This article applies as of PRTG 22


What is the filter rule syntax? What flow (NetFlow/sFlow/jFlow) and IPFIX filter parameters are supported by PRTG?


Important Notice: This article is no longer kept up to date. For more up-to-date information, see the PRTG Manual: Filter Rules for Flow, IPFIX and Packet Sniffer Sensors.


Filter rules for custom Packet Sniffer, flow, or IPFIX sensors

Filter rules are used for the include filter, exclude filter, and channel definition fields of custom packet sniffer, NetFlow, sFlow, jFlow, and IPFIX sensors.

Filter rules are based on the following format:

field[filter]


Valid fields:

  • IP
  • Port
  • SourceIP
  • SourcePort
  • DestinationIP
  • DestinationPort
  • Protocol (values: TCP, UDP, ICMP, OSPFIGP, or any number)
  • ToS
  • DSCP


Additional Packet Sniffer fields:

  • MAC
  • SourceMAC
  • DestinationMAC
  • EtherType (values: IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, or any number)
  • VlanPCP
  • VlanID
  • TrafficClass
  • FlowLabel


Additional NetFlow v5/jFlow fields:

  • Interface
  • ASI
  • InboundInterface
  • OutboundInterface
  • SenderIP
  • SourceASI
  • DestinationASI


Additional NetFlow v9 and IPFIX fields:

  • Interface
  • ASI
  • InboundInterface
  • OutboundInterface
  • SenderIP
  • SourceASI
  • DestinationASI
  • MAC
  • SourceMAC
  • DestinationMAC
  • Mask
  • DestinationMask
    • Masks represent subnet masks in the form of a single number (number of contiguous bits)
  • NextHop (IP address)
  • VLAN
  • SourceVLAN
  • DestinationVLAN
    • VLANs represent a VLAN identifier


Additional sFlow fields:

  • Interface
  • InboundInterface
  • OutboundInterface
  • SenderIP
  • MAC
  • SourceMAC
  • DestinationMAC


Data formats:

  • IP fields support wildcard (*), range (10-20), and hostmask (/10, /255.255.0.0) syntax (all IPv4 only), as well as DNS names.
  • Number fields support range (80-88) syntax.
  • Protocol and EtherType fields support numbers and a list of predefined constants.


Samples:

SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]

Complex expressions can be created with parentheses and the operators "and", "or", and "and not":

Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])
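
A rule written in this syntax can be checked offline against sample traffic before it goes into an include or exclude filter. The Python code below is an added example, not Paessler code: it evaluates a rule against one flow record and covers the directional IP and port fields and the Protocol field used in the samples. The function names, the dict layout of the record, and the precedence (not, then and, then or) are assumptions; DNS names and the combined IP and Port fields are not handled.

```python
import ipaddress
import re

PROTOCOLS = {"ICMP": 1, "TCP": 6, "UDP": 17, "OSPFIGP": 89}  # IANA protocol numbers
TOKEN = re.compile(r"\s*(?:(\w+)\[([^\]]*)\]|([()]|and\b|or\b|not\b)|\S+)", re.I)

def in_range(pattern, value):
    lo, _, hi = pattern.partition("-")           # "80" or "80-88"
    return int(lo) <= int(value) <= int(hi or lo)

def ip_matches(pattern, addr):
    if "/" in pattern:                           # hostmask: /10 or /255.255.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return all(p == "*" or in_range(p, o)        # wildcard or range per octet
               for p, o in zip(pattern.split("."), addr.split(".")))

def term_matches(field, pattern, flow):
    if field == "Protocol":                      # constant name or any number
        return flow[field] == int(PROTOCOLS.get(pattern.upper(), pattern))
    test = ip_matches if field.endswith("IP") else in_range
    return test(pattern, flow[field])

def evaluate(rule, flow):                        # flow: dict keyed by field name (assumed layout)
    toks, pos = TOKEN.findall(rule) + [("", "", "end")], 0
    def parse(ops):                              # assumed precedence: not > and > or
        nonlocal pos
        if ops:                                  # ops[0] is the loosest operator left
            vals = [parse(ops[1:])]
            while toks[pos][2].lower() == ops[0]:
                pos += 1
                vals.append(parse(ops[1:]))
            return any(vals) if ops[0] == "or" else all(vals)
        field, pattern, sym = toks[pos]
        pos += 1
        if sym.lower() == "not":
            return not parse(())
        if sym == "(":
            val = parse(("or", "and"))
            if toks[pos][2] != ")":
                raise ValueError("missing ) in: " + rule)
            pos += 1
            return val
        if not field:                            # operator, garbage, or end of rule
            raise ValueError("expected field[filter] in: " + rule)
        return term_matches(field, pattern, flow)
    result = parse(("or", "and"))
    if pos != len(toks) - 1:                     # anything left before the end marker
        raise ValueError("unexpected trailing input in: " + rule)
    return result
```

Call evaluate(rule, flow) with a record such as {"SourceIP": "10.0.0.125", "DestinationIP": "192.0.2.10", "DestinationPort": 443, "Protocol": 6}; a malformed rule raises ValueError instead of silently matching nothing. Note that SourceIP[10.0.0.0/10] covers 10.0.0.0 through 10.63.255.255 only, which is easy to misread as the whole 10.0.0.0/8 range.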
