PRTG Manual: Filter Rules for xFlow and Packet Sniffer Sensors

Filter rules are used for the include, exclude and channel definition fields of Custom Packet Sniffer and Custom xFlow sensors. They are based on the following format:

field[filter]

 

Valid Fields for All Sensors

  • IP
    Possible values: IP address or DNS name (see Valid Data Formats below)
  • Port
  • SourceIP
    Possible values: IP address or DNS name (see Valid Data Formats below)
  • SourcePort
  • DestinationIP
    Possible values: IP address or DNS name (see Valid Data Formats below)
  • DestinationPort
  • Protocol
    Possible Protocol values: TCP, UDP, ICMP, OSPFIGP, or any number
  • ToS
     

Additional Fields for Packet Sniffer Sensors Only

  • MAC
  • SourceMAC
  • DestinationMAC
  • EtherType
    Possible EtherType values: IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, or any number
  • VlanPCP
    IEEE 802.1Q VLAN Priority Code Point
  • VlanID
    IEEE 802.1Q VLAN Identifier
  • TrafficClass
    IPv6 Traffic Class (corresponds to TOS used with IPv4)
  • FlowLabel
    IPv6 Flow Label
     

Additional Fields for NetFlow v5 and jFlow v5 Sensors Only

  • Interface
  • ASI
  • InboundInterface
  • OutboundInterface
  • SenderIP
    IP of the sending device. This is helpful if several devices send flow data on the same port, and you want to divide the traffic of each device into a different sensor channel. Possible values: IP address or DNS name (see Valid Data Formats below)
  • SourceASI
  • DestinationASI
     

Additional Fields for xFlow v9 Sensors Only

  • Interface
  • ASI
  • InboundInterface
  • OutboundInterface
  • SenderIP
    IP of the sending device. This is helpful if several devices send flow data on the same port, and you want to divide the traffic of each device into a different sensor channel. Possible values: IP address or DNS name (see Valid Data Formats below)
  • SourceASI
  • DestinationASI
  • MAC
  • SourceMAC
  • DestinationMAC
  • Mask
  • DestinationMask
    Note: "Mask" values represent subnet masks in the form of a single number (number of contiguous bits).
  • NextHop (IP address)
    Possible values: IP address or DNS name (see Valid Data Formats below)
  • VLAN
  • SourceVLAN
  • DestinationVLAN
    Note: "VLAN" values represent a VLAN identifier.
     

Additional Fields for sFlow Sensors Only

  • Interface
  • InboundInterface
  • OutboundInterface
  • SenderIP
    IP of the sending device. This is helpful if several devices send flow data on the same port, and you want to divide the traffic of each device into a different sensor channel. Possible values: IP address or DNS name (see Valid Data Formats below)
  • MAC
  • SourceMAC
  • DestinationMAC
     

Valid Data Formats

  • IP fields support wildcards (*), range (10-20) and hostmask (/10, /255.255.0.0) syntax, as well as DNS names.
  • Number fields support range (80-88) syntax.
  • Protocol and EtherType fields support numbers and a list of predefined constants.
     

For detailed information on IP ranges, see the Define IP Ranges section.

Examples

All of the following filter rules are valid examples:

SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]

 

Complex expressions can be created using parentheses ( ) and the operators and, or, and not. For example, this is a valid filter rule:

Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])
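
To check what a rule will include or exclude before it is put on a sensor, the following added example (not code from PRTG or Paessler) evaluates a filter rule against a single flow record. It assumes IPv4 only, no DNS names, only the Source/Destination IP and port fields plus Protocol, and the operator precedence not, then and, then or, which this page does not specify; the names evaluate, atom and ip_match are hypothetical.

```python
import ipaddress, re
# Assumed in this sketch: IPv4 only, no DNS names, precedence not > and > or.
PROTOCOLS = {"ICMP": 1, "TCP": 6, "UDP": 17, "OSPFIGP": 89}  # IANA numbers
TOKEN = re.compile(r"\s*(\(|\)|and\b|or\b|not\b|(\w+)\[([^\]]*)\])", re.I)

def ip_match(pattern, value):
    if "/" in pattern:  # hostmask syntax: /10 or /255.255.0.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(value) in net
    for pat, octet in zip(pattern.split("."), value.split(".")):
        lo, _, hi = pat.partition("-")  # "120-130" is a range, "5" is 5..5
        if pat != "*" and not int(lo) <= int(octet) <= int(hi or lo):
            return False
    return True

def atom(field, pattern, flow):
    if field == "Protocol":  # predefined constant or plain number
        return int(PROTOCOLS.get(pattern.upper(), pattern)) == flow[field]
    if field.endswith("IP"):
        return ip_match(pattern, flow[field])
    lo, _, hi = pattern.partition("-")  # number fields: 80 or 80-88
    return int(lo) <= flow[field] <= int(hi or lo)

def evaluate(rule, flow):
    tokens = TOKEN.findall(rule)  # (whole token, field, filter) tuples
    if "".join(t[0] for t in tokens) != "".join(rule.split()):
        raise ValueError("unrecognised text in filter rule")
    pos = 0
    def peek():
        return tokens[pos][0].lower() if pos < len(tokens) else None
    def primary():
        nonlocal pos
        full, field, pattern = tokens[pos]
        pos += 1
        if full.lower() == "not":
            return not primary()
        if full == "(":
            result = expr("or")
            pos += 1  # consume ")"
            return result
        return atom(field, pattern, flow)
    def expr(op):  # "or" chains and-terms; "and" chains primaries
        nonlocal pos
        operand = (lambda: expr("and")) if op == "or" else primary
        values = [operand()]
        while peek() == op:
            pos += 1
            values.append(operand())  # parse every operand, then combine
        return any(values) if op == "or" else all(values)
    return expr("or")
```

A flow record here is a dict keyed by the field names from this page, for example {"SourceIP": "192.168.1.5", "DestinationIP": "10.0.0.2", "DestinationPort": 80, "Protocol": 6}.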

 
