PRTG Manual: Filter Rules for Flow, IPFIX, and Packet Sniffer Sensors

You can use filter rules for the Include Filter, Exclude Filter, and Channel Definition fields of packet sniffer, flow, and IPFIX sensors. The filter rules are based on the following format:

field[filter]

In this section:

Valid Fields for All Sensors

Field

Possible Filter Values

IP

IP address or Domain Name System (DNS) name

i_square_cyanFor more information, see section Valid Data Formats.

Port

Any number

SourceIP

IP address or DNS name

SourcePort

Any number

DestinationIP

IP address or DNS name

DestinationPort

Any number

Protocol

Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Open Shortest Path First (OSPF), any number

ToS

Type of Service (ToS): any number

DSCP

Differentiated Services Code Point (DSCP): any number

Additional Fields for Packet Sniffer Sensors Only

Field

Possible Filter Values

MAC

Physical address

i_square_cyanFor more information, see section Examples.

SourceMAC

Physical address

DestinationMAC

Physical address

EtherType

IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, any number

VlanPCP

IEEE 802.1Q VLAN Priority Code Point

VlanID

IEEE 802.1Q VLAN Identifier

TrafficClass

IPv6 Traffic Class: corresponds to TOS used with IPv4

FlowLabel

IPv6 Flow Label

Additional Fields for NetFlow v5 and jFlow v5 Sensors Only

Field

Possible Filter Values

Interface

Any number

ASI

Any number

InboundInterface

Any number

OutboundInterface

Any number

SenderIP

IP address of the sending device. Use this if you have several devices that send flow data on the same port, and you want to divide the traffic of each device into a different channel.

Possible values: IP address or DNS name

i_square_cyanFor more information, see section Valid Data Formats.

SourceASI

Any number

DestinationASI

Any number

Additional Fields for NetFlow v9 and IPFIX Sensors Only

Field

Possible Filter Values

Interface

Any number

ASI

Any number

InboundInterface

Any number

OutboundInterface

Any number

SenderIP

IP address of the sending device. Use this if you have several devices that send flow data on the same port, and you want to divide the traffic of each device into a different channel.

Possible values: IP address or DNS name

i_square_cyanFor more information, see section Valid Data Formats.

SourceASI

Any number

DestinationASI

Any number

MAC

Physical address

SourceMAC

Physical address

DestinationMAC

Physical address

Mask

Mask values represent subnet masks in the form of a single number (number of contiguous bits).

DestinationMask

Mask values represent subnet masks in the form of a single number (number of contiguous bits).

NextHop

IP address or DNS name

VLAN

VLAN values represent a VLAN identifier (any number).

SourceVLAN

VLAN values represent a VLAN identifier (any number).

DestinationVLAN

VLAN values represent a VLAN identifier (any number).

Additional Fields for sFlow Sensors Only

Field

Possible Filter Values

Interface

Any number

InboundInterface

Any number

OutboundInterface

Any number

SenderIP

IP address of the sending device. Use this if you have several devices that send flow data on the same port, and you want to divide the traffic of each device into a different channel.

Possible values: IP address or DNS name

i_square_cyanFor more information, see section Valid Data Formats.

MAC

Physical address

SourceMAC

Physical address

DestinationMAC

Physical address

Valid Data Formats

  • IP fields support wildcards (*), range (10-20) and hostmask ( /10, /255.255.0.0) syntax, as well as DNS names.
    i_round_redIP fields do not support IPv6 wildcards, IPv6 ranges, and IPv6 hostmasks.
  • Number fields support range (80-88) syntax.
  • Protocol and EtherType fields support numbers and a list of predefined constants.

i_square_cyanFor more information on IP address ranges, see section Define IP Address Ranges.

Examples

All of the following filter rules are valid examples:

SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]
MAC[00-60-50-X0-00-01]
DSCP[46]

You can create more complex expressions by using parentheses ( ) and the words and, or, or and not. For example, these are valid filter rules:

Protocol[TCP] and DestinationIP[10.0.0.1]

This rule filters for all TCP traffic with the destination IP address 10.0.0.1.

Protocol[TCP] or DestinationIP[10.0.0.1]

This rule filters for all TCP traffic and all traffic with the destination IP address 10.0.0.1.

Protocol[TCP] and (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])

This rule filters for all TCP traffic with either the destination IP address 10.0.0.1 or the source IP address range 10.0.0.120-130.

Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])

This rule filters for all TCP traffic that does not have the destination IP address 10.0.0.1 and the source IP address range 10.0.0.120-130.

More

i_square_blueKNOWLEDGE BASE

How can I change the default groups and channels for flow and Packet Sniffer sensors?