www.ibm.com
2a02:26f0:3500:583::1e89
Public Scan
URL: https://www.ibm.com/docs/en/qsip/7.4?topic=direction-flow-algorithms
Submission: On April 14 via api from US — Scanned from DE
Form analysis
1 forms found in the DOM
GET https://www.ibm.com/search?lnk=mhsrch
<form id="bx--masthead__search--form" action="https://www.ibm.com/search?lnk=mhsrch" method="get"><input type="hidden" name="lang" value="en"><input type="hidden" name="cc" value="us"><input type="hidden" name="lnk" value="mhsrch">
<div class="react-autosuggest__container"><input type="text" autocomplete="off" aria-autocomplete="list" aria-controls="react-autowhatever-1" class="bx--header__search--input" placeholder="Search in IBM QRadar Security Intelligence Platform 7.4"
aria-label="Search in IBM QRadar Security Intelligence Platform 7.4" role="combobox" aria-expanded="false" data-autoid="dds--header__search--input" name="q" value="">
<div id="react-autowhatever-1" role="listbox" class="react-autosuggest__suggestions-container" aria-labelledby="react-autowhatever-1"></div>
</div>
</form>
Text Content
IBM QRadar Security Intelligence Platform 7.4

FLOW DIRECTION ALGORITHMS

Last Updated: 2022-03-30

Flow direction algorithms are used to detect which side of the communication is more likely to be the destination device, and to reverse the flow direction as required. The algorithms provide information on how the traffic originally appeared on the network, and which features of the traffic caused it to be reversed.

The following table displays the values that are used in the flow direction algorithm.

| Numeric value | Algorithm | Description |
|---|---|---|
| 1 (Changed in 7.4.2) | Single common destination port (reversed) | Either the source port or the destination port was found in the list of common destination ports, and QRadar® reversed the flow direction. |
| 2 (Changed in 7.4.2) | Both common destination ports but one was RFC 1700 preferred (reversed) | Both the source port and the destination port are defined as common destination ports. According to RFC 1700 (https://www.ietf.org/rfc/rfc1700.txt), the source port is a preferred destination port, so QRadar reversed the flow direction. The RFC 1700 preferred ports are in the range of 0 to 1023, which are controlled and assigned by the Internet Assigned Numbers Authority (IANA). |
| 3 | Arrival time | The flow does not match the criteria for any other flow direction algorithm. QRadar used the flow arrival time to determine the flow direction. The QFlow process assumes that the request was received before the response, and the flow direction remains as it was received. |
| 4 | Flow exporter | The flow direction is set by an external flow exporter, such as a Packeteer device. |
| 5 (New in 7.4.2) | Single common destination port (unaltered) | Either the source port or the destination port was found in the list of common destination ports. QRadar did not alter the flow direction. |
| 6 (New in 7.4.2) | Both common destination ports but one was RFC 1700 preferred (unaltered) | Both the source port and the destination port are defined as common destination ports. According to RFC 1700 (https://www.ietf.org/rfc/rfc1700.txt), the destination port is a preferred destination port, so QRadar did not alter the flow direction. |
| 7 (New in 7.4.2) | QNI TCP Handshake Observed (reversed) | IBM® QRadar Network Insights observed a TCP handshake and determined that the flow direction should be reversed. |
| 8 (New in 7.4.2) | QNI TCP Handshake Observed (unaltered) | IBM QRadar Network Insights observed a TCP handshake and determined that the flow direction should remain as it was observed. |

Parent topic: Flow direction
© Copyright IBM Corporation 2012, 2021