Flow direction

The QFlow process analyzes each flow to determine the direction of the network communication.

In some cases, the flow traffic is bidirectional: the client communicates with the server and the server responds to the client. In this scenario, each side treats itself as the source and the other as the destination. To address this, QRadar® sets the flow direction so that the source and destination devices are reported consistently throughout the entire communication session. The flow data is normalized and all flows follow the same convention, where Destination always refers to the server and Source always refers to the client.

To determine the flow direction, QRadar checks whether the source and destination ports of the flow match the list of common destination ports that is defined in the QRadar configuration. The flow direction is reversed when the following criteria are matched:
  • If the destination port does not match the list of common destination ports, reverse the flow direction if either of the following conditions is true:
    • The source port is a common destination port.
    • The source port is less than 1024 and the destination port is greater than 1024.
  • If the destination port does match the list of common destination ports, reverse the flow direction only if both of the following conditions are true:
    • The source port is a common destination port.
    • The source port is less than 1024 and the destination port is greater than 1024.

If the flow does not match any of the flow direction criteria, QRadar uses the flow arrival time to determine the flow direction.
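The port-based rules above, implemented in Python as an added example (this is not IBM code). The list of common destination ports is a constructed assumption; the real list comes from the QRadar configuration. The arrival-time fallback is only reported as the algorithm that would apply, because this page does not describe how it works.

```python
from dataclasses import dataclass

# Constructed stand-in for the configured "common destination ports" list.
# 8080 is included to show the "both conditions" branch for a high common port.
COMMON_DESTINATION_PORTS = frozenset({22, 25, 53, 80, 443, 8080})


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def should_reverse(src_port, dst_port, common=COMMON_DESTINATION_PORTS):
    """Apply the two port-based rules; True means the flow is flipped."""
    src_common = src_port in common
    low_to_high = src_port < 1024 and dst_port > 1024
    if dst_port not in common:
        # Destination port is not common: either condition is enough.
        return src_common or low_to_high
    # Destination port is common: both conditions are required.
    return src_common and low_to_high


def port_rules_decide(src_port, dst_port, common=COMMON_DESTINATION_PORTS):
    """A flow where neither endpoint is a common port and the ports are not
    low-to-high falls through to the arrival-time tie-break."""
    return (src_port in common or dst_port in common
            or (src_port < 1024 and dst_port > 1024))


def normalize(flow, common=COMMON_DESTINATION_PORTS):
    """Return (normalized flow, algorithm name). Source is always the client."""
    if not port_rules_decide(flow.src_port, flow.dst_port, common):
        return flow, "arrival_time"
    if should_reverse(flow.src_port, flow.dst_port, common):
        flipped = Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
        return flipped, "common_port_reversed"
    return flow, "common_port_kept"


if __name__ == "__main__":
    # The page's example: source port 80, destination port 4444.
    record = Flow("10.0.0.5", 80, "192.0.2.7", 4444)
    print(normalize(record))
```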

Tip: If you do not want QRadar to determine the flow direction, set the Use Common Destination Port field to No when you configure the Flow Collector. For more information, see Configuring a flow collector.

Example: Flow direction reversed by QRadar

In this flow, the source port is 80, which is a common destination port. The destination port is higher than 1024, which, according to RFC 1700, excludes it as a common destination port. In this case, QRadar flipped the flow direction.
On the left side, the flow record shows the originating source port as 80 and the destination port as 4444. On the right side, the same flow record is shown with the source and destination information swapped. The direction of the flow was reversed because port 80 is a common destination port.

On the Flow Information window, you can see the flow direction algorithm that was used to set the direction. The Flow Information window shows the flow direction algorithm, and the port that was used for both the source and destination.