8. General Settings » Custom Decoders

Decoders represent internal functions (traffic dissectors) that differentiate and classify the underlying protocols of each packet or flow. The predefined decoders are listed in the Graphs & Storage chapter. If you do not need to define custom decoders, you can safely skip this section.

CUSTOM_DECODERS8.01_png

To manage user-defined decoders, go to Configuration » General Settings » Custom Decoders. Each custom decoder is defined by:

Decoder Name – A short name to help you identify the decoder. This field is mandatory
Decoder Color – The color used in graphs for the decoder. The default color is a random one. It can be changed by clicking the drop-down menu
Decoder Description – An optional short description of the decoder
BFP Syntax – This syntax is used by Packet Sensor and Packet Filter when the Capture Engine parameter is not set to DPDK. Click the star icon to see details about the correct syntax. Examples:
• To match TCP packets with the SYN flag set, enter tcp[tcpflags] & tcp-syn!=0
• To match UDP packets with the destination port under 1024, enter proto 17 and dst portrange 1-1023
• To match memcached packets, enter proto 17 and port 11211
ACL IPv4/IPv6 Syntax – This syntax is used by Packet Sensor and Packet Filter when the Capture Engine parameter is set to DPDK. Click the star icon to see a few examples and the correct syntax
Flow Syntax – This syntax is used by Flow Sensor and Flow Filter. Click the star icon to see the correct syntax. Examples:
• To match TCP flows having only the SYN flag set, enter flags S and not flags AFRPU
• To match flows with the MPLS label0 set to 2, enter mpls label0=2
• To match memcached packets, enter proto 17 and port 11211
Flowspec Syntax – Enter a Flowspec expression if you intend to use BGP Flowspec for traffic redirection or DDoS mitigation. Click the star icon to open a window that shows you the correct syntax. Example:
• To match memcached packets, enter port 11211; protocol 17;
Included Decoders – Select the decoders that include the matched traffic, or choose IP if not sure. This parameter is used when stacking decoders in IP graphs
Conflicting Decoders – Select the decoders that might match the same traffic, but not always. The option is used only for displaying stacked decoders inside IP graphs

Note

To generate IP Graphs, Tops and Accounting data for a custom decoder, enable it in Configuration » General Settings » Graphs & Storage.