Hello knowledgebase people :-)
Having just upgraded from v6 to v9 (yes, I know), I am on a steep learning curve! However, I was hoping that my massive collection of custom packet sniffing channel defs would transfer across ok - I seem to be having some issues though.
Summary: On a custom packet sniffer sensor I have defined a number of channels, only the first of which is visible and selectable. Another custom sniffer has multiple channels and is working as expected.
My PRTG server has one NIC patched to a monitor session on our core switch, receiving all traffic from our data VLANs.
I have created a number of custom packet sniffer sensors, one of which captures traffic from the LAN to our hosted servers. This traffic goes over a VPN tunnel but that is transparent as far as the monitor session is concerned.
I want to capture both inbound and outbound traffic for various channels and so I have the following include filter and channel definitions (some values changed).
Thanks in advance.
Include filter:
( IP[10.0.a.0/24] or IP[10.0.b.0/24] or IP[10.0.c.0/24] or IP[10.0.d.0/24] )
Channel defs:
#1:InboundSQL
Protocol[TCP] and SourcePort[1433] and ( SourceIP[10.0.a.0/24] or SourceIP[10.0.b.0/24] or SourceIP[10.0.c.0/24] or SourceIP[10.0.d.0/24] )
#2:OutboundSQL
Protocol[TCP] and DestinationPort[1433] ( DestinationIP[10.0.a.0/24] or DestinationIP[10.0.b.0/24] or DestinationIP[10.0.c.0/24] or DestinationIP[10.0.d.0/24] )
#3:InboundWWW
Protocol[TCP] and SourcePort[80] ( SourceIP[10.0.a.0/24] or SourceIP[10.0.b.0/24] or SourceIP[10.0.c.0/24] or SourceIP[10.0.d.0/24] )
#4:OutboundWWW
Protocol[TCP] and DestinationPort[80] ( DestinationIP[10.0.a.0/24] or DestinationIP[10.0.b.0/24] or DestinationIP[10.0.c.0/24] or DestinationIP[10.0.d.0/24] )
#5:InboundRDP
Protocol[TCP] and SourcePort[3389] ( SourceIP[10.0.a.0/24] or SourceIP[10.0.b.0/24] or SourceIP[10.0.c.0/24] or SourceIP[10.0.d.0/24] )
#6:OutboundRDP
Protocol[TCP] and DestinationPort[3389] ( DestinationIP[10.0.a.0/24] or DestinationIP[10.0.b.0/24] or DestinationIP[10.0.c.0/24] or DestinationIP[10.0.d.0/24] )
#7:InboundDNS
Protocol[UDP] and SourcePort[53] ( SourceIP[10.0.a.0/24] or SourceIP[10.0.b.0/24] or SourceIP[10.0.c.0/24] or SourceIP[10.0.d.0/24] )
#8:OutboundDNS
Protocol[UDP] and DestinationPort[53] ( DestinationIP[10.0.a.0/24] or DestinationIP[10.0.b.0/24] or DestinationIP[10.0.c.0/24] or DestinationIP[10.0.d.0/24] )
Article Comments
Thanks for the quick response.
I additionally noticed some syntax errors in my channel defs, though these were apparently allowed as I could save the sensor.
I know that relevant traffic is flowing as I can see it using Wireshark on the same monitoring server, so I restarted the core PRTG service - job done, the channels have appeared.
Are there any threads/external forums that you are aware of with discussions relating to custom channel definitions? I would love to use channels to define "services" e.g. Dropbox, Spotify etc. to better understand what network traffic is going on.
Thanks again Torsten.
May, 2012 - Permalink
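Because the sensor saved the definitions despite the syntax errors mentioned in the comment above, a pre-save lint can catch them first. The sketch below is an added example, not part of the original thread and not PRTG code; its grammar (Field[value] terms, and/or/not, parentheses) and the names `lint_rule` and `lint_channels` are assumptions made for illustration.

```python
import re
# Assumed grammar (not PRTG's own parser): Field[value] terms, and / or / not, parentheses.
TOKEN = re.compile(r"\s*(?:(?P<term>[A-Za-z]+\[[^\]]*\])|(?P<op>and|or|not)\b|(?P<paren>[()]))")

def lint_rule(rule):
    """Return a list of problems found in one filter rule."""
    rule, problems, pos, depth = rule.strip(), [], 0, 0
    want_operand = True  # True when a term, "not" or "(" must come next
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            return problems + [f"unrecognised text at column {pos}"]
        kind, tok, col = m.lastgroup, m.group(m.lastgroup), m.start(m.lastgroup)
        pos = m.end()
        if kind == "term" or tok in ("(", "not"):
            if not want_operand:  # two operands side by side, e.g. Port[80] ( ... )
                problems.append(f"missing and/or before {tok!r} at column {col}")
            depth += tok == "("
            want_operand = kind != "term"
        elif tok == ")":
            if want_operand:
                problems.append(f"operand expected before ')' at column {col}")
            if depth == 0:
                problems.append(f"unmatched ')' at column {col}")
            depth = max(depth - 1, 0)
            want_operand = False
        else:  # "and" / "or" need an operand on their left
            if want_operand:
                problems.append(f"{tok!r} has no left operand at column {col}")
            want_operand = True
    if want_operand:
        problems.append("rule is empty or ends with an operator")
    if depth:
        problems.append(f"{depth} unclosed '('")
    return problems

def lint_channels(text):
    """Map channel id -> problems, for '#id:Name' headers followed by rule lines."""
    report = {}
    for block in re.split(r"(?m)^(?=#\d+:)", text.strip()):
        if block:
            header, _, rule = block.partition("\n")
            report[int(header[1:header.index(":")])] = lint_rule(rule.replace("\n", " "))
    return report

# Constructed sample, shortened from channels #1 and #2 in the post above.
SAMPLE = ("#1:InboundSQL\nProtocol[TCP] and SourcePort[1433] and ( SourceIP[10.0.a.0/24] )\n"
          "#2:OutboundSQL\nProtocol[TCP] and DestinationPort[1433] ( DestinationIP[10.0.a.0/24] )\n")
print(lint_channels(SAMPLE))
```

Channel #1 comes back clean, while #2 is reported for the missing operator before its opening parenthesis.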
Hello,
Please bear in mind that these channels will only be "added" (i.e. shown) once PRTG has detected traffic matching the corresponding definition.
Best regards.
May, 2012 - Permalink