Flow Direction Swapping Explained

A flow is a set of traffic packets sharing the same tuple (IP src, IP dst, port src, port dst, protocol, VLAN, …). When a flow is observed from the beginning, the first packet is sent by the client towards the server. Unfortunately, sometimes the flow was already in place when monitoring tools (e.g. ntopng or nProbe) started, and thus there is a chance that the flow direction is wrong simply because the first observed packet was from server to client. In this case, the flow is reported as if the real server contacted the client instead of the other way round. This is called swapped flow, as its real direction is not the one observed from the wire.

In order to detect the real flow direction, ntop tools implement some heuristics that include:

  • DNS, NTP, ICMP (echo): the first flow packet is a response.
  • RDP: if the client port is 3389, the flow is swapped.
  • TCP: the SYN packet arrived after other packets (e.g. SYN|ACK). This is likely a packet out-of-order.
  • TCP: the client port is less than the server port. This is not necessarily true, but it is true for known services as HTTP, HTTPS, SSH, telnet.

The above techniques work better with packet-based interfaces as through nDPI it’s possible to go deep into the packet payload. With flow-based interfaces (e.g. when NetFlow/IPFIX flows are collected), only port-based heuristics can be used.

By default, ntopng implements flow swap heuristics. However, in some cases (e.g. during forensics traffic analysis), swapping cannot be a good idea as often hackers use non-standard ports (e.g., use HTTP requests using 80 as client port) to overcome security checks.

For this reason, we have introduced the ability to disable flow swapping heuristics in case this is incompatible with your traffic analysis policies. Just select Settings -> Preferences -> Cache Settings to set your cache settings policy.

Note that flow swapping is also enabled in nProbe (both in probe and flow collection mode) and it can ben disabled as follows:

--disable-flow-swapping   | By default nProbe swaps reverted flows
                          | (e.g. a flow server->client,
                          | or a flow with the first packet as a DNS response), and this
                          | behaviour can be disabled using this flag

This means that for completely disable swapping in an nProbe-ntopng pipeline, you need to disable it in both tools.

Enjoy !

Share

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe