
URL: https://www.ibm.com/docs/en/qsip/7.4?topic=direction-flow-algorithms
Submission: On April 14 via api from US — Scanned from DE

IBM QRadar Security Intelligence Platform 7.4

FLOW DIRECTION ALGORITHMS

Last Updated: 2022-03-30

Flow direction algorithms detect which side of the communication is more likely
to be the destination device, and reverse the flow direction as required. The
algorithms provide information on how the traffic originally appeared on the
network, and which features of the traffic caused it to be reversed.

The following table displays the values that are used in the flow direction
algorithm.

| Numeric value | Algorithm | Description |
|---|---|---|
| 1 (Changed in 7.4.2) | Single common destination port (reversed) | Either the source port or the destination port was found in the list of common destination ports, and QRadar® reversed the flow direction. |
| 2 (Changed in 7.4.2) | Both common destination ports but one was RFC 1700 preferred (reversed) | Both the source port and the destination port are defined as common destination ports. According to RFC 1700 (https://www.ietf.org/rfc/rfc1700.txt), the source port is a preferred destination port, so QRadar reversed the flow direction. The RFC 1700 preferred ports are in the range of 0 to 1023, which are controlled and assigned by the Internet Assigned Numbers Authority (IANA). |
| 3 | Arrival time | The flow does not match the criteria for any other flow direction algorithm. QRadar used the flow arrival time to determine the flow direction. The QFlow process assumes that the request was received before the response, and the flow direction remains as it was received. |
| 4 | Flow exporter | The flow direction is set by an external flow exporter, such as a Packeteer device. |
| 5 (New in 7.4.2) | Single common destination port (unaltered) | Either the source port or the destination port was found in the list of common destination ports. QRadar did not alter the flow direction. |
| 6 (New in 7.4.2) | Both common destination ports but one was RFC 1700 preferred (unaltered) | Both the source port and the destination port are defined as common destination ports. According to RFC 1700 (https://www.ietf.org/rfc/rfc1700.txt), the destination port is a preferred destination port, so QRadar did not alter the flow direction. |
| 7 (New in 7.4.2) | QNI TCP Handshake Observed (reversed) | IBM® QRadar Network Insights observed a TCP handshake and determined that the flow direction should be reversed. |
| 8 (New in 7.4.2) | QNI TCP Handshake Observed (unaltered) | IBM QRadar Network Insights observed a TCP handshake and determined that the flow direction should remain as it was observed. |

© Copyright IBM Corporation 2012, 2021