Flow Direction

The Flow Processor process analyzes each flow to determine the direction of the network communication.

In some cases, the flow traffic is bidirectional, where the client communicates with the server and the server responds to the client. In this scenario, both the client and the server operate as though they are the source and the other is the destination. To address this, JSA sets the flow direction to ensure that the source and destination devices are reported consistently throughout the entire communication session. The flow data is normalized and all flows follow the same convention, where Destination always refers to the server, and Source always refers to the client.

To determine the flow direction, JSA analyzes the flow to determine whether the source and destination ports match the list of common destination ports that are defined in the JSA configuration. The flow direction is reversed when the following criteria are met:

  • If the destination port does not match the list of common destination ports, reverse the flow direction if either of the following conditions is true:

    • The source port is a common destination port.

    • The source port is less than 1024 and the destination port is greater than 1024.

  • If the destination port does match the list of common destination ports, reverse the flow direction if both of the following conditions are true:

    • The source port is a common destination port.

    • The source port is less than 1024 and the destination port is greater than 1024.

If the flow does not match any of the flow direction criteria, JSA uses the flow arrival time to determine the flow direction.
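The port rules above, written out as an added Python example (not Juniper's code and not part of the original page). The `COMMON_DST_PORTS` set, the `Flow` class, and the sample addresses are constructed for illustration; on a real system the port list comes from the JSA configuration.

```python
from dataclasses import dataclass

# Constructed sample list (assumption); JSA reads the real one from its configuration.
COMMON_DST_PORTS = frozenset({22, 25, 53, 80, 443, 3389, 8080})


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def should_reverse(src_port, dst_port, common=COMMON_DST_PORTS):
    """Apply the two port rules from the text; return (reverse, reason)."""
    src_common = src_port in common
    low_to_high = src_port < 1024 and dst_port > 1024
    if dst_port not in common:
        # Destination is not a common port: either condition reverses the flow.
        if src_common:
            return True, "source port is a common destination port"
        if low_to_high:
            return True, "source port < 1024 and destination port > 1024"
    elif src_common and low_to_high:
        # Destination is a common port: both conditions must hold.
        return True, "both ports common, source port < 1024"
    return False, "no reversal rule matched; direction kept as received"


def normalize(flow, common=COMMON_DST_PORTS):
    """Return (flow, reversed, reason) with Source = client, Destination = server."""
    reverse, reason = should_reverse(flow.src_port, flow.dst_port, common)
    if reverse:
        flow = Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
    return flow, reverse, reason


if __name__ == "__main__":
    # Constructed flows: a web response seen first, and a normal client request.
    samples = [
        Flow("10.0.0.5", 80, "192.0.2.10", 51514),
        Flow("192.0.2.10", 51514, "10.0.0.5", 443),
    ]
    for sample in samples:
        print(normalize(sample))
```

When a detection rule keys on Source or Destination, running the same check over the raw exporter record shows whether the addresses were swapped before the rule saw them.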

Tip:

If you do not want JSA to determine the flow direction, set the Use Common Destination Port field to No when you configure the Flow Processor. For more information, see Configuring a Flow Processor.

Example: Flow Direction Reversed by JSA

In this flow, the source port is 80, which is a common destination port. The destination port is higher than 1024, which, according to RFC 1700, excludes it as a common destination port. In this case, JSA flipped the flow direction.

On the Flow Information window, you can see the flow direction algorithm that was used to set the direction.

Flow Direction Algorithms

Flow direction algorithms detect which side of the communication is more likely to be the destination device, and reverse the flow direction as required. The algorithms provide information on how the traffic originally appeared on the network, and which features of the traffic caused it to be reversed.

The following table displays the values that are used in the flow direction algorithm.

| Numeric value | Algorithm | Description |
| --- | --- | --- |
| 1 | Single common destination port (reversed) | Either the source port or the destination port was found in the list of common destination ports, and JSA reversed the flow direction. |
| 2 | Both common destination ports but one was RFC 1700 preferred (reversed) | Both the source port and the destination port are defined as common destination ports. According to RFC 1700, the source port is a preferred destination port, so JSA reversed the flow direction. The RFC 1700 preferred ports are in the range of 0 to 1023, which are controlled and assigned by the Internet Assigned Numbers Authority (IANA). |
| 3 | Arrival time | The flow does not match the criteria for any other flow direction algorithm. JSA used the flow arrival time to determine the flow direction. The Flow Processor process assumes that the request was received before the response, and the flow direction remains as it was received. |
| 4 | Flow exporter | The flow direction is set by an external flow exporter, such as a Packeteer device. |
| 5 | Single common destination port (unaltered) | Either the source port or the destination port was found in the list of common destination ports. JSA did not alter the flow direction. |
| 6 | Both common destination ports but one was RFC 1700 preferred (unaltered) | Both the source port and the destination port are defined as common destination ports. According to RFC 1700, the destination port is a preferred destination port, so JSA did not alter the flow direction. |

Displaying the Flow Direction Algorithm Field in Search Results

Use the search feature to add the flow direction algorithm to the Flow Details window. You can use the flow direction algorithm to identify the criteria that caused JSA to reverse the flow direction.

  1. To display the flow direction algorithm field on the Flow Details window, follow these steps:

    1. Click the Network Activity tab.

    2. From the Search list, select New Search.

    3. In the Column Definition section, scroll down the list of available columns and add Flow Direction Algorithm to the list of columns to display.

    4. Click Filter.

      The Flow Direction Algorithm column appears on the Network Activity tab, displaying a value that represents the algorithm that was used.

  2. To display the flow direction algorithm in an advanced search, use the LOOKUP function to show the text description for the enumerated flow direction algorithm field. For example, the AQL query might look like this:

    SELECT sourceip, destinationip, LOOKUP('flow direction algorithm', "flow direction algorithm") FROM flows

Common Destination Ports

Common destination ports are used by JSA to determine the direction of a network communication, and to ensure that the source and destination devices are reported consistently throughout the entire communication session.

Use the Common Destination Ports API to view the common destination ports that are configured in your system, and add new common destination ports.

Note:

Earlier releases of JSA used the appid_map.conf configuration file to determine the list of common destination ports.

You can use the Common Destination Port API to do the following actions:

  • Get a list of the common destination ports that are defined by default.

    config/flow/applications/common_destination_ports/default_configurations

    The default configurations are read-only. They are provided as a system backup in case the configuration is mistakenly deleted or changed.

  • Get information about the common destination ports that are active in the deployed system. This endpoint is also used to create, update, or delete active common destination ports.

    config/flow/applications/common_destination_ports/active_configurations

    When you use the API to change the common destination ports, the Flow Processor process automatically loads the configuration. You do not need to deploy the configuration to propagate the changes to the system.

For more information about using the JSA RESTful API, see RESTful API Overview.