PRTG 9 Manual: Filter Rules for xFlow and Packet Sniffer Sensors
Filter rules are used for the include, exclude and channel definition fields of Custom Packet Sniffer and Custom xFlow sensors. They are based on the following format:
field[filter]
Valid Fields for All Sensors
- IP
Possible values: IP address or DNS name (see Valid Data Formats below) - Port
- SourceIP
Possible values: IP address or DNS name (see Valid Data Formats below) - SourcePort
- DestinationIP
Possible values: IP address or DNS name (see Valid Data Formats below) - DestinationPort
- Protocol
Possible Protocol values: TCP , UDP , ICMP , OSPFIGP , or any number) - ToS
Additional Fields for Packet Sniffer Sensors Only
- MAC
- SourceMAC
- DestinationMAC
- EtherType
Possible EtherType values: IPV4 , ARP , RARP , APPLE , AARP , IPV6 , IPXold , IPX , or any number - VlanPCP
IEEE 802.1Q VLAN Priority Code Point - VlanID
IEEE 802.1Q VLAN Identifier - TrafficClass
IPv6 Traffic Class (corresponds to TOS used with IPv4) - FlowLabel
IPv6 Flow Label
Additional Fields for NetFlow v5 and jFlow v5 Sensors Only
- Interface
- ASI
- InboundInterface
- OutboundInterface
- SenderIP
IP of the sending device. This is helpful if several devices send flow data on the same port, and you want to divide the traffic of each device into a different sensor channel. Possible values: IP address or DNS name (see Valid Data Formats below)
- SourceASI
- DestinationASI
Additional Fields for xFlow v9 Sensors Only
- Interface
- ASI
- InboundInterface
- OutboundInterface
- SenderIP
IP of the sending device. This is helpful if several devices send flow data on the same port, and you want to divide the traffic of each device into a different sensor channel. Possible values: IP address or DNS name (see Valid Data Formats below)
- SourceASI
- DestinationASI
- MAC
- SourceMAC
- DestinationMAC
- Mask
- DestinationMask
Note: "Mask" values represent subnet masks in the form of a single number (number of contiguous bits). - NextHop (IP address)
Possible values: IP address or DNS name (see Valid Data Formats below) - VLAN
- SourceVLAN
- DestinationVLAN
Note: "VLAN" valuesrepresent a VLAN identifier.
Additional Fields for sFlow Sensors Only
- Interface
- InboundInterface
- OutboundInterface
- SenderIP
IP of the sending device. This is helpful if several devices send flow data on the same port, and you want to divide the traffic of each device into a different sensor channel. Possible values: IP address or DNS name (see Valid Data Formats below)
- MAC
- SourceMAC
- DestinationMAC
Valid Data Formats
- IP fields support wildcards (*), range (10-20) and hostmask ( /10, /255.255.0.0) syntax, as well as DNS names.
- Number fields support range (80-88) syntax.
- Protocol and EtherType fields support numbers and a list of predefined constants.
For detailed information on IP ranges, please see Define IP Ranges section.
Examples
All of the following filter rules are valid examples:
SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]
Complex expressions can be created using parentheses ( ) and the words and , or , or not . For example, this is a valid filter rule:
Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])