Solutions

Packet Sniffing sensor

Modified on 2025-06-10 14:38:04 +0200

Hi *, I have a Packet Sniffing sensor running for monitoring traffic volumes on http port 80. Now I would like to differentiate within this based on the DNS host names. So for example something like: show me the traffic volumes for all websites that have the word "google" and "mcirosoft" in the DNS name. Is that possible? And how (assuming that it is)?

Best regards, Will Moonen

Article Comments

Hello,

I'm afraid this would only be possible with a Custom Packet Sniffer sensors, with then the hostnames (goole & microsoft) resolved into IPs.

best regards.

Nov, 2012 - Permalink

I'm using the custom version - sorry for the confusion. I would expect something in the channel definitions.

Examples of current channel definitions:

1000:BitTorrent ((Protocol[TCP] OR Protocol[UDP]) AND (SourcePort[6363] OR DestinationPort[6363] OR SourcePort[8063] OR DestinationPort[8063]))

1010:Filesharing ((Protocol[TCP] OR Protocol[UDP]) AND (DestinationPort[137-139] OR DestinationPort[445] OR SourcePort[137-139] OR SourcePort[445]))

Based on this, I would expect something like this:

1020:Microsoft SourceIP[*microsoft*] AND DestinationPort[80]

1030:Google SourceIP[*google*] AND DestinationPort[80]

Is this correct? Any suggestions?

Nov, 2012 - Permalink

Only full dns-names are supported. With dns-names, wildcards cannot be used.

Nov, 2012 - Permalink

Disclaimer:
The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.

Packet Sniffing sensor

Article Comments

Search

Attention

Related Articles