<%NUMBERING1%>.<%NUMBERING2%>.<%NUMBERING3%> PRTG Manual: Filter Rules for xFlow, IPFIX, and Packet Sniffer Sensors

You can use filter rules for the Include Filter, Exclude Filter, and Channel Definition fields of Packet Sniffer, xFlow, and IPFIX sensors. The filter rules are based on the following format:

field[filter]

In this section:

Valid Fields for All Sensors

Field

Possible Filter Values

IP

IP address or Domain Name System (DNS) name (see Valid Data Formats)

Port

Any number

SourceIP

IP address or DNS name (see Valid Data Formats)

SourcePort

Any number

DestinationIP

IP address or DNS name (see Valid Data Formats)

DestinationPort

Any number

Protocol

Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Open Shortest Path First (OSPF), any number

ToS

Type of Service (ToS): any number

DSCP

Differentiated Services Code Point (DSCP): any number

Additional Fields for Packet Sniffer Sensors Only

Field

Possible Filter Values

MAC

Physical address (see Examples)

SourceMAC

Physical address

DestinationMAC

Physical address

EtherType

IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, any number

VlanPCP

IEEE 802.1Q VLAN Priority Code Point

VlanID

IEEE 802.1Q VLAN Identifier

TrafficClass

IPv6 Traffic Class: corresponds to TOS used with IPv4

FlowLabel

IPv6 Flow Label

Additional Fields for NetFlow v5 and jFlow v5 Sensors Only

Field

Possible Filter Values

Interface

Any number

ASI

Any number

InboundInterface

Any number

OutboundInterface

Any number

SenderIP

IP of the sending device. Use this if you have several devices that send flow data on the same port, and you want to divide the traffic of each device into a different channel.

Possible values: IP address or DNS name (see Valid Data Formats)

SourceASI

Any number

DestinationASI

Any number

Additional Fields for NetFlow v9 and IPFIX Sensors Only

Field

Possible Filter Values

Interface

Any number

ASI

Any number

InboundInterface

Any number

OutboundInterface

Any number

SenderIP

IP of the sending device. Use this if you have several devices that send flow data on the same port, and you want to divide the traffic of each device into a different channel.

Possible values: IP address or DNS name (see Valid Data Formats)

SourceASI

Any number

DestinationASI

Any number

MAC

Physical address

SourceMAC

Physical address

DestinationMAC

Physical address

Mask

Mask values represent subnet masks in the form of a single number (number of contiguous bits).

DestinationMask

Mask values represent subnet masks in the form of a single number (number of contiguous bits).

NextHop

IP address or DNS name (see Valid Data Formats)

VLAN

VLAN values represent a VLAN identifier (any number)

SourceVLAN

VLAN values represent a VLAN identifier (any number)

DestinationVLAN

VLAN values represent a VLAN identifier (any number)

Additional Fields for sFlow Sensors Only

Field

Possible Filter Values

Interface

Any number

InboundInterface

Any number

OutboundInterface

Any number

SenderIP

IP of the sending device. Use this if you have several devices that send flow data on the same port, and you want to divide the traffic of each device into a different channel.

Possible values: IP address or DNS name (see Valid Data Formats)

MAC

Physical address

SourceMAC

Physical address

DestinationMAC

Physical address

Valid Data Formats

  • IP fields support wildcards (*), range (10-20) and hostmask ( /10, /255.255.0.0) syntax, as well as DNS names.
    icon-i-round-redIPv6 wildcards, IPv6 ranges, and IPv6 hostmasks are not supported.
  • Number fields support range (80-88) syntax.
  • Protocol and EtherType fields support numbers and a list of predefined constants.

icon-square-cyanFor detailed information on IP ranges, see section Define IP Ranges.

Examples

All of the following filter rules are valid examples:

SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]
MAC[00-60-50-X0-00-01]
DSCP[46]

You can create more complex expressions using parentheses ( ) and the words and, or, or and not. For example, these are valid filter rules:

Protocol[TCP] and DestinationIP[10.0.0.1]

This rule filters for all TCP traffic with the destination IP 10.0.0.1.

Protocol[TCP] or DestinationIP[10.0.0.1]

This rule filters for all TCP traffic and all traffic with the destination IP 10.0.0.1.

Protocol[TCP] and (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])

This rule filters for all TCP traffic with either the destination IP 10.0.0.1 or the source IP range 10.0.0.120-130.

Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])

This rule filters for all TCP traffic that does not have the destination IP 10.0.0.1 and the source IP range 10.0.0.120-130.

More

icon-square-bluePRTG MANUAL

 

icon-square-blueKNOWLEDGE BASE

How can I change the default groups and channels for xFlow and Packet Sniffer sensors?

Advanced Topics