Flow sources

IBM® QRadar® can receive flows from many different types of flow sources. The flow sources are classified as either internal or external.

New in 7.5.0 Update Package 7: Use the /api/config/flow_sources/flow_source_management/ API to view information about the flow sources in your environment, such as the configuration parameters that are set for each flow source and which QRadar Network Insights hosts target it. The API is read-only; you cannot use it to change flow source information.

Internal flow sources

Internal flow sources collect raw packets from either a network tap device or a span (mirror) port that is connected to a Napatech card or a standard network interface card. These sources provide the raw packet data as it appears on the network and send it to a monitoring port on a QRadar Flow Collector, which converts the packet data into flow records.

Internal flow sources can be multithreaded. QRadar does not keep the entire packet payload. Instead, it captures only the first packets of each communication. This snapshot is referred to as the payload or content capture.
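The following added example (not QRadar code) shows in miniature what the Flow Collector does with packets from a span or tap port: packets are aggregated into bidirectional flows keyed on the 5-tuple, counters are kept per direction, and only the first bytes of payload in each direction are retained as the content capture. The packets and the 64-byte capture limit are constructed for the demo; the page does not state the capture size QRadar uses.

```python
"""Added example (not QRadar code): aggregate raw packets into flows and
keep a bounded payload snapshot per direction, as an internal flow source
feeding a Flow Collector would. Packets and capture size are constructed
here; they are assumptions, not product defaults."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    payload: bytes


@dataclass
class Flow:
    proto: int
    src: str          # endpoint that sent the first packet seen
    sport: int
    dst: str
    dport: int
    packets: list = field(default_factory=lambda: [0, 0])   # [src->dst, dst->src]
    bytes_: list = field(default_factory=lambda: [0, 0])    # payload bytes per direction
    capture: list = field(default_factory=lambda: [b"", b""])  # content capture per direction


def flow_key(p: Packet):
    """Order the two endpoints so both directions map onto one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def aggregate_flows(packets, capture_bytes: int = 64):
    flows: dict = {}
    for p in packets:
        key = flow_key(p)
        f = flows.get(key)
        if f is None:
            f = Flow(p.proto, p.src, p.sport, p.dst, p.dport)
            flows[key] = f
        d = 0 if (p.src, p.sport) == (f.src, f.sport) else 1
        f.packets[d] += 1
        f.bytes_[d] += len(p.payload)
        room = capture_bytes - len(f.capture[d])   # only the start of the conversation is kept
        if room > 0:
            f.capture[d] += p.payload[:room]
    return list(flows.values())


def sample_packets():
    """Constructed HTTP exchange: handshake, request, response, data, ack."""
    c, s = ("10.0.0.5", 51000), ("198.51.100.20", 80)
    req = b"GET /login HTTP/1.1\r\nHost: app.example\r\nUser-Agent: curl/8.0\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    body = b"<html>" + b"A" * 1400 + b"</html>"
    return [
        Packet(*c, *s, 6, b""),      # SYN
        Packet(*s, *c, 6, b""),      # SYN/ACK
        Packet(*c, *s, 6, req),
        Packet(*s, *c, 6, resp),
        Packet(*s, *c, 6, body),
        Packet(*c, *s, 6, b""),      # ACK
    ]


if __name__ == "__main__":
    for f in aggregate_flows(sample_packets()):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} "
              f"pkts={f.packets} bytes={f.bytes_}")
        print("  src capture:", f.capture[0][:40])
        print("  dst capture:", f.capture[1][:40])
```

Note that the capture is bounded per direction, not per packet: a long response body contributes only whatever room remains after the response headers, which is why the content capture on a real flow usually shows the protocol banner and little else.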

Figure 1. Packet capture from an internal flow source
Image shows a textual view of network communication that was captured from an internal flow source.

External flow sources

QRadar also supports external flow sources, such as routers that export flow records using common network monitoring protocols, including NetFlow, IPFIX, sFlow, J-Flow, and Packeteer data.

These external flow sources can provide a different level of visibility than internal flow sources. For example, NetFlow records can provide both the router interface that the packets crossed and the autonomous system numbers (ASNs) of the originating and destination networks. When IPFIX is used, additional fields that are not parsed into normalized fields can be placed into the payload as name-value pairs, which can then be used as custom properties.
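To make the difference in visibility concrete, the following added example (not QRadar code) decodes a NetFlow v5 export datagram and pulls out the fields a packet capture on a span port cannot give you: the router's input and output interface indices and the source and destination AS numbers. The datagram is constructed inline with struct.pack so the script runs offline; in a collector you would read it from a UDP socket instead. The sample addresses, interface numbers and AS numbers are constructed values.

```python
"""Added example (not QRadar code): parse a NetFlow v5 datagram and expose
the router-side fields (ifIndex, AS numbers) that distinguish an external
flow source from raw packet capture. Sample data is constructed inline."""
import ipaddress
import struct

# NetFlow v5 layouts (RFC-free but long-standing Cisco format).
HEADER_FMT = "!HHIIIIBBH"             # version, count, sys_uptime, unix_secs, unix_nsecs,
                                      # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"  # 48-byte flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30                           # v5 exporters send at most 30 records per datagram


def parse_netflow_v5(datagram: bytes):
    """Return (header, records). Length and count are validated before any
    unpack so a truncated or hostile datagram raises instead of misparsing."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack_from(RECORD_FMT, datagram, off)
        records.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "next_hop": str(ipaddress.IPv4Address(nexthop)),
            "input_if": in_if, "output_if": out_if,   # router interfaces crossed
            "src_as": src_as, "dst_as": dst_as,       # ASNs, absent from raw packets
            "packets": pkts, "bytes": octets,
            "src_port": sport, "dst_port": dport,
            "proto": proto, "tcp_flags": tcp_flags, "tos": tos,
            "src_mask": src_mask, "dst_mask": dst_mask,
            "duration_ms": last - first,
        })
    header = {
        "version": version, "count": count, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    return header, records


def build_sample_datagram() -> bytes:
    """Constructed input: one HTTPS flow from 10.1.2.3 to 203.0.113.10 that
    entered the router on ifIndex 3, left on ifIndex 7, and was attributed
    to private ASNs 64512 -> 64513."""
    header = struct.pack(HEADER_FMT, 5, 1, 123456, 1700000000, 0, 42, 0, 1, 0)
    record = struct.pack(
        RECORD_FMT,
        int(ipaddress.IPv4Address("10.1.2.3")),
        int(ipaddress.IPv4Address("203.0.113.10")),
        int(ipaddress.IPv4Address("192.0.2.1")),
        3, 7, 12, 4800, 123000, 123900, 51234, 443,
        0, 0x18, 6, 0, 64512, 64513, 24, 24, 0,
    )
    return header + record


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(build_sample_datagram())
    print(hdr)
    for r in recs:
        print(f"{r['src']}:{r['src_port']} -> {r['dst']}:{r['dst_port']} "
              f"if {r['input_if']}->{r['output_if']} AS {r['src_as']}->{r['dst_as']}")
```

The flow_sequence field in the header is worth tracking in a real collector: gaps between consecutive datagrams from the same engine mean exports were dropped, which shows up in QRadar as missing flows rather than as an error.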

External flow sources require less CPU to process than raw packet sources, so you can send them directly to a QRadar Flow Processor. In this configuration, you can have both a dedicated Flow Collector and a Flow Processor receiving and creating flow data.

Figure 2. Packet capture from an external flow source
Image shows a textual view of network communication that was captured from an external flow source.