protocol[TCP] and (SourcePort[161-162] or DestinationPort[161-162]) </rule> </channel> <channel id="1013" name="SMB Shares"> <rule> Protocol[TCP] and (DestinationPort[445]) </rule> </channel> <channel id="1014" name="SYSLOG"> <rule> Protocol[UDP] and (DestinationPort[514]) </rule> </channel> <channel id="1015" name="LDAP"> <rule> Protocol[UDP] and (DestinationPort[636]) </rule> </channel> </channels> <channel id="1016" name="SSH"> <rule> Protocol[TCP] and (DestinationPort[22]) </rule> </channel> </group> <group id="3008" name="NetBIOS"> <caption>NetBIOS</caption> <help>NetBIOS</help> <defaultvalue>1</defaultvalue> <channels> <channel id="1019" name="NETBIOS"> <rule> (Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR SourcePort[137-139]) </rule> </channel> </channels> </group> <group id="3010" name="Citrix"> <caption>Citrix</caption> <help>Citrix</help> <defaultvalue>1</defaultvalue> <channels> <channel id="1026" name="Citrix"> <rule> Protocol[TCP] and (Port[1494] or Port[2598] or Port[2512]) </rule> </channel> </channels> </group>

<group id="3009" name="Various"> <caption>Other Protocols</caption> <help>Various</help> <defaultvalue>1</defaultvalue> <channels> <channel id="1021" name="OtherUDP"> <rule> Protocol[UDP] </rule> </channel> <channel id="1022" name="OtherTCP"> <rule> Protocol[TCP] </rule> </channel> </channels> </group> </groups>

Dear denstjames

New channels only appear if you also create the flow sensor anew.

Is PRTG planning to make this data available in the user interface, make it possible to dig deeper? The fact that we cannot see the detailed traffic that is in a channel is making this sensor, well not useless but really limited.

As the first poster mentioned it is easy to see in Solardwinds and other products. Running a log file and searching through it makes no sense as we cannot predict when the issue that will need further analysis will arise. As mentioned leaving the log activated is not recommended.

Should we separate every flow in a different group in the .osr file and not use sub channels to have a specific view of some trafic? This also implies that we taught in advance what will need debugging.

Is there any viable options to be able to check some specific things and dig deeper after the fact in NetFlow data instead of just having summarized info?

Hello,

flow storage comes with quite some performance impact. We develop PRTG as traditional Network Monitor, focusing mostly on overall bandwidth, and on the status of network hardware.

For specialized tasks, other products are available, like Scrutinizer in order to inspect traffic based on flows.