In the analyzer, two flows from the same pair of hosts are matched with each other. Then one of the hosts is determined as the source, the other as the destination. This is currently done by looking at the size of the flows, and earlier versions used the lower port to determine which host was the destination (e.g. expecting a port like 80 to be a destination and 33251 to be the client).
Maybe timestamps could solve this issue, since the initiating flow must have an earlier timestamp than the responding flow. In early tests, this failed due to equal timestamps, but the research was not completed.
In the analyzer, two flows from the same pair of hosts are matched with each other. Then one of the hosts is determined as the source, the other as the destination. This is currently done by looking at the size of the flows, and earlier versions used the lower port to determine which host was the destination (e.g. expecting a port like
80to be a destination and33251to be the client).https://github.com/bitkeks/python-netflow-v9-softflowd/blob/565f829945a74796e8fca766490f2a8c0dfe161d/analyzer.py#L57-L76
Maybe timestamps could solve this issue, since the initiating flow must have an earlier timestamp than the responding flow. In early tests, this failed due to equal timestamps, but the research was not completed.