PRTG Manual: Filter Rules for xFlow, IPFIX and Packet Sniffer Sensors

Filter rules are used for the include, exclude, and channel definition fields of Packet Sniffer, xFlow, and IPFIX sensors. They are based on the following format:

field[filter]

 

 

Valid Fields for All Sensors

  • IP
    Possible values: IP address or DNS name (see Valid Data Formats below)
  • Port
    any number
  • SourceIP
    Possible values: IP address or DNS name (see Valid Data Formats below)
  • SourcePort
    any number
  • DestinationIP
    Possible values: IP address or DNS name (see Valid Data Formats below)
  • DestinationPort
    any number
  • Protocol
    Possible Protocol values: TCP, UDP, ICMP, OSPFIGP, or any number)
  • TOS
    Type Of Service (any number)
  • DSCP
    Differentiated Services Code Point (any number)
     

Additional Fields for Packet Sniffer Sensors Only

  • MAC
    physical address (see Examples below)
  • SourceMAC
    physical address
  • DestinationMAC
    physical address
  • EtherType
    Possible EtherType values: IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, or any number
  • VlanPCP
    IEEE 802.1Q VLAN Priority Code Point
  • VlanID
    IEEE 802.1Q VLAN Identifier
  • TrafficClass
    IPv6 Traffic Class (corresponds to TOS used with IPv4)
  • FlowLabel
    IPv6 Flow Label
     

Additional Fields for NetFlow v5 and jFlow v5 Sensors Only

  • Interface
    any number
  • ASI
    any number
  • InboundInterface
    any number
  • OutboundInterface
    any number
  • SenderIP
    IP of the sending device. This is helpful if several devices send flow data on the same port, and you want to divide the traffic of each device into a different sensor channel. Possible values: IP address or DNS name (see Valid Data Formats below)
  • SourceASI
    any number
  • DestinationASI
    any number
     

Additional Fields for NetFlow v9 and IPFIX Sensors Only

  • Interface
    any number
  • ASI
    any number
  • InboundInterface
    any number
  • OutboundInterface
    any number
  • SenderIP
    IP of the sending device. This is helpful if several devices send flow data on the same port, and you want to divide the traffic of each device into a different sensor channel. Possible values: IP address or DNS name (see Valid Data Formats below)
  • SourceASI
    any number
  • DestinationASI
    any number
  • MAC
    physical address
  • SourceMAC
    physical address
  • DestinationMAC
    physical address
  • Mask
    "Mask" values represent subnet masks in the form of a single number (number of contiguous bits).
  • DestinationMask
    "Mask" values represent subnet masks in the form of a single number (number of contiguous bits).
  • NextHop (IP address)
    Possible values: IP address or DNS name (see Valid Data Formats below)
  • VLAN
    "VLAN" values represent a VLAN identifier (any number).
  • SourceVLAN
    "VLAN" values represent a VLAN identifier (any number).
  • DestinationVLAN
    "VLAN" values represent a VLAN identifier (any number).
     

Additional Fields for sFlow Sensors Only

  • Interface
    any number
  • InboundInterface
    any number
  • OutboundInterface
    any number
  • SenderIP
    IP of the sending device. This is helpful if several devices send flow data on the same port, and you want to divide the traffic of each device into a different sensor channel. Possible values: IP address or DNS name (see Valid Data Formats below)
  • MAC
    physical address
  • SourceMAC
    physical address
  • DestinationMAC
    physical address
     

Valid Data Formats

  • IP fields support wildcards (*), range (10-20) and hostmask ( /10, /255.255.0.0) syntax, as well as DNS names.
  • Number fields support range (80-88) syntax.
  • Protocol and EtherType fields support numbers and a list of predefined constants.
     

For detailed information on IP ranges, please see Define IP Ranges section.

Examples

All of the following filter rules are valid examples:

SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]
MAC[00-60-50-X0-00-01]
DSCP[46]

 

Complex expressions can be created using parentheses ( ) and the words and, or, or and not. For example, this is a valid filter rule:

Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])

 

Related Topics

Knowledge Base: How can I change the default groups and channels for xFlow and Packet Sniffer sensors?

 

 

Advanced Topics

Continue

Keywords: Flow,Flow Filter Rules,Packet Sniffing,Packet Sniffing Filter Rules