You are right that NetProfiler needs to use some smarter heuristics to determine the client-server relationship for UDP flows. The mechanisms used include:
- Checking if the flow was already recently seen and carrying over the client-server data from that
- For NetFlow v9, there is an optional "initiator" field which is also checked with UDP flows
- Apply any existing Layer-4 application mappings
- Check each of the ports to see if they are marked as "server ports"
- NetProfiler tracks if a particular IP address is "likely" to be a server IP based on historical traffic patterns
- NetProfiler also tracks if a particular port is "likely" to be a server port based on historical traffic patterns
The server determination is usually correct but you can help NetProfiler in tricky cases by:
- Enabling the initiator field in the flow export on capable devices
- Defining Layer-4 application mappings for the traffic of concern
- Marking particular ports as "server ports" (on the port names page)
Hope this helps.