
Netflow Various channel


I have NetFlow configured and I found documentation to add a new channel. About 90% of the traffic I am trying to monitor is going into the Various channel. I need to break this out and add more channels, but I am not sure what this traffic is. Where in PRTG can you see the breakdown of all the ports it's monitoring? I have used SolarWinds in the past and I know it's easy to figure this out there, but I do not see any options in PRTG to let me expand the Various channel and see what ports it is seeing.

Thanks

channel netflow prtg

Created on Jan 17, 2017 6:06:27 PM by  denstjames (0) 1



8 Replies

Accepted Answer


Dear denstjames

The sensor interface does not allow you to dig deeper into those flows, but you can enable stream logging in the sensor options and review the log file. Please don't leave this option enabled for too long, as it impacts performance and fills your hard drive fast.

Created on Jan 17, 2017 7:44:57 PM by  Arne Seifert [Paessler Support]




Thank you for your reply. Much appreciated. Can you tell me where it logs this to the disk?

Created on Jan 17, 2017 7:47:30 PM by  denstjames (0) 1




Dear denstjames

The log usually appears in C:\ProgramData\Paessler\PRTG Network Monitor\StreamLog.

Created on Jan 17, 2017 10:02:23 PM by  Arne Seifert [Paessler Support]




Thank you

Created on Jan 18, 2017 12:43:55 PM by  denstjames (0) 1




Another question. I copied the FlowRules.osr to a new file called customflowrules.osr and modified it to include the new channels as stated in the document I found online. I then saved customflowrules.osr into the PRTG folder where FlowRules.osr resides and rebooted my PRTG server. The instructions say that it will overwrite FlowRules.osr with the changed customflowrules.osr, but it still has the original settings and obviously nothing is changed in PRTG. Is there a log or something to check why it did not overwrite this and take these changes, or did I miss a step?

Here is an example of my customflowrules.osr. Really the most important one I am looking for is the SQL section, but I added a few under the Infrastructure section as well just to test out some things, since I was seeing traffic on those ports.

<?xml version="1.0" encoding="ISO8859-1"?>
<!-- This file is used for the filter settings of all not custom flow sensors (Packet Sniffer, NetFlow V5 & V9, IPFIX, sFlow).
     Copy this file to "CustomFlowRules.osr" to prevent the installer from overriding your changes on the next update.
     Changes affect existing sensors! Check all changes in a testing environment before using productive.
     Channel and group IDs should stay the same so PRTG can match the channels with the configuration and historic data.
     "defaultvalue" setting for groups: 0=no 1=yes 2=detail
     As with custom rule settings the channels are processed top to bottom. Specific rules should be before more general
     rules like the "Various" rule. For the rule syntax check the PRTG manual. -->
<groups>
  <group id="2000" name="SQL">
    <caption>SQL Traffic</caption>
    <help>SQL Traffic</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="2000" name="SQL"><rule>Protocol[TCP] and (DestinationPort[1433])</rule></channel>
    </channels>
  </group>
  <group id="3001" name="WWW">
    <caption>Web</caption>
    <help>WWW Traffic</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1001" name="HTTP"><rule>Protocol[TCP] and (SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])</rule></channel>
      <channel id="1023" name="HTTPS"><rule>Protocol[TCP] and (SourcePort[443] or DestinationPort[443])</rule></channel>
    </channels>
  </group>
  <group id="3002" name="FTP/P2P">
    <caption>File Transfer</caption>
    <help>File Transfer</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1024" name="FTP (Control)"><rule>Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21])</rule></channel>
    </channels>
  </group>
  <group id="3003" name="Mail">
    <caption>Mail</caption>
    <help>Mail Traffic</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1006" name="IMAP"><rule>(Protocol[TCP] or Protocol[UDP]) and (DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993])</rule></channel>
      <channel id="1008" name="POP3"><rule>Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])</rule></channel>
      <channel id="1011" name="SMTP"><rule>Protocol[TCP] and (SourcePort[25] or DestinationPort[25])</rule></channel>
      <channel id="1012" name="CAS to Mailbox Sync"><rule>Protocol[TCP] and (DestinationPort[444] or DestinationPort[475])</rule></channel>
    </channels>
  </group>
  <group id="3004" name="Chat">
    <caption>Chat</caption>
    <help>Chat, Instant Messaging</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1007" name="IRC"><rule>Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])</rule></channel>
      <channel id="1025" name="AIM"><rule>Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190])</rule></channel>
    </channels>
  </group>
  <group id="3005" name="Remote Control">
    <caption>Remote Control</caption>
    <help>Remote Control</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1009" name="RDP"><rule>(Protocol[TCP] or Protocol[UDP]) and (SourcePort[3389] or DestinationPort[3389])</rule></channel>
      <channel id="1014" name="SSH"><rule>Protocol[TCP] and (SourcePort[22] or DestinationPort[22])</rule></channel>
      <channel id="1016" name="Telnet"><rule>Protocol[TCP] and (SourcePort[23] or DestinationPort[23])</rule></channel>
      <channel id="1017" name="VNC"><rule>Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900])</rule></channel>
    </channels>
  </group>
  <group id="3007" name="Infrastructure">
    <caption>Infrastructure</caption>
    <help>Network Services</help>
    <defaultvalue>2</defaultvalue>
    <channels>
      <channel id="1003" name="DHCP"><rule>Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]))</rule></channel>
      <channel id="1004" name="DNS"><rule>(Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])</rule></channel>
      <channel id="1005" name="Ident"><rule>Protocol[TCP] and (SourcePort[113] or DestinationPort[113])</rule></channel>
      <channel id="1018" name="ICMP"><rule>Protocol[ICMP]</rule></channel>
      <!-- The added channels below need IDs of their own: 1012, 1014 and 1016 were already taken by
           "CAS to Mailbox Sync", "SSH" and "Telnet" above, and PRTG matches channels by ID. -->
      <!-- SNMP runs over UDP, not TCP. -->
      <channel id="1027" name="SNMP"><rule>Protocol[UDP] and (SourcePort[161-162] or DestinationPort[161-162])</rule></channel>
      <channel id="1013" name="SMB Shares"><rule>Protocol[TCP] and (DestinationPort[445])</rule></channel>
      <channel id="1028" name="SYSLOG"><rule>Protocol[UDP] and (DestinationPort[514])</rule></channel>
      <!-- 636 is LDAP over TLS and runs over TCP; plain LDAP on 389 is not covered by this rule. -->
      <channel id="1015" name="LDAP"><rule>Protocol[TCP] and (DestinationPort[636])</rule></channel>
      <!-- This channel was outside <channels> in the posted file. Port 22 is already matched by the
           "Remote Control" SSH channel above, so with top-to-bottom processing this rule never fires. -->
      <channel id="1029" name="SSH"><rule>Protocol[TCP] and (DestinationPort[22])</rule></channel>
    </channels>
  </group>
  <group id="3008" name="NetBIOS">
    <caption>NetBIOS</caption>
    <help>NetBIOS</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1019" name="NETBIOS"><rule>(Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR SourcePort[137-139])</rule></channel>
    </channels>
  </group>
  <group id="3010" name="Citrix">
    <caption>Citrix</caption>
    <help>Citrix</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1026" name="Citrix"><rule>Protocol[TCP] and (Port[1494] or Port[2598] or Port[2512])</rule></channel>
    </channels>
  </group>
  <!-- Catch-all group; it must stay last because channels are processed top to bottom. -->
  <group id="3009" name="Various">
    <caption>Other Protocols</caption>
    <help>Various</help>
    <defaultvalue>1</defaultvalue>
    <channels>
      <channel id="1021" name="OtherUDP"><rule>Protocol[UDP]</rule></channel>
      <channel id="1022" name="OtherTCP"><rule>Protocol[TCP]</rule></channel>
    </channels>
  </group>
</groups>

Created on Jan 18, 2017 8:01:42 PM by  denstjames (0) 1




Dear denstjames

New channels only appear if you also create the flow sensor anew.

Created on Jan 19, 2017 2:17:59 PM by  Arne Seifert [Paessler Support]
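The accepted answer says the sensor UI cannot break the Various channel down, and the reply just above says channel rules are matched top to bottom and new channels only appear on a freshly created sensor. The following Python script is an added example, not PRTG code or anything from Paessler, that shows both points: it evaluates a constructed subset of the .osr rules against constructed sample flows in file order, and then aggregates whatever still falls into Various by protocol and port, which is the breakdown the UI does not offer. The rule grammar it accepts (Protocol, SourcePort, DestinationPort and Port terms, and/or in any case, parentheses, lo-hi port ranges) is inferred from the rules in the post and is an assumption; PRTG's real filter syntax has more fields. The StreamLog column layout is not shown on this page, so real records have to be mapped into Flow values by hand.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, namedtuple

# Constructed subset of a CustomFlowRules.osr (not the page's full file); "Various" stays last.
RULES_XML = """<groups>
  <group id="2000" name="SQL"><channels>
    <channel id="2000" name="SQL"><rule>Protocol[TCP] and (DestinationPort[1433])</rule></channel>
  </channels></group>
  <group id="3007" name="Infrastructure"><channels>
    <channel id="1004" name="DNS"><rule>(Protocol[TCP] OR Protocol[UDP]) AND (SourcePort[53] or DestinationPort[53])</rule></channel>
  </channels></group>
  <group id="3009" name="Various"><channels>
    <channel id="1021" name="OtherUDP"><rule>Protocol[UDP]</rule></channel>
    <channel id="1022" name="OtherTCP"><rule>Protocol[TCP]</rule></channel>
  </channels></group>
</groups>"""

# Assumed grammar: Field[value] terms, and/or in any case, parentheses, "lo-hi" port ranges.
_TOKEN = re.compile(r"\s*(?:([()])|(and|or)\b|(\w+)\[([^\]]*)\])", re.IGNORECASE)
Flow = namedtuple("Flow", "proto src_port dst_port nbytes")

def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"bad rule syntax near {rule[pos:pos + 20]!r}")
        pos, (paren, kw, field, spec) = m.end(), m.groups()
        tokens.append(("term", (field.lower(), spec.strip())) if field else (paren or kw.lower(), None))
    return tokens

def _term(field, spec, flow):
    if field == "protocol":
        return flow.proto.upper() == spec.upper()
    sides = {"sourceport": [flow.src_port], "destinationport": [flow.dst_port],
             "port": [flow.src_port, flow.dst_port]}  # Port[] matches either side
    if field not in sides:
        raise ValueError(f"unsupported field {field!r}")
    lo, _, hi = spec.partition("-")  # "20-21" is a range, "1433" a single port
    return any(int(lo) <= p <= int(hi or lo) for p in sides[field])

def matches(tokens, flow):
    """Recursive descent; 'and' binds tighter than 'or'; no short-circuit, so bad syntax always raises."""
    toks, pos = tokens + [("end", None)], 0
    def take(expect=None):
        nonlocal pos
        if expect and toks[pos][0] != expect:
            raise ValueError(f"expected {expect!r} at token {pos}")
        pos += 1
        return toks[pos - 1]
    def or_expr():
        v = and_expr()
        while toks[pos][0] == "or":
            take(); v = and_expr() or v
        return v
    def and_expr():
        v = atom()
        while toks[pos][0] == "and":
            take(); v = atom() and v
        return v
    def atom():
        kind, val = take()
        if kind == "term":
            return _term(*val, flow)
        if kind != "(":
            raise ValueError(f"unexpected token {kind!r}")
        v = or_expr(); take(")"); return v
    result = or_expr(); take("end")
    return result

def load_channels(xml_text):
    # Channels in file order as (group name, channel name, tokens); file order is match order.
    root = ET.fromstring(xml_text)
    return [(g.get("name"), c.get("name"), tokenize(c.findtext("rule")))
            for g in root.iter("group") for c in g.iter("channel")]
CHANNELS = load_channels(RULES_XML)

def classify(channels, flow):
    """First matching channel wins, which is why specific rules must precede Various."""
    for group, name, tokens in channels:
        if matches(tokens, flow):
            return group, name
    return None, None  # nothing matched (e.g. ICMP when no Protocol[ICMP] channel exists)

def various_breakdown(channels, flows, catch_all="Various"):
    """Bytes per (proto, lower port) for flows in the catch-all; lower port = likely server side."""
    totals = defaultdict(int)
    for f in flows:
        if classify(channels, f)[0] == catch_all:
            totals[(f.proto, min(f.src_port, f.dst_port))] += f.nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample flows standing in for records read from the stream log.
SAMPLE_FLOWS = [
    Flow("TCP", 51000, 1433, 800_000),    # SQL Server, caught by the SQL channel
    Flow("TCP", 52002, 5432, 1_500_000),  # PostgreSQL, no rule: lands in OtherTCP
    Flow("TCP", 5432, 52002, 4_000_000),  # reply direction of the same session
    Flow("UDP", 52003, 1434, 50_000),     # SQL Browser, no rule: lands in OtherUDP
]
```

To use it against a real setup, load your own CustomFlowRules.osr with `load_channels`, map the stream log records into `Flow` values, and call `various_breakdown`; the ports that dominate the result are the candidates for new channels, which, as the reply above says, only show up on a sensor created after the file change. Because `matches` evaluates both operands of every and/or, a malformed rule raises on the first flow instead of silently matching nothing.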




Is PRTG planning to make this data available in the user interface and make it possible to dig deeper? The fact that we cannot see the detailed traffic that is in a channel is making this sensor, well, not useless but really limited.

As the first poster mentioned, it is easy to see in SolarWinds and other products. Running a log file and searching through it makes no sense, as we cannot predict when the issue that will need further analysis will arise. As mentioned, leaving the log activated is not recommended.

Should we separate every flow into a different group in the .osr file and not use sub-channels to have a specific view of some traffic? This also implies that we thought in advance about what will need debugging.

Are there any viable options to be able to check some specific things and dig deeper after the fact in NetFlow data, instead of just having summarized info?

Created on Oct 8, 2020 9:38:29 PM by  Dominic Larocque (0) 1




Hello,

Flow storage comes with quite some performance impact. We develop PRTG as a traditional network monitor, focusing mostly on overall bandwidth and on the status of network hardware.

For specialized tasks, other products are available, like Scrutinizer, in order to inspect traffic based on flows.

Created on Oct 9, 2020 9:23:14 AM by  Arne Seifert [Paessler Support]

Last change on Oct 9, 2020 9:24:04 AM by  Arne Seifert [Paessler Support]


