IPFIX sensor only returns 'Other' protocol


Hello, I configured an IPFIX sensor for my firewall. I receive data from the sensor, but it only shows the 'Other' protocol. I then tried to configure channels:

  1. 1:DNS Protocol[UDP] and DestinationPort[53]
  1. 2:WWW Protocol[TCP] and (DestinationPort[80] or DestinationPort[443])

The result is the same. For information, the log data shows "netflow rejected" (code: PE082); I tried to change the active flow time, but nothing changed. I tested with NF9_test, and I see flows and templates.

English isn’t my first language, so please excuse any mistakes.

Pierre-Henri

custom-sensor ipfix prtg

Created on Mar 21, 2017 9:37:18 AM by  Pierre-Henri ROCHE (0) 1






6 Replies


Dear Pierre-Henri

Please pause all IPFIX sensors using that port. Then please use the Netflow 9 tester (which also decodes IPFIX). The tester shows step by step the decode process. Can you see now why you get "Other" traffic only?

Created on Mar 22, 2017 2:47:04 PM by  Arne Seifert [Paessler Support]




Hello, I have only 1 IPFIX sensor (lab environment). I paused my sensor, and I see the source 'active'. No results in 'unassigned flow'.

Templates:
261: 148(8) 346(4) 32778(2) 32779(65535)
260: 148(8) 346(4) 32769(4) 32771(4) 32772(1) 32773(65535)
259: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 27(16) 10(4) 11(2) 28(16) 14(4) 21(4) 22(4) 96(65535) 148(8) 371(65535)
257: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 8(4) 10(4) 11(2) 12(4) 14(4) 21(4) 22(4) 96(65535) 148(8) 371(65535)
258: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 8(4) 10(4) 11(2) 12(4) 14(4) 21(4) 22(4) 96(65535) 148(8) 225(4) 226(4) 227(2) 228(2) 371(65535)

Decoded flows:
ID:257 - 10.0.0.200:57524->10.0.0.231:161 E:2 EE:0 P:0 IF/OF:5/7 19:28:00 0
ID:258 - 10.0.0.200:64711->208.67.222.222:53 E:1 EE:0 P:0 IF/OF:5/4 15:24:39 76
ID:258 - 10.0.0.200:59867->193.242.174.1:80 E:5 EE:0 P:0 IF/OF:5/4 15:23:51 80
ID:258 - 10.0.0.18:51419->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 15:11:13 80
ID:258 - 10.0.0.18:51423->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 09:37:52 821
ID:258 - 10.0.0.18:51316->216.58.198.195:443 E:5 EE:0 P:0 IF/OF:5/4 22:41:03 126
ID:258 - 10.0.0.18:51420->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 14:53:46 80
ID:258 - 10.0.0.18:51424->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 09:20:27 852
ID:257 - 10.0.0.200:57525->10.0.0.231:161 E:2 EE:0 P:0 IF/OF:5/7 18:04:45 0
ID:258 - 10.0.0.18:51323->192.0.73.2:443 E:2 EE:0 P:0 IF/OF:5/4 21:50:39 40
ID:258 - 10.0.0.18:51430->54.192.203.241:80 E:1 EE:0 P:0 IF/OF:5/4 08:43:25 433
ID:258 - 10.0.0.18:51326->216.58.198.200:443 E:2 EE:0 P:0 IF/OF:5/4 21:48:13 0
ID:258 - 10.0.0.18:51408->91.209.107.44:443 E:5 EE:0 P:0 IF/OF:5/4 19:28:21 40
ID:258 - 10.0.0.20:123->40.118.106.130:123 E:2 EE:0 P:0 IF/OF:7/4 17:12:16 0
ID:258 - 10.0.0.18:51431->193.252.23.65:110 E:2 EE:0 P:0 IF/OF:5/4 07:01:28 416
ID:258 - 10.0.0.18:51421->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 12:24:40 80
ID:258 - 10.0.0.18:51432->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 06:51:21 821
ID:258 - 10.0.0.18:51422->77.75.59.41:80 E:5 EE:0 P:0 IF/OF:5/4 12:07:18 80
ID:258 - 10.0.0.18:51433->77.75.59.41:80 E:1 EE:0 P:0 IF/OF:5/4 06:33:55 852
ID:257 - 10.0.0.18:51110->10.0.0.254:4430 E:5 EE:0 P:0 IF/OF:5/5 14:16:47 829

Is there something wrong with the last part of the decoded flows (time)?

Created on Mar 22, 2017 3:10:11 PM by  Pierre-Henri ROCHE (0) 1



Accepted Answer


Dear Pierre-Henri

An example IPFIX packet from your log is:

ID:257 - 10.0.0.200:57524->10.0.0.231:161 E:2 EE:0 P:0 IF/OF:5/7 19:28:00 0

The part P:0 indicates that the traffic is neither UDP (P:6) nor TCP (P:17). Because of this, all this traffic appears in the "Other" channel.

Created on Mar 22, 2017 4:22:40 PM by  Arne Seifert [Paessler Support]

Last change on Mar 22, 2017 5:05:29 PM by  Arne Seifert [Paessler Support]
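
The check done by eye in this thread, as an added example (not part of the original posts and not PRTG code): it parses tester output in the format pasted above, applies the two channel rules from the question to each decoded flow, and lists templates that declare IANA information element 4 (protocolIdentifier) while their flows decode with P:0. It uses the IANA protocol numbers 6 (TCP) and 17 (UDP); the sample lines are copied from the tester output above, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the tester output pasted in the thread.
TEMPLATES = ("Templates 261: 148(8) 346(4) 32778(2) 32779(65535) "
             "257: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 8(4) 10(4) 11(2) 12(4) "
             "14(4) 21(4) 22(4) 96(65535) 148(8) 371(65535) "
             "258: 1(8) 2(8) 4(1) 5(1) 61(1) 233(1) 6(2) 7(2) 8(4) 10(4) 11(2) 12(4) "
             "14(4) 21(4) 22(4) 96(65535) 148(8) 225(4) 226(4) 227(2) 228(2) 371(65535)")
FLOWS = """\
ID:257 - 10.0.0.200:57524->10.0.0.231:161 E:2 EE:0 P:0 IF/OF:5/7 19:28:00 0
ID:258 - 10.0.0.200:64711->208.67.222.222:53 E:1 EE:0 P:0 IF/OF:5/4 15:24:39 76
ID:258 - 10.0.0.18:51316->216.58.198.195:443 E:5 EE:0 P:0 IF/OF:5/4 22:41:03 126
"""

TCP, UDP = 6, 17           # IANA assigned Internet protocol numbers
PROTOCOL_IDENTIFIER = 4    # IANA IPFIX information element 4
FLOW_RE = re.compile(r"ID:(\d+) - \S+:\d+->\S+:(\d+) .*?\bP:(\d+)\b")

def parse_templates(text):
    """Return {template_id: {element_id: length}} from the template dump."""
    out, current = {}, None
    for tok in text.split():
        if tok.endswith(":") and tok[:-1].isdigit():
            current = out.setdefault(int(tok[:-1]), {})
        elif current is not None and (m := re.fullmatch(r"(\d+)\((\d+)\)", tok)):
            current[int(m.group(1))] = int(m.group(2))
    return out

def parse_flows(text):
    """Return (template_id, destination_port, protocol) per decoded flow line."""
    return [tuple(map(int, m.groups())) for m in FLOW_RE.finditer(text)]

def channel(proto, dst_port):
    """Hypothetical re-implementation of the DNS and WWW rules from the question."""
    if proto == UDP and dst_port == 53:
        return "DNS"
    if proto == TCP and dst_port in (80, 443):
        return "WWW"
    return "Other"

def diagnose(templates_text, flows_text):
    """Count flows per channel; list templates that carry element 4 yet decode P:0."""
    templates, counts, suspicious = parse_templates(templates_text), Counter(), set()
    for tid, port, proto in parse_flows(flows_text):
        counts[channel(proto, port)] += 1
        if proto == 0 and PROTOCOL_IDENTIFIER in templates.get(tid, {}):
            suspicious.add(tid)
    return dict(counts), sorted(suspicious)

if __name__ == "__main__":
    print(diagnose(TEMPLATES, FLOWS))
```

A template that declares element 4 while every one of its flows decodes with P:0 is the detail to take to the exporter's vendor.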




Thanks for your time and very quick answers. I will investigate more with the firewall vendor. Is there more I can do with PRTG?

Created on Mar 22, 2017 4:38:11 PM by  Pierre-Henri ROCHE (0) 1




Dear Pierre-Henri

Regarding flow or packet header analysis, PRTG can only apply pre-defined filters, so you cannot break down measured traffic retroactively.

If your question is about the scope of PRTG in general, you can do a lot more than bandwidth monitoring. You can check the availability of devices, the free space on hard drives, the loading time of HTTP resources and more.

Created on Mar 22, 2017 5:07:46 PM by  Arne Seifert [Paessler Support]




My question was about the pre-defined filters; I am in a test environment.

I am continuing my testing of PRTG and have already configured HTTP sensors, SNMP and device availability.

Thanks again for your very quick and clear answers.

Created on Mar 22, 2017 5:18:53 PM by  Pierre-Henri ROCHE (0) 1


