A flow is a set of traffic packets sharing the same tuple (IP src, IP dst, port src, port dst, protocol, VLAN, …). When a flow is observed from the beginning, the first packet is sent by the client towards the server. Unfortunately, sometimes the flow was already in place when monitoring tools (e.g. ntopng or nProbe) started, and thus there is a chance that the flow direction is wrong simply because the first observed packet was from server to client. In this case, the flow is reported as if the real server contacted the client instead of the other way round. This is called swapped flow, as its real direction is not the one observed from the wire.
In order to detect the real flow direction, ntop tools implement some heuristics that include:
- DNS, NTP, ICMP (echo): the first flow packet is a response.
- RDP: if the client port is 3389, the flow is swapped.
- TCP: the SYN packet arrived after other packets (e.g. SYN|ACK). This is likely a packet out-of-order.
- TCP: the client port is less than the server port. This is not necessarily true, but it is true for known services as HTTP, HTTPS, SSH, telnet.
The above techniques work better with packet-based interfaces as through nDPI it’s possible to go deep into the packet payload. With flow-based interfaces (e.g. when NetFlow/IPFIX flows are collected), only port-based heuristics can be used.
By default, ntopng implements flow swap heuristics. However, in some cases (e.g. during forensics traffic analysis), swapping cannot be a good idea as often hackers use non-standard ports (e.g., use HTTP requests using 80 as client port) to overcome security checks.
For this reason, we have introduced the ability to disable flow swapping heuristics in case this is incompatible with your traffic analysis policies. Just select Settings -> Preferences -> Cache Settings to set your cache settings policy.
Enjoy !