9. General Settings » Custom Decoders

Decoders represent internal functions (traffic dissectors) that differentiate and classify the underlying protocols of each packet or flow. The predefined decoders are listed in the Graphs & Storage chapter. If you do not need to define custom decoders, you can safely skip this section.

CUSTOM_DECODERS8.01_png

To manage user-defined decoders, go to Configuration » General Settings » Custom Decoders. Each custom decoder is defined by:

Decoder Name – A short name to help you identify the decoder. This field is mandatory
Decoder Color – The color used in graphs for the decoder. The default color is a random one. It can be changed by clicking the drop-down menu
Decoder Description – An optional short description of the decoder
Flow Syntax – This syntax is used by Flow Sensor and Flow Filter. Click the star icon to see the correct syntax. Examples:
• To match TCP flows having only the SYN flag set, enter flags S and not flags AFRPU
• To match flows with the MPLS label0 set to 2, enter mpls label0=2
• To match memcached packets, enter proto 17 and port 11211
Flowspec Syntax – Enter a Flowspec expression if you intend to use BGP Flowspec for traffic redirection or DDoS mitigation. Click the star icon to open a window that shows you the correct syntax. Example:
• To match memcached packets, enter port 11211; protocol 17;
BFP Syntax – This syntax is used by Packet Sensor and Packet Filter when the Capture Engine parameter is not set to DPDK. Click the star icon to see details about the correct syntax. Examples:
• To match TCP packets with the SYN flag set, enter tcp[tcpflags] & tcp-syn!=0
• To match UDP packets with the destination port under 1024, enter proto 17 and dst portrange 1-1023
• To match memcached packets, enter proto 17 and port 11211
ACL Syntax for IPv4/IPv6 – This syntax is used by Packet Sensor and Packet Filter when the Capture Engine parameter is set to DPDK. Click the star icon to see a few examples and the correct syntax
Included Decoders – Select the decoders that include the matched traffic, or choose IP if not sure
Conflicting Decoders – Required if you plan to use the decoder for IP graphing. Select the decoders that might match the same traffic, but not always. The option is used only for displaying stacked decoders inside IP graphs
Filter Engine – If you intend to use Wanguard Filter, select the most specific Filter Engine that could analyze the traffic. Otherwise, select Disabled
Netfilter Expression – Enter Netfilter/iptables argument(s) that match the same traffic also matched by the decoder to prevent irrelevant packets from passing the Netfilter firewall

Note

To generate IP Graphs, Tops and Accounting data for a custom decoder, enable it in Configuration » General Settings » Graphs & Storage. To use the decoder for thresholds, enable it in Configuration » General Settings » Anomaly Detection.