At first I configured the channel definition as follows:
#1:HTTP Protocol[TCP] and (SourcePort[80] or DestinationPort[80] or SourcePort[443] or DestinationPort[443])
#2:TCP Protocol[TCP]
#3:UDP Protocol[UDP]
#4:ICMP Protocol[ICMP]
Later, I modified it to add more channels:
#1:HTTP (Protocol[TCP] or Protocol[UDP]) and (SourcePort[80] or DestinationPort[80] or SourcePort[443] or DestinationPort[443])
#2:FTP Protocol[TCP] and (SourcePort[20-21] or DestinationPort[20-21])
#3:SFTP/SSH Protocol[TCP] and (SourcePort[22] or DestinationPort[22])
#4:SMTP Protocol[TCP] and (SourcePort[25] or DestinationPort[25] or SourcePort[587] or DestinationPort[587] or SourcePort[465] or DestinationPort[465])
#5:DNS Protocol[TCP] and (SourcePort[53] or DestinationPort[53])
#6:tFTP Protocol[UDP] and (SourcePort[69] or DestinationPort[69])
#7:POP3 Protocol[TCP] and (SourcePort[110] or DestinationPort[110])
#8:sFTP (Protocol[TCP] or Protocol[UDP]) and (SourcePort[115] or DestinationPort[115])
#9:IMAP Protocol[TCP] and (SourcePort[143] or DestinationPort[143])
#10:SNMP (Protocol[TCP] or Protocol[UDP]) and (SourcePort[161] or SourcePort[162] or DestinationPort[161] or DestinationPort[162])
#11:FTPS Protocol[TCP] and (SourcePort[989-990] or DestinationPort[989-990])
#12:IMAPS Protocol[TCP] and (SourcePort[993] or DestinationPort[993])
#13:WinSrvUpSrv (Protocol[TCP] or Protocol[UDP]) and (SourcePort[8530-8531] or DestinationPort[8530-8531])
#14:LogMeInHamachi Protocol[TCP] and (SourcePort[12975] or SourcePort[32976] or DestinationPort[12975] or DestinationPort[32976])
#15:L2TP Protocol[115]
#16:EspAh Protocol[50-51]
#17:GRE Protocol[47]
#18:TCP Protocol[TCP]
#19:UDP Protocol[UDP]
#20:ICMP Protocol[ICMP]
Problem is, I now have two channels for TCP, UDP, ICMP:
1. HTTP 1,759 MByte 94 %
2. TCP 99 MByte 5 %
3. ICMP 7,574 KByte < 1 %
4. SNMP 4,192 KByte < 1 %
5. UDP 1,397 KByte < 1 %
6. ICMP 922 KByte < 1 %
7. IMAPS 459 KByte < 1 %
8. POP3 131 KByte < 1 %
9. TCP 8,256 Byte < 1 %
10. UDP 5,498 Byte < 1 %
11. WinSrvUpSrv 647 Byte < 1 %
Other 0 Byte < 1 %
Seems like the new channel definition was appended to the first channel definition; it was not replaced.
Article Comments
Thanks Sven, I will re-create the sensor then. By the way, is there a guide describing all the commands/parameters we can use for channel definition? Thanks again for your support.
Mar, 2018 - Permalink
Hey Oscar,
Sure thing, please refer to the following two links:
- How do the channel definitions for custom packet sniffing, flow, and IPFIX sensors work?
- PRTG MANUAL: CHANNEL DEFINITIONS FOR FLOW, IPFIX, AND PACKET SNIFFER SENSORS
Best regards,
Sven
Mar, 2018 - Permalink
Hey Oscar, thanks for your KB-Post.
As a general PRTG rule, it is not possible to delete or, in some cases, rename existing channels from a sensor. In this particular case, you first had #2:TCP and then switched to #18:TCP. As a result, you now have two TCP channels, but the first one is actually now using this definition:
If you decide to completely change the custom definition for this sensor type, you should re-create the sensor (you will, however, lose the sensor's history by doing this).
Alternatively, if you "can't lose" the collected sensor data but need to update the definition, you need to preserve the original ID when changing the channels, in this case effectively moving #2:TCP, #3:UDP and #4:ICMP all the way to the end of the definition and using new numbers for the newly created channels, for example #101, #102, #103 and so on.
Best regards,
Sven
Mar, 2018 - Permalink
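The ID-preserving renumbering from the reply above, as an added example that is not part of the thread and not PRTG tooling: it reports IDs that a new definition hands to a different channel name, then renumbers so existing names keep their ID and new channels start at #101. The function names (`parse`, `reused_ids`, `remap`, `render`) are hypothetical, and channel names are assumed to contain no whitespace.

```python
import re

# "#<id>:<name> <rule>" up to the next "#<id>:" header or end of text.
# Assumption: channel names contain no whitespace, as in this thread.
ENTRY = re.compile(r"#(\d+):(\S+)\s+(.*?)(?=\s+#\d+:|\Z)", re.S)

def parse(definition):
    """Return [(id, name, rule)] in definition order."""
    return [(int(i), n, " ".join(r.split()))
            for i, n, r in ENTRY.findall(definition.strip())]

def reused_ids(old_def, new_def):
    """IDs that new_def gives to a different name than old_def did."""
    old = {cid: name for cid, name, _ in parse(old_def)}
    return [(cid, old[cid], name) for cid, name, _ in parse(new_def)
            if cid in old and old[cid] != name]

def remap(old_def, new_def, first_new_id=101):
    """Keep new_def's order; names known from old_def keep their old ID,
    all other channels get unused IDs counting up from first_new_id."""
    old_ids = {name: cid for cid, name, _ in parse(old_def)}
    used = set(old_ids.values())  # old IDs stay reserved even if dropped
    next_id, out = first_new_id, []
    for _, name, rule in parse(new_def):
        cid = old_ids.get(name)
        if cid is None:
            while next_id in used:
                next_id += 1
            cid = next_id
            used.add(cid)
        out.append((cid, name, rule))
    return out

def render(channels):
    """Format channels back into one '#id:name rule' line each."""
    return "\n".join(f"#{cid}:{name} {rule}" for cid, name, rule in channels)

# First definition from the thread.
OLD = """#1:HTTP Protocol[TCP] and (SourcePort[80] or DestinationPort[80] or SourcePort[443] or DestinationPort[443])
#2:TCP Protocol[TCP] #3:UDP Protocol[UDP] #4:ICMP Protocol[ICMP]"""
# Shortened excerpt of the second definition (most channels left out).
NEW = """#1:HTTP (Protocol[TCP] or Protocol[UDP]) and (SourcePort[80] or DestinationPort[80] or SourcePort[443] or DestinationPort[443])
#2:FTP Protocol[TCP] and (SourcePort[20-21] or DestinationPort[20-21])
#3:SFTP/SSH Protocol[TCP] and (SourcePort[22] or DestinationPort[22])
#18:TCP Protocol[TCP] #19:UDP Protocol[UDP] #20:ICMP Protocol[ICMP]"""

if __name__ == "__main__":
    print(reused_ids(OLD, NEW))
    print(render(remap(OLD, NEW)))
```

Running `reused_ids` before saving a changed definition shows which existing channels would end up collecting traffic for a different rule under their old name.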