What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

What filter rules can be used for custom Packet Sniffing, Flow, or IPFIX sensors?

Votes:

0

What is the filter rule syntax? What flow (NetFlow/sFlow/jFlow) and IPFIX filter parameters are supported by PRTG?

custom-sensor filter flow include ipfix jflow netflow packet-sniffing prtg sflow

Created on Feb 3, 2010 2:34:58 PM by Jens Rupp [Paessler Support]

Last change on Dec 2, 2021 8:02:22 AM by Maike Guba [Paessler Support] (2,404) 2 1



15 Replies

Accepted Answer

Votes:

0

This article applies as of PRTG 22

Important notice: This article is no longer kept up to date. See the PRTG Manual: Filter Rules for Flow, IPFIX and Packet Sniffer Sensors for up-to-date information.

Filter rules for custom Packet Sniffer, flow, or IPFIX sensors

Filter rules are used for the include filter, exclude filter, and channel definition fields of custom packet sniffer, NetFlow, sFlow, jFlow, and IPFIX sensors.

Filter rules are based on the following format:

field[filter]


Valid fields:

  • IP
  • Port
  • SourceIP
  • SourcePort
  • DestinationIP
  • DestinationPort
  • Protocol (values: TCP, UDP, ICMP, OSPFIGP, or any number)
  • ToS
  • DSCP


Additional Packet Sniffer fields:

  • MAC
  • SourceMAC
  • DestinationMAC
  • EtherType (values IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, or any number)
  • VlanPCP
  • VlanID
  • TrafficClass
  • FlowLabel


Additional NetFlow v5/jFlow fields:

  • Interface
  • ASI
  • InboundInterface
  • OutboundInterface#
  • SenderIP
  • SourceASI
  • DestinationASI


Additional NetFlow v9 and IPFIX fields:

  • Interface
  • ASI
  • InboundInterface
  • OutboundInterface
  • SenderIP
  • SourceASI
  • DestinationASI
  • MAC
  • SourceMAC
  • DestinationMAC
  • Mask
  • DestinationMask
    • Masks represent subnet masks in the form of a single number (number of contiguous bits)
  • NextHop (IP address)
  • VLAN
  • SourceVLAN
  • DestinationVLAN
    • VLANs represent a VLAN identifier


Additional sFlow fields:

  • Interface
  • InboundInterface
  • OutboundInterface
  • SenderIP
  • MAC
  • SourceMAC
  • DestinationMAC


Data formats:

  • IP fields support wildcards (*), range (10-20) and hostmask ( /10, /255.255.0.0) syntax (all IPv4 only), as well as DNS names.
  • Number fields support range (80-88) syntax.
  • Protocol and EtherType fields support numbers and a list of predefined constants.


Samples:

SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]

Complex expressions can be created with parentheses and and, or, or and not:

Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])

More

Created on Feb 3, 2010 2:35:17 PM by Jens Rupp [Paessler Support]

Last change on Jan 5, 2023 1:54:18 PM by Brandy Greger [Paessler Support]



Votes:

0

This may be a dumb question but I want to make sure. Would

IP[192.168.0.0/20] OR IP[192.168.50.0/20]

catch packets to/from machines on the 192.168.0.0/20 and 192.168.50.0/20 ranges the same way

SourceIP[192.168.0.0/20] OR DestinationIP[192.168.0.0/20] OR SourceIP[192.168.50.0/20] OR DestinationIP[192.168.50.0/20]

does?

I'm thinking yes, but that is not actually covered in the manual as far as I can tell and I'm trying to simplify some of my packet filtering rules.

Thanks!

Created on Jan 31, 2019 6:12:50 PM

Last change on Jan 31, 2019 7:07:26 PM by Dariusz Gorka [Paessler Support]



Votes:

1

Dear SwissJay,

yes. SourceIP[x] or DestinationIP[x] is the same as IP[x].

Created on Feb 1, 2019 12:27:41 PM by Arne Seifert [Paessler Support]



Votes:

0

In ASDM i have enabled netflow on a Cisco ASA with 6 interfaces. There is nothing to specify - just the ip address, udp port nr and a flow timeout.

How do i find out what interface[x] number i have to use in the filter settings to see netflow for 1 particular interface?

Created on Feb 28, 2019 4:38:05 PM



Votes:

0

Joopv,

You would need to check the interface database on the ASA itself to get the interface ID number. This is what you can use to filter for particular interfaces with the sensor.

Let me know if you have any other questions.

Benjamin Day
Paessler Support

Created on Mar 5, 2019 2:19:00 AM by Benjamin Day [Paessler Support] (1,441) 2 1



Votes:

0

Thanks,

This is a multi-context ASA. I use the interface number as shown in the show interface detail output from the customer context:

FWA001/admin/pri/act# changeto context CUST
FWA001/CUST/pri/act# sh int


FWA001/CUST/pri/act# sh int detail
Interface outside "OUTSIDE", is up, line protocol is up
        MAC address cafe.0000.0003, MTU 1500
        IP address xx.xxx.xxx.xxx, subnet mask 255.255.255.128
  Traffic Statistics for "OUTSIDE":
        36594096995 packets input, 10412221732643 bytes
        56833897249 packets output, 20034886444477 bytes
        52327144 packets dropped
  Control Point Interface States:
        Interface number is 1
        Interface config status is active
        Interface state is active

So, i use : Interface[1] in the Include filter settings. But that does not give any output at all....

