QRadar Flow Collectors and packet-based sources

IBM QRadar captures traffic from mirror ports or taps within your network by using an IBM QRadar Flow Collector.

The QRadar Flow Collector is enabled by default, and the mirror port or tap is connected to a monitoring interface on your QRadar appliance. Common mirror port locations include core, DMZ, server, and application switches.

QRadar Flow Collector, combined with QRadar and flow processors, provides Layer 7 application visibility and flow analysis of network traffic regardless of the port on which the application is operating. For example, if the Internet Relay Chat (IRC) protocol is communicating on port 7500 (TCP), QRadar Flow Collector identifies the traffic as IRC and provides a packet capture of the beginning of the conversation. This process differs from NetFlow and J-Flow, which indicate only that traffic is on port 7500 (TCP) without identifying the protocol.

QRadar Flow Collectors are not full packet capture engines, but you can adjust the amount of content that is captured per flow. The default capture size is 64 bytes, which already yields useful data for most flows. However, you might want to increase this setting to 256 bytes to capture more content per flow. Increasing the capture size increases network traffic between your QRadar Flow Collector and Flow Processor, and requires more disk storage.
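The following added example illustrates the two ideas above: port-only identification (what a NetFlow or J-Flow record gives you) versus identification from the first bytes of the conversation, and how the per-flow capture size bounds what payload-based identification can see. It is illustrative code written for this page, not QRadar's own classifier; the port table, the IRC and HTTP signatures, the `Flow` type and the two sample conversations are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed well-known-port table: the only information a port-only flow
# source (NetFlow/J-Flow style) has to go on.
PORT_TABLE = {6667: "IRC", 80: "HTTP", 443: "HTTPS"}

# Constructed list of IRC client registration commands that open a session.
IRC_CLIENT_COMMANDS = (b"NICK ", b"USER ", b"PASS ", b"CAP ")


@dataclass
class Flow:
    """A flow record plus the start of its conversation (constructed type)."""
    src_port: int
    dst_port: int
    conversation: bytes  # full conversation start; capture() truncates it


def capture(flow: Flow, capture_size: int) -> bytes:
    """Keep only the first capture_size bytes, as a per-flow capture setting would."""
    return flow.conversation[:capture_size]


def identify_by_port(flow: Flow) -> str:
    """Port-only identification: knows the port number, never the protocol behind it."""
    for port in (flow.dst_port, flow.src_port):
        if port in PORT_TABLE:
            return PORT_TABLE[port]
    return f"unknown (tcp/{flow.dst_port})"


def identify_by_payload(payload: bytes) -> str:
    """Payload-based identification: inspects the captured bytes and ignores the port."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")):
        return "HTTP"
    if payload.startswith(b"\x16\x03"):  # TLS record header (handshake record)
        return "TLS"
    for line in payload.split(b"\r\n"):
        if line.startswith(IRC_CLIENT_COMMANDS):
            return "IRC"
    return "unknown"


def classify(flow: Flow, capture_size: int) -> dict:
    """Return both views of the same flow for a given capture size."""
    return {
        "by_port": identify_by_port(flow),
        "by_payload": identify_by_payload(capture(flow, capture_size)),
    }


# Constructed sample: IRC client on the non-standard port 7500, client speaks first.
IRC_ON_7500 = Flow(
    src_port=51234,
    dst_port=7500,
    conversation=b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #ops\r\n",
)

# Constructed sample: same protocol, but the server sends a 61-byte notice
# first, so the client's first command begins beyond byte 64 of the flow.
IRC_SERVER_FIRST = Flow(
    src_port=51235,
    dst_port=7500,
    conversation=(
        b":irc.example.test NOTICE * :*** Looking up your hostname...\r\n"
        b"NICK bob\r\nUSER bob 0 * :Bob\r\n"
    ),
)

if __name__ == "__main__":
    for size in (64, 256):
        print(size, classify(IRC_ON_7500, size), classify(IRC_SERVER_FIRST, size))
```

Run stand-alone, the first sample is reported as `unknown (tcp/7500)` by port and `IRC` by payload at either capture size, which is the distinction the text draws between NetFlow and the Flow Collector. The second sample shows the capture-size trade-off: with 64 bytes the client's `NICK` line is cut off and payload identification fails, while 256 bytes is enough to identify it.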