9. General Settings » Custom Decoders

Decoders are internal functions (traffic dissectors) that identify and categorize the protocols in each packet or flow. Dozens of built-in decoders come pre-installed. If you don’t require custom decoders, you can safely skip this section.

To manage user-defined decoders, go to Configuration » General Settings » Custom Decoders. Each custom decoder is defined by the following parameters:

Decoder Name – A short name to help you identify the decoder. This field is mandatory
Decoder Color – The color used in graphs for the decoder. The default is a random one, which can be changed by clicking the drop-down menu
Decoder Description – An optional short description of the decoder
Flow Syntax – This syntax is used by Flow Sensor and Flow Filter. Click the star icon to see the correct syntax. Examples:
• To match TCP flows having only the SYN flag set, enter flags S and not flags AFRPU
• To match flows with the MPLS label0 set to 2, enter mpls label0=2
• To match memcached packets, enter proto 17 and port 11211
Flowspec Syntax – Enter a Flowspec expression if you intend to use BGP Flowspec for traffic redirection or DDoS mitigation. Click the star icon to open a window that shows you the correct syntax. Example:
• To match memcached packets, enter port 11211; protocol 17;
BPF Syntax – This syntax is used by Packet Sensor and Packet Filter when the Capture Engine parameter is not set to DPDK. Click the star icon to see details about the correct syntax. Examples:
• To match TCP packets with the SYN flag set, enter tcp[tcpflags] & tcp-syn!=0
• To match UDP packets with the destination port under 1024, enter proto 17 and dst portrange 1-1023
• To match memcached packets, enter proto 17 and port 11211
ACL Syntax for IPv4/IPv6 – This syntax is used by Packet Sensor and Packet Filter when the Capture Engine parameter is set to DPDK. Click the star icon to see a few examples and the correct syntax
Included Decoders – Select the decoders that include the matched traffic, or choose IP if not sure. This parameter is used when stacking decoders in IP graphs, and by the Ignore Duplicates feature from Anomaly Detection
Conflicting Decoders – Select the decoders that might match the same traffic, but not always. The option is used only for displaying stacked decoders inside IP graphs
Filter Engine – If you intend to use Wanguard Filter, select the most specific Filter Engine that could analyze the traffic. Otherwise, select Disabled
Netfilter Expression – Enter the Netfilter/iptables argument(s) that match the same traffic the decoder matches, so that packets irrelevant to the decoder are not passed through the Netfilter firewall

Note

To generate IP Graphs, Tops and Accounting data for a custom decoder, enable it in Configuration » General Settings » Graphs & Storage. To use the decoder for thresholds, enable it in Configuration » General Settings » Anomaly Detection.

9.1. Built-in Decoders

IP – Matches all IP packets, regardless of higher-layer protocols. Always enabled
TCP – Matches TCP traffic
TCP+SYN – Matches TCP traffic with the SYN flag set and ACK unset. Flow Sensor counts one packet per flow
UDP – Matches UDP traffic
ICMP – Matches ICMP traffic
OTHER – Matches IP protocols other than TCP, UDP, and ICMP
INVALID – Matches TCP or UDP port 0, or IP protocol 0
FLOWS – Matches flow records and replaces packets/s with flows/s. Works only with Flow Sensor
FLOW+SYN – Matches flow records with the SYN flag set. Flow Sensor counts all packets per flow
FRAGMENT – Matches fragmented IP packets. Works only with Packet Sensor
TCP-NULL – Matches TCP traffic without TCP flags (indicative of reconnaissance sweeps)
TCP+RST – Matches TCP traffic with the RST flag set
TCP+ACK – Matches TCP traffic with the SYN flag unset and ACK set
TCP+SYNACK – Matches TCP traffic with both the SYN and ACK flags set
NETBIOS – Matches TCP traffic on source or destination port 139
QUIC – Matches Google’s QUIC protocol on UDP ports 80 and 443
UDP-QUIC – Matches UDP traffic that is not part of the QUIC protocol
MEMCACHED – Matches UDP traffic on port 11211
HTTP – Matches TCP traffic on source or destination port 80
HTTPS – Matches TCP traffic on source or destination port 443
MAIL – Matches TCP traffic on source or destination ports 25, 110, 143, 465, 585, 587, 993, 995
DNS – Matches UDP traffic on source or destination port 53
SIP – Matches TCP or UDP traffic on source or destination port 5060
IPSEC – Matches IP traffic on IP protocols 50 or 51
WWW – Matches TCP traffic on source or destination ports 80 or 443
SSH – Matches TCP traffic on source or destination port 22
NTP – Matches UDP traffic on source or destination port 123
SNMP – Matches UDP traffic on source or destination ports 161 or 163
RDP – Matches TCP or UDP traffic on source or destination port 3389
YOUTUBE – Matches IP traffic to or from YouTube AS 43515, 36561, or YouTube subnets
NETFLIX – Matches IP traffic to or from Netflix AS 55095, 40027, 2906, or Netflix subnets
HULU – Matches IP traffic to or from Hulu AS 23286 or Hulu subnets
FACEBOOK – Matches IP traffic to or from Facebook AS 54115, 32934, or Facebook subnets
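As an added example (not code from the Wanguard documentation or product), the following Python script re-implements a handful of the built-in decoders listed above, plus the memcached decoder used in the custom decoder examples, as predicates over constructed packet records. Running it shows which decoders match the same packet at once, which is exactly the overlap that the Included Decoders and Conflicting Decoders parameters ask you to declare. The Packet record, the flag constants and the sample packets are constructed for this illustration.

```python
# Added example, not part of Wanguard: a minimal re-implementation of some
# built-in decoders as predicates, applied to constructed packet records.
from dataclasses import dataclass

# TCP flag bits, in the bit order that BPF's tcp[tcpflags] uses
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass(frozen=True)
class Packet:
    proto: int          # IP protocol number (6 = TCP, 17 = UDP, 1 = ICMP)
    sport: int = 0      # source port (0 when the protocol has no ports)
    dport: int = 0      # destination port
    flags: int = 0      # TCP flags bitmask (only meaningful when proto == 6)

def _port(p, *ports):
    """True when either the source or the destination port is in `ports`."""
    return p.sport in ports or p.dport in ports

# Decoder name -> predicate, mirroring the descriptions on this page.
DECODERS = {
    "IP":         lambda p: True,
    "TCP":        lambda p: p.proto == 6,
    "UDP":        lambda p: p.proto == 17,
    "ICMP":       lambda p: p.proto == 1,
    "OTHER":      lambda p: p.proto not in (1, 6, 17),
    "INVALID":    lambda p: p.proto == 0 or (p.proto in (6, 17) and 0 in (p.sport, p.dport)),
    "TCP+SYN":    lambda p: p.proto == 6 and bool(p.flags & SYN) and not p.flags & ACK,
    "TCP+SYNACK": lambda p: p.proto == 6 and p.flags & (SYN | ACK) == (SYN | ACK),
    "TCP+ACK":    lambda p: p.proto == 6 and bool(p.flags & ACK) and not p.flags & SYN,
    "TCP+RST":    lambda p: p.proto == 6 and bool(p.flags & RST),
    "TCP-NULL":   lambda p: p.proto == 6 and p.flags == 0,
    "MEMCACHED":  lambda p: p.proto == 17 and _port(p, 11211),
    "HTTP":       lambda p: p.proto == 6 and _port(p, 80),
    "HTTPS":      lambda p: p.proto == 6 and _port(p, 443),
    "WWW":        lambda p: p.proto == 6 and _port(p, 80, 443),
    "DNS":        lambda p: p.proto == 17 and _port(p, 53),
}

def classify(p):
    """Return the sorted names of every decoder that matches the packet."""
    return sorted(name for name, match in DECODERS.items() if match(p))

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        Packet(proto=6, sport=40000, dport=443, flags=SYN),   # TCP SYN to HTTPS
        Packet(proto=6, sport=40001, dport=22, flags=0),      # TCP with no flags
        Packet(proto=17, sport=11211, dport=53000),           # memcached reply
        Packet(proto=17, sport=0, dport=11211),               # port 0 -> INVALID
    ]
    for pkt in samples:
        print(pkt, "->", classify(pkt))
```

Stacking HTTPS inside WWW inside TCP inside IP reads off directly from the output, while TCP+SYN and TCP+SYNACK never co-occur, so they would not be listed as conflicting with each other.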