Flow direction algorithms
Flow direction algorithms are used to detect which side of the communication is more likely to be the destination device, and reverses the flow direction as required. The algorithms provide information on how the traffic originally appeared on the network, and which features of the traffic caused it to be reversed.
| Numeric value | Algorithm | Description |
|---|---|---|
| 1 | Changed in
7.4.2 Single common destination port (reversed) |
Either the source port or the destination post was found in the list of common destination ports, and QRadar reversed the flow direction. |
| 2 | Changed in
7.4.2 Both common destination ports but one was RFC 1700 preferred (reversed) |
Both the source port and the destination port are defined as common destination ports.
According to RFC1700 (https://www.ietf.org/rfc/rfc1700.txt), the source port is a preferred destination
port, so QRadar reversed the
flow direction. The RFC1700 preferred ports are in the range of 0 to 1023, which are controlled and assigned by the Internet Assigned Number Authority (IANA). |
| 3 | Arrival time | The flow does not match the criteria for any other flow direction algorithm. QRadar used the flow arrival time
to determine the flow direction. The QFlow process assumes that the request was received before the response, and the flow direction remains as it was received. |
| 4 | Flow exporter | The flow direction is set by an external flow exporter, such as a Packeteer device. |
| 5 | New in
7.4.2
Single common destination port (unaltered) |
Either the source port or the destination post was found in the list of common destination ports. QRadar did not alter the flow direction. |
| 6 | New in
7.4.2
Both common destination ports but one was RFC 1700 preferred (unaltered) |
Both the source port and the destination port are defined as common destination ports. According to RFC1700 (https://www.ietf.org/rfc/rfc1700.txt), the destination port is a preferred destination port, so QRadar did not alter the flow direction. |
| 7 | New in
7.4.2 QNI TCP Handshake Observed (reversed) |
IBM QRadar Network Insights observed a TCP handshake and determined that the flow direction should be reversed. |
| 8 | New in
7.4.2
QNI TCP Handshake Observed (unaltered) |
IBM QRadar Network Insights observed a TCP handshake and determined that the flow direction should remain as it was observed. |