Filters
- Last Updated: June 10, 2026
The configuration of monitoring ports can use multiple filter types. The standard probe appliance only supports flow export target filters, but additional modules such as Packet Investigator use their own filters. Each filter type has its own syntax and semantics. Flow export target filters are described below. For more information about the other filter types, refer to the relevant module documentation.
Flow export targets filter
Flow export targets filters control which exported flow records produced by a monitoring port are forwarded to individual configured targets.
Click New Filter to create a filter. After you enter the Name, Type, Filter, and optional Description, you can attach the filter to monitoring port targets. Usage shows how many targets use the filter, and the filter detail view lists the targets. Click the pencil icon to edit a filter or the trash bin icon to delete it. You can only delete a filter if there are no targets using it. Click Reload to refresh usage information for all filters.
Syntax
A Flow export targets filter is an ordered set of rules similar to simple firewall rules. Each rule either matches (accepts) or rejects flow records based on L2–L4 attributes (IP addresses, ports, protocols, and VLAN). The evaluation result determines whether a matching flow record is exported to the target or not.
You can define two filter types: fast filter and standard filter. The fast filter is intended for very long lists of subnets, IP addresses, or intervals (for example, traffic going abroad). It processes thousands of rules efficiently. The standard filter allows more complex, granular rules but in smaller numbers. The two filter types can be combined.
You can use comments in filters. A comment starts with the hash (#) character and runs to the end of the line. You can use the not keyword to invert the whole rule (not individual parts).
The monitoring port filter is evaluated in the same way as a firewall rule list. Rules of the fast and standard filters are processed in descending order, and they cannot overlap. The fast filter block must come first, followed by the standard filter block (both blocks are optional). If a packet passes the fast filter, it goes on to the standard filter.
The first matching rule stops the evaluation. A rule beginning with the not keyword is evaluated like the firewall rule REJECT; rules without not are evaluated like the rule ACCEPT. If no rule matches a packet, it is not processed: in firewall terms, a default rule (REJECT ALL) is applied at the end of the list. You can change this behavior by adding the keyword any at the end of the standard filter (this cannot be used for the fast filter). If this keyword is present, all packets that do not match any rule are processed: in firewall terms, a default rule (ACCEPT ALL) is applied at the end of the list.
The result of the whole filter is the logical AND of the fast filter and standard filter results. If the filter is empty or no filter is assigned to the monitoring port, no filtering is done and the monitoring port processes all packets.
If you want to apply negative logic to a fast filter, you can apply it globally on the whole filter by declaring "global fast not".
Filter syntax
| Filter type | Syntax |
|---|---|
| Fast | `fast [src\|dst] addr <ip>/<mask> \| <ip_start>-<ip_end> \| <ip>` |
| Standard | `[not] [ipproto ipv4\|ipv6] [[src\|dst] addr <ip>/<mask>\|<ip_start>-<ip_end>\|<ip>] [proto tcp\|udp\|icmp\|<number>] [[src\|dst] port <num>\|<start>-<end>] [vlan <number>\|<start-end>]` |
Standard filter rule elements
| Rule | Syntax |
|---|---|
| IP address filter | `[src\|dst] addr <ip>/<mask> \| <start>-<end> \| <ip>` |
| Port filter | `[src\|dst] port <num> \| <start>-<end>` |
| VLAN filter | `vlan <number> \| <start-end>` |
| L4 protocol filter | `proto tcp\|udp\|icmp\|<number>` |
| L3 protocol filter | `ipproto ipv4 \| ipv6` |
Standard filter examples
```
# Various examples
src addr 192.168.1.1-192.168.1.255 proto tcp dst port 80
addr 192.168.2.0/24 proto udp port 1-1024
dst addr 192.168.3.1
not port 80
not dst addr 192.168.3.1 dst port 80 proto icmp
src addr 2001:718::/32 dst port 42
addr 0.0.0.0/0 ipproto ipv4
addr 147.251.0.0/16
dst addr 192.168.0.0-192.168.3.42
not ipproto ipv4
src addr 192.168.3.100-192.168.3.110 proto tcp vlan 64

# Blocks packets from 192.168.3.0/24 net to 192.168.6.0/24 net
not src addr 192.168.3.0/24 dst addr 192.168.6.0/24

# Process packets from IP 1.2.3.4 except port 80
not addr 1.2.3.4 port 80
addr 1.2.3.4

# Exclude internal communication (for subnet 172.16.0.0/12) and allow communication with the internet for a specific subnet (172.16.1.0/24)
not src addr 172.16.0.0/12 dst addr 172.16.0.0/12
addr 172.16.1.0/24
```
Fast filter examples
```
# Allow all from networks below
fast addr 192.168.3.0/24
fast addr 192.168.255.0/24
fast addr 192.168.253.0/24
fast addr 192.168.251.0/24
fast addr 192.168.249.0/24
fast addr 192.168.247.0/24
fast addr 192.168.245.0/24
fast addr 192.168.243.0/24
fast addr 192.168.241.0/24
fast addr 192.168.239.0/24
fast addr 192.168.237.0/24
fast addr 192.168.235.0/24
fast addr 192.168.233.0/24
# And process all packets except HTTP
not proto tcp port 80
any
```
Negative filter example
```
# Allow all traffic except networks below
global fast not
fast addr 192.168.3.0/24
fast addr 192.168.4.0/24
```
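The evaluation order described under Syntax (fast block first, first matching standard rule wins, not rejects, any changes the default, both results are ANDed), written as a small Python model for checking a filter against sample flow records before attaching it to a target. This is an added example, not Flowmon code. Assumptions: every element of a rule must match, an element without src/dst matches either side, an absent block counts as passed, ipproto is left out, and a flow record is a dict with the hypothetical keys `src`, `dst`, `proto` (number), `src_port`, `dst_port`, `vlan`.

```python
import ipaddress

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
# Constructed sample: one network from the page's fast filter example, then no HTTP.
SAMPLE = "fast addr 192.168.3.0/24\nnot proto tcp port 80\nany"

def addr_match(spec, ip):  # spec: <ip>/<mask>, <start>-<end> or a single <ip>
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = map(ipaddress.ip_address, spec.split("-"))
        return lo.version == ip.version and lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def num_match(spec, value):  # spec: <num> or <start>-<end>
    lo, _, hi = spec.partition("-")
    return int(lo) <= value <= int(hi or lo)

CHECKS = {  # element keyword -> predicate(value, flow, sides)
    "addr": lambda v, f, sides: any(addr_match(v, f[s]) for s in sides),
    "port": lambda v, f, sides: any(num_match(v, f[s + "_port"]) for s in sides),
    "proto": lambda v, f, sides: f["proto"] == (PROTO.get(v) or int(v)),
    "vlan": lambda v, f, sides: num_match(v, f["vlan"]),
}

def rule_match(tokens, flow):
    """Assumption: every element must match; no src/dst means either side."""
    it, sides = iter(tokens), ("src", "dst")
    for key in it:
        if key in ("src", "dst"):
            sides, key = (key,), next(it)
        if not CHECKS[key](next(it), flow, sides):  # KeyError: unsupported element
            return False
        sides = ("src", "dst")
    return True

def evaluate(text, flow):
    """True if the flow record is exported to the target under this filter."""
    rules = [r for r in (ln.split("#")[0].split() for ln in text.splitlines()) if r]
    fast = [r[1:] for r in rules if r[0] == "fast"]
    std = [r for r in rules if r[0] not in ("fast", "global", "any")]
    invert = ["global", "fast", "not"] in rules
    fast_ok = not fast or any(rule_match(r, flow) for r in fast) != invert
    std_ok = ["any"] in rules or not std  # default when no standard rule matches
    for r in std:
        neg = r[0] == "not"
        if rule_match(r[1:] if neg else r, flow):
            std_ok = not neg  # first match stops evaluation
            break
    return fast_ok and std_ok  # logical AND of both blocks
```

Running a handful of representative flow records through `evaluate` shows quickly whether a forgotten `any`, or a `not` rule placed after a broader accept, changes what reaches the target.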
IDS Probe filters
IDS Probe filters allow you to specify which traffic is processed by the IDS Probe module. You can filter traffic based on IP addresses, networks, and VLANs. Each rule must be on a separate line. If multiple rules are provided, they are combined with a logical OR (at least one rule must be satisfied for the packet to be passed for processing).
Syntax
You can use the following keywords in IDS Probe filters:
- ip <ip>: Matches a specific IP address.
- net <ip>/<mask>: Matches an IP network in CIDR notation.
- vlan <number>: Matches a specific VLAN.
- vlan <start-end>: Matches a range of VLANs.
You can combine multiple filter lines to define more complex filtering rules.
The ip keyword specifies the source or destination IP address that should be present in the packet header. For example, if you have ip 1.1.1.1, only flows with 1.1.1.1 as a source or destination IP address are processed. It supports both IPv4 and IPv6 addresses.
The net keyword allows you to specify an entire address range. The value of this filter should be a valid IPv4 or IPv6 address range in CIDR notation. As in the previous case, the range is checked against the source or destination IP address.
You can use the vlan keyword to specify the source or destination VLAN ID (or range of IDs) that should be present in the packet header. The value of this filter should be a positive number in the range 0-4095. If the range notation is used, the start must be lower than the end. The VLAN filter is applied to the outer VLAN tag when there are multiple VLAN tags.
Examples
```
# Match a single IP address
ip 192.168.1.10

# Match a network
net 10.0.0.0/8

# Match a specific VLAN
vlan 100

# Match a range of VLANs
vlan 200-210

# Combine filters to match multiple criteria
ip 192.168.1.10
net 172.16.0.0/12
vlan 300-305
```
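A pre-deployment check for IDS Probe filter text that enforces the value rules stated above (VLAN 0-4095, range start lower than end, valid address or CIDR) and applies the OR combination of rules. This is an added example, not Flowmon code; the function names are hypothetical, and the handling of # comments is an assumption based on the examples on this page.

```python
import ipaddress

# Constructed sample, based on the combined example on the page.
SAMPLE_IDS = "ip 192.168.1.10\nnet 172.16.0.0/12\nvlan 300-305"

def parse_ids_filter(text):
    """Parse filter lines into (keyword, value) rules.
    Raises ValueError naming the line that breaks a rule stated on the page."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        tokens = line.split("#")[0].split()
        if not tokens:
            continue
        try:
            key, val = tokens  # exactly one keyword and one value per line
            if key == "ip":
                rules.append((key, ipaddress.ip_address(val)))
            elif key == "net":
                rules.append((key, ipaddress.ip_network(val, strict=False)))
            elif key == "vlan":
                lo, dash, hi = val.partition("-")
                lo, hi = int(lo), int(hi) if dash else int(lo)
                if not 0 <= lo <= hi <= 4095 or (dash and lo >= hi):
                    raise ValueError("VLAN outside 0-4095 or start not below end")
                rules.append((key, range(lo, hi + 1)))
            else:
                raise ValueError("unknown keyword")
        except ValueError as exc:
            raise ValueError(f"line {n}: {line.strip()!r}: {exc}") from None
    return rules

def ids_match(rules, src, dst, vlan=None):
    """Rules are ORed: one satisfied rule passes the packet for processing.
    vlan is the outer VLAN tag, or None for untagged traffic."""
    addrs = [ipaddress.ip_address(a) for a in (src, dst)]
    for key, val in rules:
        if key == "ip" and val in addrs:
            return True
        if key == "net" and any(a in val for a in addrs):
            return True
        if key == "vlan" and vlan in val:
            return True
    return False
```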