PRTG Manual: Filter Rules for Flow, IPFIX, and Packet Sniffer Sensors
You can use filter rules for the Include Filter, Exclude Filter, and Channel Definition fields of packet sniffer, flow, and IPFIX sensors. The filter rules are based on the following format:
field[filter]
In this section:
- Valid Fields for All Sensors
- Additional Fields for Packet Sniffer Sensors Only
- Additional Fields for NetFlow v5 and jFlow v5 Sensors Only
- Additional Fields for NetFlow v9 and IPFIX Sensors Only
- Additional Fields for sFlow Sensors Only
- Valid Data Formats
- Examples
Valid Fields for All Sensors
Field | Possible Filter Values |
---|---|
IP | IP address or Domain Name System (DNS) name. For more information, see section Valid Data Formats. |
Port | Any number |
SourceIP | IP address or DNS name |
SourcePort | Any number |
DestinationIP | IP address or DNS name |
DestinationPort | Any number |
Protocol | Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Open Shortest Path First (OSPF), any number |
ToS | Type of Service (ToS): any number |
DSCP | Differentiated Services Code Point (DSCP): any number |
Additional Fields for Packet Sniffer Sensors Only
Field | Possible Filter Values |
---|---|
MAC | Physical address. For more information, see section Examples. |
SourceMAC | Physical address |
DestinationMAC | Physical address |
EtherType | IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, any number |
VlanPCP | IEEE 802.1Q VLAN Priority Code Point |
VlanID | IEEE 802.1Q VLAN Identifier |
TrafficClass | IPv6 Traffic Class: corresponds to TOS used with IPv4 |
FlowLabel | IPv6 Flow Label |
Additional Fields for NetFlow v5 and jFlow v5 Sensors Only
Field | Possible Filter Values |
---|---|
Interface | Any number |
ASI | Any number |
InboundInterface | Any number |
OutboundInterface | Any number |
SenderIP | IP address of the sending device. Use this if you have several devices that send flow data on the same port, and you want to divide the traffic of each device into a different channel. Possible values: IP address or DNS name. For more information, see section Valid Data Formats. |
SourceASI | Any number |
DestinationASI | Any number |
Additional Fields for NetFlow v9 and IPFIX Sensors Only
Field | Possible Filter Values |
---|---|
Interface | Any number |
ASI | Any number |
InboundInterface | Any number |
OutboundInterface | Any number |
SenderIP | IP address of the sending device. Use this if you have several devices that send flow data on the same port, and you want to divide the traffic of each device into a different channel. Possible values: IP address or DNS name. For more information, see section Valid Data Formats. |
SourceASI | Any number |
DestinationASI | Any number |
MAC | Physical address |
SourceMAC | Physical address |
DestinationMAC | Physical address |
Mask | Mask values represent subnet masks in the form of a single number (number of contiguous bits). |
DestinationMask | Mask values represent subnet masks in the form of a single number (number of contiguous bits). |
NextHop | IP address or DNS name |
VLAN | VLAN values represent a VLAN identifier (any number). |
SourceVLAN | VLAN values represent a VLAN identifier (any number). |
DestinationVLAN | VLAN values represent a VLAN identifier (any number). |
Additional Fields for sFlow Sensors Only
Field | Possible Filter Values |
---|---|
Interface | Any number |
InboundInterface | Any number |
OutboundInterface | Any number |
SenderIP | IP address of the sending device. Use this if you have several devices that send flow data on the same port, and you want to divide the traffic of each device into a different channel. Possible values: IP address or DNS name. For more information, see section Valid Data Formats. |
MAC | Physical address |
SourceMAC | Physical address |
DestinationMAC | Physical address |
Valid Data Formats
- IP fields support wildcards (*), range (10-20), and hostmask (/10, /255.255.0.0) syntax, as well as DNS names.
  IP fields do not support IPv6 wildcards, IPv6 ranges, and IPv6 hostmasks.
- Number fields support range (80-88) syntax.
- Protocol and EtherType fields support numbers and a list of predefined constants.
For more information on IP address ranges, see section Define IP Address Ranges.
Examples
All of the following filter rules are valid examples:
SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]
MAC[00-60-50-X0-00-01]
DSCP[46]
You can create more complex expressions by using parentheses ( ) and the words and, or, and not. For example, these are valid filter rules:
Protocol[TCP] and DestinationIP[10.0.0.1]
This rule filters for all TCP traffic with the destination IP address 10.0.0.1.
Protocol[TCP] or DestinationIP[10.0.0.1]
This rule filters for all TCP traffic and all traffic with the destination IP address 10.0.0.1.
Protocol[TCP] and (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])
This rule filters for all TCP traffic with either the destination IP address 10.0.0.1 or the source IP address range 10.0.0.120-130.
Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])
This rule filters for all TCP traffic that has neither the destination IP address 10.0.0.1 nor a source IP address in the range 10.0.0.120-130.
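An added example (not PRTG code): a small Python evaluator for the rule syntax above, for checking which flows an include or exclude rule would match before you deploy it. It covers only Protocol names, IPv4 IP fields, and number fields. The operator precedence (not, then and, then or), the flow dictionaries, and the function names are assumptions of this example; DNS names and MAC fields are not handled.

```python
import ipaddress
import re

# Token: field[filter], a parenthesis, and/or/not, or any other text (rejected later).
TOKEN = re.compile(r"\s*((\w+)\[([^\]]*)\]|\(|\)|and\b|or\b|not\b|\S+)", re.I)

def match_field(field, pattern, value):
    if field == "Protocol":
        return pattern.upper() == value.upper()
    if "/" in pattern:  # hostmask syntax: /10 or /255.255.0.0 (IPv4 only)
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    for want, got in zip(pattern.split("."), str(value).split(".")):
        lo, _, hi = want.partition("-")  # range syntax: 80-88 or 10.0.0.120-130
        if want != "*" and not int(lo) <= int(got) <= int(hi or lo):
            return False
    return True

def evaluate(rule, flow):
    toks = TOKEN.findall(rule) + [("<end>", "", "")]
    def atom():
        text, field, pattern = toks.pop(0)
        if text.lower() == "not":
            return not atom()
        if text == "(":
            result = expr("or")
            if toks.pop(0)[0] != ")":
                raise ValueError("missing closing parenthesis")
            return result
        return match_field(field, pattern, flow[field])  # KeyError: not a known field
    def expr(op):  # assumed precedence (not stated on the page): not, then and, then or
        operand = atom if op == "and" else lambda: expr("and")
        values = [operand()]
        while toks[0][0].lower() == op and toks.pop(0):  # consume the operator
            values.append(operand())
        return all(values) if op == "and" else any(values)
    result = expr("or")
    if len(toks) > 1:
        raise ValueError(f"unexpected {toks[0][0]!r}")
    return result

FIELDS = ("id", "Protocol", "SourceIP", "DestinationIP", "DestinationPort")
FLOWS = [dict(zip(FIELDS, row)) for row in (  # constructed sample flows
    ("a", "TCP", "10.0.0.5", "10.0.0.1", 443),
    ("b", "TCP", "10.0.0.125", "10.0.0.9", 80),
    ("c", "TCP", "10.0.0.5", "10.0.0.9", 22),
    ("d", "UDP", "10.0.0.125", "10.0.0.1", 53))]

def matching(rule):
    return [flow["id"] for flow in FLOWS if evaluate(rule, flow)]
```

Calling `matching()` with each of the four compound rules above returns the ids of the sample flows that rule selects, which makes the difference between the `and not (...)` rule and the others easy to see.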
KNOWLEDGE BASE
How can I change the default groups and channels for flow and Packet Sniffer sensors?