Flow data collection

Flows provide information about network traffic and can be sent to IBM® QRadar® in various formats, including Flowlog files, NetFlow, J-Flow, sFlow, and Packeteer.

Because QRadar accepts these flow formats simultaneously, it can detect threats and activity that event data alone would miss: a flow records which hosts communicated, over which protocol and ports, and how much data moved, even when no device logged the connection.

QRadar QFlow Collectors identify applications from the content of the traffic rather than from the port number, so an application is detected regardless of the port on which it is operating. For example, if Internet Relay Chat (IRC) traffic is using port 7500 (TCP), a QRadar QFlow Collector identifies the traffic as IRC and captures the beginning of the conversation as a packet capture. NetFlow and J-Flow report only that port 7500 (TCP) carried traffic; they contain no payload, so they provide no context for which protocol was actually in use.
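The contrast above, as an added example that is not IBM code: a NetFlow v5 record for the IRC-on-7500 flow, built and decoded to show that the datagram carries a 5-tuple and counters but no payload, beside a simplified content-based classifier run on the first bytes of the mirrored conversation. The flow record, the captured payload and the protocol signatures are all constructed here; QFlow's own classifier is not public and this one is only a stand-in for the idea.

```python
"""Constructed example: the port-only view that NetFlow v5 gives versus
content-based application detection on the first bytes of a mirrored
TCP conversation. Not IBM code; signatures are simplified stand-ins."""
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire layout: a 24-byte header followed by 48-byte records.
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")
NETFLOW_V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int      # IP protocol number, 6 = TCP
    sport: int
    dport: int
    packets: int
    octets: int


def build_netflow_v5(records):
    """Serialise FlowRecords into one NetFlow v5 datagram (as an exporter would)."""
    header = NETFLOW_V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        NETFLOW_V5_RECORD.pack(
            socket.inet_aton(r.src), socket.inet_aton(r.dst), b"\0" * 4,  # src, dst, nexthop
            0, 0,                       # input / output ifindex
            r.packets, r.octets, 0, 0,  # counters, first / last sysuptime
            r.sport, r.dport,
            0, 0x18, r.proto, 0,        # pad, tcp_flags (PSH|ACK), protocol, tos
            0, 0, 0, 0, 0)              # src_as, dst_as, src_mask, dst_mask, pad
        for r in records)
    return header + body


def parse_netflow_v5(datagram):
    """Decode a NetFlow v5 datagram. Note what is *not* here: no payload, so the
    application behind a port can only be guessed from the port number."""
    if len(datagram) < NETFLOW_V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count = NETFLOW_V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != NETFLOW_V5_HEADER.size + count * NETFLOW_V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = NETFLOW_V5_RECORD.unpack_from(
            datagram, NETFLOW_V5_HEADER.size + i * NETFLOW_V5_RECORD.size)
        flows.append(FlowRecord(socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                                proto=f[13], sport=f[9], dport=f[10],
                                packets=f[5], octets=f[6]))
    return flows


def classify_payload(payload: bytes) -> str:
    """Port-independent application identification from the start of a TCP
    conversation. Constructed signatures, not QFlow's own detection logic."""
    head = payload[:256]
    # IRC client registration opens with NICK/USER (or PASS/CAP); many servers
    # answer with "NOTICE AUTH" before registration completes.
    if head.startswith((b"NICK ", b"USER ", b"PASS ", b"CAP ")) or b"NOTICE AUTH" in head:
        return "IRC"
    if head.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")) and b" HTTP/1." in head:
        return "HTTP"
    if head.startswith(b"SSH-2.0-"):
        return "SSH"
    # TLS record header: content type 0x16 (handshake), major version 3.
    if head[:2] == b"\x16\x03":
        return "TLS"
    return "unknown"


def compare_views(record: FlowRecord, payload: bytes):
    """What NetFlow alone tells you versus what the mirrored payload tells you."""
    netflow_view = f"{record.src}:{record.sport} -> {record.dst}:{record.dport} proto {record.proto}"
    return netflow_view, classify_payload(payload)


if __name__ == "__main__":
    # Constructed: an internal host talking IRC to an external server on TCP 7500.
    irc_on_7500 = FlowRecord("10.0.0.5", "203.0.113.7", 6, 51515, 7500, 12, 900)
    datagram = build_netflow_v5([irc_on_7500])
    captured = b"NICK bot4711\r\nUSER bot 0 * :bot\r\nJOIN #c2\r\n"
    for flow in parse_netflow_v5(datagram):
        print(compare_views(flow, captured))
```

The NetFlow side of `compare_views` can only say "TCP 7500"; the payload side says "IRC". That is the whole reason a mirror port or tap feeding a QFlow Collector adds something NetFlow from the same link cannot provide.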

Common mirror port locations include core, DMZ, server, and application switches, with NetFlow providing supplemental information from border routers and switches.

QRadar QFlow Collectors are enabled by default and require a mirror port (SPAN port) or a network tap to be connected to an available interface on the QRadar appliance. Flow analysis begins automatically when the mirror port is connected to one of the network interfaces on the QRadar appliance. By default, QRadar listens on the management interface for NetFlow traffic on port 2055 (UDP). You can assign extra NetFlow ports, if required. NetFlow is sent over UDP without authentication, so restrict which exporters can reach the collector port.

For more information, see Network activity monitoring.