Filter Rules for xFlow and Packet Sniffer Sensors
Filter rules are used for the include, exclude and channel definition fields of Custom Packet Sniffer and Custom xFlow sensors. They are based on the following format:
field[filter]
- IP
- Port
- SourceIP
- SourcePort
- DestinationIP
- DestinationPort
- Protocol
Possible Protocol values: TCP, UDP, ICMP, OSPFIGP, or any number
- ToS
Additional Fields for Packet Sniffer Sensors Only
- MAC
- SourceMAC
- DestinationMAC
- EtherType
Possible EtherType values: IPV4, ARP, RARP, APPLE, AARP, IPV6, IPXold, IPX, or any number
Additional Fields for NetFlow v5 and jFlow v5 Sensors Only
- Interface
- ASI
- InboundInterface
- OutboundInterface
- SourceASI
- DestinationASI
Additional Fields for xFlow v9 Sensors Only
- Interface
- ASI
- InboundInterface
- OutboundInterface
- SourceASI
- DestinationASI
- MAC
- SourceMAC
- DestinationMAC
- Mask
- DestinationMask
Note: "Mask" values represent subnet masks in the form of a single number (number of contiguous bits).
- NextHop (IP address)
- VLAN
- SourceVLAN
- DestinationVLAN
Note: "VLAN" values represent a VLAN identifier.
Additional Fields for sFlow Sensors Only
- Interface
- InboundInterface
- OutboundInterface
- MAC
- SourceMAC
- DestinationMAC
- IP fields support wildcards (*), range (10-20) and hostmask (/10, /255.255.0.0) syntax.
- Number fields support range (80-88) syntax.
- Protocol and EtherType fields support numbers and a list of predefined constants.
For detailed information on IP ranges, see the Define IP Ranges section.
All of the following filter rules are valid examples:
SourceIP[10.0.0.1]
SourceIP[10.*.*.*]
SourceIP[10.0.0.0/10]
DestinationIP[10.0.0.120-130]
DestinationPort[80-88]
Protocol[UDP]
Complex expressions can be created using parentheses ( ) and the words and, or, or not. For example, this is a valid filter rule:
Protocol[TCP] and not (DestinationIP[10.0.0.1] or SourceIP[10.0.0.120-130])
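To check what a rule matches before entering it in a sensor's include, exclude or channel definition field, the following added example (not part of the original documentation or the product's code) evaluates a filter rule against a flow record in Python. Assumptions: the flow record is a dict, only IP fields, Protocol and plain number fields are handled, and `not` binds tighter than `and`, which binds tighter than `or` (the page does not state the precedence).

```python
import ipaddress, re

PROTOCOLS = {"ICMP": 1, "TCP": 6, "UDP": 17, "OSPFIGP": 89}  # IANA protocol numbers
TOKEN = re.compile(r"\s*(\(|\)|and\b|or\b|not\b|(\w+)\[([^\]]*)\])", re.I)
SAMPLE_FLOW = {"SourceIP": "10.0.0.125", "SourcePort": 51000,  # constructed sample
               "DestinationIP": "10.0.0.9", "DestinationPort": 80, "Protocol": 6}

def in_range(spec, n):  # number syntax: "80" or "80-88"
    lo, _, hi = spec.partition("-")
    return int(lo) <= int(n) <= int(hi or lo)

def match_field(field, spec, flow):
    value = flow[field]  # KeyError if the flow record lacks this field
    if field.endswith("IP") and "/" in spec:  # hostmask: /10 or /255.255.0.0
        return ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)
    if field.endswith("IP"):  # wildcard or range, octet by octet
        return all(o == "*" or in_range(o, v) for o, v in zip(spec.split("."), value.split(".")))
    if field == "Protocol":  # predefined constant or plain number
        spec = str(PROTOCOLS.get(spec.upper(), spec))
    return in_range(spec, value)

def evaluate(rule, flow):  # True if the flow matches; ValueError if the rule is malformed
    if TOKEN.sub("", rule).strip():
        raise ValueError(f"unparseable text in rule: {rule!r}")
    toks = [("term" if m[2] else m[1].lower(), m[2], m[3]) for m in TOKEN.finditer(rule)]
    def chain(op, operand):  # left-associative run of one operator
        result = operand()
        while toks and toks[0][0] == op:
            toks.pop(0)
            rhs = operand()  # always parse the right side so its tokens are consumed
            result = (result and rhs) if op == "and" else (result or rhs)
        return result
    def unary():
        kind, field, spec = toks.pop(0) if toks else ("end of rule", None, None)
        if kind == "not":
            return not unary()
        if kind == "term":
            return match_field(field, spec, flow)
        if kind != "(":
            raise ValueError(f"unexpected {kind!r}")
        result = expr()
        if not toks or toks.pop(0)[0] != ")":
            raise ValueError("missing ')'")
        return result
    expr = lambda: chain("or", lambda: chain("and", unary))
    result = expr()
    if toks:
        raise ValueError(f"unexpected {toks[0][0]!r}")
    return result
```

With the constructed SAMPLE_FLOW, the complex rule above evaluates to False because the source address falls inside the excluded 10.0.0.120-130 range.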
