Types of flow sources

IBM QRadar Flow Collector can process flows from multiple sources, which are categorized as either internal or external sources.

Internal flow sources

Sources that provide packet data through a connection to a SPAN port or a network TAP are considered internal sources. These sources deliver raw packet data to a monitoring port on the Flow Collector, which converts the packet details into flow records.

QRadar does not keep the entire packet payload. Instead, it captures a snapshot of the flow, referred to as the payload or content capture, which includes packets from the beginning of the communication.

Flow collection from internal sources normally requires a dedicated Flow Collector.

External flow sources

QRadar supports the following external flow sources:

External sources require less CPU to process, so you can send their flows directly to a Flow Processor. In this configuration, you can have both a dedicated Flow Collector and a Flow Processor receiving and creating flow data.

If your Flow Collector collects flows from multiple sources, you can assign each flow source a distinct name. A distinct name helps you tell the data from one external flow source apart from the data of other sources.

QRadar SIEM can forward external flow source data by using the spoofing or non-spoofing method:

Spoofing
Resends the inbound data that is received from a flow source to a secondary destination.

To configure the spoofing method, configure the flow source so that the Monitoring Interface is set to the management port on which the data is received.

When you use a specific interface, the Flow Collector collects the flow data with a promiscuous mode capture on that interface, rather than by listening on the default UDP port, 2055. This way, the Flow Collector can capture and forward the data.

Non-Spoofing
For the non-spoofing method, configure the Monitoring Interface parameter in the flow source configuration as Any.

The Flow Collector opens the listening port, which is the port that is configured as the Monitoring Port, to accept the flow data. The data is processed and then forwarded to the secondary destination.

When the data is forwarded, the source IP address of the flow is the IP address of the QRadar SIEM system, not that of the router that originally exported the data.