I would like to add my own channels to an existing Packet Sniffer or xFlow (NetFlow, sFlow) sensor. Is this possible?
Can I add custom channels to standard Packet Sniffer and NetFlow sensors?
5 Replies
This article applies to PRTG Network Monitor 7.x and 8
Unfortunately, it's not possible to add custom channels to existing Packet Sniffer / xFlow sensors. But there is another solution:
Creating a Custom Packet Sniffer / xFlow Sensor With Standard Channels Plus Your Own Definitions
You can create a new custom sensor that uses the default channels plus your own channel definitions:
Step 1: Create a custom sensor
- Depending on what you need, create a custom Packet Sniffer or custom NetFlow / sFlow sensor in the PRTG web interface.
- When using NetFlow, fill in the required fields "Netflow Port" and "Active Flow Timeout".
Step 2: Copy the required default channels
Copy the required default channels (see below) into the "Channel Definition" box. There are two sets, the "Group" and the "Detail" definitions.
Group definitions:
#3001:WWW
(Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])) OR (Protocol[TCP] and (SourcePort[443] or DestinationPort[443]))
#3002:FTP/P2P
(Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21]))
#3003:Mail
((Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] )) OR (Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])) OR (Protocol[TCP] and (SourcePort[25] or DestinationPort[25]))
#3004:Chat
(Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])) OR (Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190]))
#3005:Remote Control
(Protocol[TCP] and (SourcePort[3389] or DestinationPort[3389])) OR (Protocol[TCP] and (SourcePort[22] or DestinationPort[22])) OR (Protocol[TCP] and (SourcePort[23] or DestinationPort[23])) OR (Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900]))
#3007:Infrastructure
(Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )) OR ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])) OR (Protocol[TCP] and (SourcePort[113] or DestinationPort[113])) OR (Protocol[ICMP]) OR (Protocol[TCP] and (SourcePort[161-162] or DestinationPort[161-162]))
#3008:NetBIOS
((Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR SourcePort[137-139]))
#3009:Various
(Protocol[UDP]) OR (Protocol[TCP])
Detail definitions:
#1001:HTTP
Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])
#1023:HTTPS
Protocol[TCP] and (SourcePort[443] or DestinationPort[443])
#1024:FTP (Control)
Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21])
#1006:IMAP
(Protocol[TCP] or Protocol[UDP]) and ( DestinationPort[143] or SourcePort[143] or DestinationPort[220] or SourcePort[220] or DestinationPort[993] or SourcePort[993] )
#1008:POP3
Protocol[TCP] and (SourcePort[110] or DestinationPort[110] or SourcePort[995] or DestinationPort[995])
#1011:SMTP
Protocol[TCP] and (SourcePort[25] or DestinationPort[25])
#1007:IRC
Protocol[TCP] and (SourcePort[6667] or DestinationPort[6667])
#1025:AIM
Protocol[TCP] and (SourcePort[5190] or DestinationPort[5190])
#1009:RDP
Protocol[TCP] and (SourcePort[3389] or DestinationPort[3389])
#1014:SSH
Protocol[TCP] and (SourcePort[22] or DestinationPort[22])
#1016:Telnet
Protocol[TCP] and (SourcePort[23] or DestinationPort[23])
#1017:VNC
Protocol[TCP] and (SourcePort[5800] or DestinationPort[5800] or SourcePort[5900] or DestinationPort[5900])
#1003:DHCP
Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )
#1004:DNS
(Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])
#1005:Ident
Protocol[TCP] and (SourcePort[113] or DestinationPort[113])
#1018:ICMP
Protocol[ICMP]
#1012:SNMP
Protocol[TCP] and (SourcePort[161-162] or DestinationPort[161-162])
#3008:NetBIOS
((Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR SourcePort[137-139]))
#1021:OtherUDP
Protocol[UDP]
#1022:OtherTCP
Protocol[TCP]
Step 3: Add your own channels
Add your own channels to the default definitions in the "Channel Definition" box.
- Usually your own channels are more specific and therefore these channel definitions should be inserted before the more generic definitions. Any traffic is only accounted in the first channel that matches the filter.
- Make sure that you use unique channel numbers when adding your sensors!
Step 4: Save and Test
Click on "Continue" to create the sensor and test it.
See also
How do the channel definitions for custom Packet Sniffing or xFlow (NetFlow/sFlow) sensors work?
Created on Mar 10, 2010 9:52:52 AM by Daniel Zobel [Paessler Support]
Last change on Nov 2, 2010 4:23:28 PM by Daniel Zobel [Paessler Support]
Thanks for posting this. If I am reading this right... in case you get 'new' traffic (as in an unauthorized application such as file-sharing) PRTG will not map it but just tag it as 'various'. How would you set up a trigger to warn you about it if you can not really investigate what channels the various traffic refers to? The fact that my 'various' or 'other' traffic has increased... don't think so.
Seems like NetFlow is really underused here or that there needs to be a larger list of port mappings. IMHO all known ports should be in there by default and if nothing is detected then nothing is logged. 4-5 channels is just not enough traffic info for a router. So, if I may, a suggestion: make a script allowing us to check/select the ports we want mapped out and generate definitions as seen above. Thanks!
The idea is to define all used ports of the specific system you know (using the custom channels), so an increase in various or other is suspicious and should be analyzed.
Defining anything "known" as predefined channels is not simple and can be misleading if ports are used for something else by malicious software.
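The first-match rule from Step 3 (traffic is accounted only in the first channel whose filter matches, so specific channels must come before generic ones) and the point made in the reply above (an increase in the Various / Other bucket is the signal to look at) can both be exercised with the following added example. It is not code from this article or from PRTG: a small Python evaluator for the channel-definition syntax shown above, which assumes the two-line "#<id>:<name>" / "<rule>" layout, supports only the Protocol, SourcePort and DestinationPort fields that appear on this page, and adds a constructed custom channel "#5001:Backup" for a hypothetical service on TCP port 10000. The Flow objects are constructed sample data.

```python
import ast
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Channel definitions in the two-line "#<id>:<name>" / "<rule>" layout assumed here. WWW, FTP/P2P and
# Various are copied from the answer above; Infrastructure is a shortened copy (DHCP, DNS and ICMP only).
# "#5001:Backup" is a CONSTRUCTED custom channel for a hypothetical service on TCP port 10000.
STANDARD = """\
#3001:WWW
(Protocol[TCP] and ( SourcePort[80] or DestinationPort[80] or SourcePort[8080] or DestinationPort[8080])) OR (Protocol[TCP] and (SourcePort[443] or DestinationPort[443]))
#3002:FTP/P2P
(Protocol[TCP] and (DestinationPort[20-21] OR SourcePort[20-21]))
#3007:Infrastructure
(Protocol[UDP] and ((SourcePort[68] and DestinationPort[67]) or (SourcePort[67] and DestinationPort[68]) )) OR ((Protocol[TCP] or Protocol[UDP]) and (SourcePort[53] or DestinationPort[53])) OR (Protocol[ICMP])
"""
BACKUP = "#5001:Backup\nProtocol[TCP] and (SourcePort[10000] or DestinationPort[10000])\n"
VARIOUS = "#3009:Various\n(Protocol[UDP]) OR (Protocol[TCP])\n"
DEFINITIONS = STANDARD + BACKUP + VARIOUS             # specific channel BEFORE the catch-all (Step 3)
MISORDERED_DEFINITIONS = STANDARD + VARIOUS + BACKUP  # catch-all first: Backup can never match


@dataclass(frozen=True)
class Flow:
    protocol: str  # "TCP", "UDP" or "ICMP"
    src_port: int
    dst_port: int


Matcher = Callable[[Flow], bool]
Channel = Tuple[int, str, Matcher]
HEADER_RE = re.compile(r"^#(\d+):(.*)$")
FIELD_RE = re.compile(r"([A-Za-z]+)\[([^\]]*)\]")
# The only AST node types a rewritten rule may contain: boolean logic plus _f(...) calls.
ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
                 ast.Call, ast.Name, ast.Load, ast.Constant)


def field_test(flow: Flow, name: str, value: str) -> bool:
    """Evaluate one Field[value] term; only the fields used on this page are supported."""
    if name == "protocol":
        return flow.protocol.upper() == value.upper()
    if name in ("sourceport", "destinationport"):
        lo, _, hi = value.partition("-")  # "80" or "20-21"
        port = flow.src_port if name == "sourceport" else flow.dst_port
        return int(lo) <= port <= int(hi or lo)
    raise ValueError(f"unsupported field {name!r}")


def compile_rule(rule: str) -> Matcher:
    """Rewrite Field[value] into _f('field', 'value') and lower-case and/or/not, then parse the result
    with ast and reject anything outside ALLOWED_NODES before it is ever evaluated."""
    expr = FIELD_RE.sub(lambda m: f"_f({m.group(1).lower()!r}, {m.group(2).strip()!r})", rule)
    expr = re.sub(r"\b(and|or|not)\b", lambda m: m.group(1).lower(), expr, flags=re.IGNORECASE)
    tree = ast.parse(expr.strip(), mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES) or (isinstance(node, ast.Name) and node.id != "_f"):
            raise ValueError(f"disallowed syntax in rule {rule!r}: {ast.dump(node)}")
    code = compile(tree, "<rule>", "eval")
    return lambda flow: bool(eval(code, {"__builtins__": {}}, {"_f": lambda n, v: field_test(flow, n, v)}))


def parse_definitions(text: str) -> List[Channel]:
    """Parse the Channel Definition box into ordered (id, name, matcher) triples; ids must be unique (Step 3)."""
    channels, seen = [], set()
    for line in filter(str.strip, text.splitlines()):
        m = HEADER_RE.match(line)
        if m and int(m.group(1)) in seen:
            raise ValueError(f"duplicate channel id {m.group(1)}")
        if m:
            seen.add(int(m.group(1)))
            channels.append([int(m.group(1)), m.group(2).strip(), []])
        elif not channels:
            raise ValueError("rule text before the first #id:Name header")
        else:
            channels[-1][2].append(line)
    return [(cid, name, compile_rule(" ".join(rules))) for cid, name, rules in channels]


def classify(channels: List[Channel], flow: Flow) -> Optional[Tuple[int, str]]:
    """Traffic is accounted only in the FIRST channel whose rule matches (Step 3)."""
    for cid, name, match in channels:
        if match(flow):
            return cid, name
    return None


def tally(channels: List[Channel], flows: List[Flow]) -> Dict[str, int]:
    """Flows per channel name; a growing 'Various' bucket is the anomaly the replies discuss."""
    return dict(Counter((classify(channels, f) or (0, "unmatched"))[1] for f in flows))


# Constructed sample flows: (protocol, source port, destination port).
SAMPLE_FLOWS = [
    Flow("TCP", 51234, 443),    # HTTPS                       -> WWW
    Flow("TCP", 21, 40000),     # FTP control, server side    -> FTP/P2P
    Flow("UDP", 53, 60000),     # DNS reply                   -> Infrastructure
    Flow("UDP", 68, 67),        # DHCP                        -> Infrastructure
    Flow("TCP", 40100, 10000),  # hypothetical backup service -> Backup (custom channel)
    Flow("TCP", 40200, 6881),   # unknown TCP port            -> Various (catch-all)
]

if __name__ == "__main__":
    chans = parse_definitions(DEFINITIONS)
    print({f: classify(chans, f) for f in SAMPLE_FLOWS}, tally(chans, SAMPLE_FLOWS))
```

Run stand-alone it prints the channel each sample flow lands in and the per-channel counts. The same backup flow classified against MISORDERED_DEFINITIONS lands in Various, because the catch-all precedes the custom channel and first match wins; that is exactly why Step 3 says to insert your own, more specific channels before the generic ones. The rule text is never handed to eval until its syntax tree has been checked against the allow-list, so a typo or stray token in a definition raises ValueError instead of running arbitrary Python.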
I have tried adding new channel definitions to a custom packet sniffer. It seems to allow it but I do not get any new channels under the channel tab, hence any matches I might get are not shown in a color on the graph, and I do not get a color key for the new definition. What am I doing wrong?
I wrote previously that I could not get the above to work. However it does seem to be working now. But it takes absolutely ages for any new channels to take effect. Is there any way of speeding this up? I have tried pausing and resuming without success.