2 Replies Latest reply: Jan 4, 2018 4:38 PM by Erick Munoz RSS

How NetProfler knows who is client or server ona UDP connection?

Erick Munoz

During TCP connection, is well known that client is who started the communication with a TCP SYN, but who is client o server during UDP connection if there is not SYN packets?

  • Re: How NetProfler knows who is client or server ona UDP connection?
    Chris Crampton

    Hi Erick,

     

    You are right that NetProfiler needs to use some smarter heuristics to determine the client-server relationship for UDP flows. The mechanisms used include:

     

    - Checking if the flow was already recently seen and carrying over the client-server data from that

    - For NetFlow v9, there is an optional "initiator" field which is also checked with UDP flows

    - Apply any existing Layer-4 application mappings

    - Check each of the ports to see if they are marked as "server ports"

    - NetProfiler tracks if a particular IP address is "likely" to be a server IP based on historical traffic patterns

    - NetProfiler also tracks if a particular port is "likely" to be a server port based on historical traffic patterns

     

    The server determination is usually correct but you can help NetProfiler in tricky cases by:

    - Enabling the initiator field in the flow export on capable devices

    - Defining Layer-4 application mappings for the traffic of concern

    - Marking particular ports as "server ports" (on the port names page)

     

    Hope this helps.

    Chris.