Created on Mar 25, 2019 11:25:54 AM

Last change on Mar 25, 2019 8:34:52 PM by Benjamin Day [Paessler Support] (1,441) 2 1



Votes:

0

Joopv,

Try using InboundInterface and OutboundInterface instead of just interface.

Benjamin Day
Paessler Support

Created on Mar 25, 2019 8:36:45 PM by Benjamin Day [Paessler Support] (1,441) 2 1



Votes:

0

InboundInterface[1] and OutboundInterface[1] in Include filter also does nog give any output.

Maybe i should first check the ASA netflow config completely on the CLI, instead of trusting the GUI of ASDM..

Created on Apr 3, 2019 11:07:34 AM



Votes:

0

Joopv,

Yes, and you need to confirm the interface IDs.

Can you try running the following command via the CLI on the ASA?

show snmp mib ifmib ifindex

The output should look similar to this.

YourRouter#show snmp mib ifmib ifindex
FastEthernet0/1/7: Ifindex = 10
FastEthernet0/1/5: Ifindex = 8
GigabitEthernet0/1: Ifindex = 2
Vlan2: Ifindex = 18
FastEthernet0/1/3: Ifindex = 6
FastEthernet0/1/1: Ifindex = 4
Vlan504: Ifindex = 20
GigabitEthernet0/1.1: Ifindex = 17
VoIP-Null0: Ifindex = 12
Loopback0: Ifindex = 15
Null0: Ifindex = 13
FastEthernet0/1/6: Ifindex = 9
GigabitEthernet0/0: Ifindex = 1
FastEthernet0/1/4: Ifindex = 7
Vlan1: Ifindex = 14

The Ifindex is what you want to put in the bracket.

Benjamin Day
Paessler Support

Created on Apr 3, 2019 10:57:08 PM by Benjamin Day [Paessler Support] (1,441) 2 1



Votes:

0

as far as i can see, this does not work on an ASA.

The best i can do is show snmp-server oidlist which gives:

ASA/CONTEXT/pri/act# show snmp-server oidlist

-------------------------------------------------
[0]     1.3.6.1.2.1.1.1.        sysDescr
.....
[11]    1.3.6.1.2.1.2.1.        ifNumber
[12]    1.3.6.1.2.1.2.2.1.1.    ifIndex
.....

So now i have to see that i can run a getif or snmpwalk tool to read the oid.

Created on May 2, 2019 7:34:38 PM

Last change on May 3, 2019 10:02:36 PM by Benjamin Day [Paessler Support] (1,441) 2 1



Votes:

0

Joopv,

Yes, that is what you would need to do in order to get the ifIndex number for each interface.

Benjamin Day
Paessler Support.

Created on May 3, 2019 10:03:48 PM by Benjamin Day [Paessler Support] (1,441) 2 1



Votes:

0

Hello,

is it possible to filter by Destination MAC Range?

I want do create a sFlow Sensor for Multicasting Traffic only. I'm aware of that MAC is layer2 and xFlow is layer3-based. Thanks a lot!

Kind Regards

Robert

Created on May 8, 2020 1:05:26 PM



Votes:

0

Hi Robert,

Since a MAC address is a hex format number, it's not possible to enter a range like 1-F. Instead you can use * as placeholders.

Kind regards

Felix Wiesneth - Team Tech Support

Created on May 8, 2020 7:24:16 PM by Felix Wiesneth [Paessler Support]

Last change on May 13, 2020 11:04:13 AM by Felix Wiesneth [Paessler Support]



Votes:

0

Hi Felix,

Thanks for your response. I tried, but failed...

I used the following Include-Filter: (MAC[01-00-5E-0*--] OR MAC[01-00-5E-1*--] OR MAC[01-00-5E-2*--] OR MAC[01-00-5E-3*--] OR MAC[01-00-5E-4*--] OR MAC[01-00-5E-5*--] OR MAC[01-00-5E-6*--] OR MAC[01-00-5E-7*--])

But sflow Sensor does not show any data.

A second sensor with IP based Include-Filter, does show Traffic with multicast MAC Adresses (SourceIP[224.0.0.0/4] OR DestinationIP [224.0.0.0/4])

Show DestinationMAC: 01-00-5E-7F-FF-FA

Am I doing wrong, or should it work? I guess using MAC includes Source- AND Destination-MAC?

Created on May 12, 2020 2:08:22 PM



Votes:

0

Hi Robert,

Unfortunately, I was wrong. The MAC filter doesn't support placeholders, so you'd need to enter the whole thing or filter on a different property.

Kind regards

Felix Wiesneth - Team Tech Support

Created on May 13, 2020 11:04:55 AM by Felix Wiesneth [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.