
IPFIX sensor only returns 'other' protocol

Votes:

0

Hello, I configured an IPFIX sensor for my firewall. I receive data from the sensor, but it only shows the 'other' protocol. Then I tried to configure channels:

  1. 1:DNS Protocol[UDP] and DestinationPort[53]
  2. 2:WWW Protocol[TCP] and (DestinationPort[80] or DestinationPort[443])

It is the same. For your information, I have "netflow rejected (code: PE082)" in the log data; I tried to change the active flow time, but nothing changed. I tested with NF9_test, and I see flows and templates.

English isn’t my first language, so please excuse any mistakes.

Pierre-Henri

custom-sensor ipfix prtg

Created on Mar 21, 2017 9:37:18 AM



6 Replies

Votes:

0

Dear Pierre-Henri

Please pause all IPFIX sensors using that port. Then please use the Netflow 9 tester (which also decodes IPFIX). The tester shows the decode process step by step. Can you now see why you get "Other" traffic only?

Created on Mar 22, 2017 2:47:04 PM by  Arne Seifert [Paessler Support]



Votes:

0

Hello, I have only one IPFIX sensor (lab environment). I paused my sensor; I see the source as 'active'. No results in 'unassigned flow'.

Templates
261: 148(8) 346(4) 32778(2) 32779(65535)
260: 148(8) 346(4) 32769(4) 32771(4) 32772(1) 32773(65535)
259: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 27(16) 10(4) 11(2) 28(16) 14(4) 21(4) 22(4) 96(65535) 148(8) 371(65535)
257: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 8(4) 10(4) 11(2) 12(4) 14(4) 21(4) 22(4) 96(65535) 148(8) 371(65535)
258: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 8(4) 10(4) 11(2) 12(4) 14(4) 21(4) 22(4) 96(65535) 148(8) 225(4) 226(4) 227(2) 228(2) 371(65535)

Decoded flows:
ID:257 - 10.0.0.200:57524->10.0.0.231:161 E:2 EE:0 P:0 IF/OF:5/7 19:28:00 0
ID:258 - 10.0.0.200:64711->208.67.222.222:53 E:1 EE:0 P:0 IF/OF:5/4 15:24:39 76
ID:258 - 10.0.0.200:59867->193.242.174.1:80 E:5 EE:0 P:0 IF/OF:5/4 15:23:51 80
ID:258 - 10.0.0.18:51419->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 15:11:13 80
ID:258 - 10.0.0.18:51423->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 09:37:52 821
ID:258 - 10.0.0.18:51316->216.58.198.195:443 E:5 EE:0 P:0 IF/OF:5/4 22:41:03 126
ID:258 - 10.0.0.18:51420->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 14:53:46 80
ID:258 - 10.0.0.18:51424->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 09:20:27 852
ID:257 - 10.0.0.200:57525->10.0.0.231:161 E:2 EE:0 P:0 IF/OF:5/7 18:04:45 0
ID:258 - 10.0.0.18:51323->192.0.73.2:443 E:2 EE:0 P:0 IF/OF:5/4 21:50:39 40
ID:258 - 10.0.0.18:51430->54.192.203.241:80 E:1 EE:0 P:0 IF/OF:5/4 08:43:25 433
ID:258 - 10.0.0.18:51326->216.58.198.200:443 E:2 EE:0 P:0 IF/OF:5/4 21:48:13 0
ID:258 - 10.0.0.18:51408->91.209.107.44:443 E:5 EE:0 P:0 IF/OF:5/4 19:28:21 40
ID:258 - 10.0.0.20:123->40.118.106.130:123 E:2 EE:0 P:0 IF/OF:7/4 17:12:16 0
ID:258 - 10.0.0.18:51431->193.252.23.65:110 E:2 EE:0 P:0 IF/OF:5/4 07:01:28 416
ID:258 - 10.0.0.18:51421->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 12:24:40 80
ID:258 - 10.0.0.18:51432->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 06:51:21 821
ID:258 - 10.0.0.18:51422->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 12:07:18 80
ID:258 - 10.0.0.18:51433->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 06:33:55 852
ID:257 - 10.0.0.18:51110->10.0.0.254:4430 E:5 EE:0 P:0 IF/OF:5/5 14:16:47 829

Is there something wrong with the last part of the decoded flows (time)?

Created on Mar 22, 2017 3:10:11 PM



Accepted Answer

Votes:

0

Dear Pierre-Henri

An example IPFIX packet from your log is:

ID:257 - 10.0.0.200:57524->10.0.0.231:161 E:2 EE:0 P:0 IF/OF:5/7 19:28:00 0

The part P:0 indicates that the traffic is neither UDP (P:6) nor TCP (P:17). Because of this, all this traffic appears in the "Other" channel.

Created on Mar 22, 2017 4:22:40 PM by  Arne Seifert [Paessler Support]

Last change on Mar 22, 2017 5:05:29 PM by  Arne Seifert [Paessler Support]
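As an added example (not part of this thread and not PRTG's own code), the Python below re-implements the two channel filters from the question over three flows and two templates copied from the tester output above, and checks whether a flow's template even carries protocolIdentifier (IPFIX information element 4, which holds the IANA protocol numbers 6 for TCP and 17 for UDP). The function names and the reason strings returned by `diagnose` are my own.

```python
import re

# IANA protocol numbers; IPFIX carries them in information element 4 (protocolIdentifier).
TCP, UDP, PROTOCOL_IE = 6, 17, 4

# Sample input: two templates and three flows copied from the NF9 tester output in the thread.
TEMPLATES_LINE = ("Templates 261: 148(8) 346(4) 32778(2) 32779(65535) "
                  "258: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 8(4) 10(4) 11(2) 12(4) "
                  "14(4) 21(4) 22(4) 96(65535) 148(8) 225(4) 226(4) 227(2) 228(2) 371(65535)")
FLOW_LINES = """\
ID:258 - 10.0.0.200:64711->208.67.222.222:53 E:1 EE:0 P:0 IF/OF:5/4 15:24:39 76
ID:258 - 10.0.0.200:59867->193.242.174.1:80 E:5 EE:0 P:0 IF/OF:5/4 15:23:51 80
ID:258 - 10.0.0.18:51316->216.58.198.195:443 E:5 EE:0 P:0 IF/OF:5/4 22:41:03 126
"""
FLOW_RE = re.compile(r"ID:(\d+) - ([\d.]+):(\d+)->([\d.]+):(\d+) E:\d+ EE:\d+ P:(\d+) ")

def parse_templates(line):
    # 'Templates 261: 148(8) ... 258: 1(8) ...' -> {template_id: {ie_id: length}}
    templates, current = {}, None
    for tok in line.split()[1:]:
        if tok.endswith(":"):
            current = templates.setdefault(int(tok[:-1]), {})
        else:
            ie, length = tok.rstrip(")").split("(")
            current[int(ie)] = int(length)
    return templates

def parse_flows(text):
    # Keep the template id, destination and P: (protocol) value of each decoded flow line.
    return [{"template": int(tid), "dst": dst, "dport": int(dport), "proto": int(proto)}
            for tid, _src, _sport, dst, dport, proto in FLOW_RE.findall(text)]

def channel(flow):
    # The two channel filters defined in the question, then PRTG's catch-all 'Other'.
    if flow["proto"] == UDP and flow["dport"] == 53:
        return "DNS"
    if flow["proto"] == TCP and flow["dport"] in (80, 443):
        return "WWW"
    return "Other"

def diagnose(flows, templates):
    # Why flows land in 'Other': the template omits IE 4, or (as in this thread) it
    # carries the field but the exporter fills it with 0.
    reasons = set()
    for f in flows:
        if PROTOCOL_IE not in templates.get(f["template"], {}):
            reasons.add("template lacks protocolIdentifier (IE 4)")
        elif f["proto"] == 0:
            reasons.add("exporter sets protocolIdentifier to 0")
    return sorted(reasons)
```

With every P: value at 0, all three sample flows land in "Other" even though template 258 does carry IE 4 with a length of 1, so the channel definitions are not what needs changing.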



Votes:

0

Thanks for your time and very quick answers. I will investigate more with the firewall vendor. Is there more I can do with PRTG?

Created on Mar 22, 2017 4:38:11 PM



Votes:

0

Dear Pierre-Henri

Regarding flow or packet header analysis, PRTG can only apply pre-defined filters, so you cannot break down measured traffic retroactively.

If your question is about the scope of PRTG in general, you can do a lot more than bandwidth monitoring. You can check the availability of devices, the free space on hard drives, the loading time of HTTP resources and more.

Created on Mar 22, 2017 5:07:46 PM by  Arne Seifert [Paessler Support]



Votes:

0

My question was about the pre-defined filters; I am in a test environment.

I am continuing my testing of PRTG; I have already configured HTTP sensors, SNMP and device availability.

Thanks again for your very quick and clear answers.

Created on Mar 22, 2017 5:18:53 PM



