Question regarding bidirectional flows in eve.json

gvi · March 10, 2023, 9:04pm

Hello,

Regarding the logging of bidirectional flows in eve.json (event_type:flow) each log contains the source and destination ip address as well as byte_toclient and bytes_toserver. How can i know who is the server and the client? Is the source ip the client and the destination ip is the server?

Thanks in advance.

ish · March 10, 2023, 9:18pm

Yes, the source IP is the client and the destination IP is the server.

I guess there could be cases where this isn’t always true, such as a packet picked up mid-stream where Suricata doesn’t know who initiated the flow.

Topic		Replies	Views
Eve.json only shows "event_type":"flow" Help	7	1346	October 22, 2020
Incorrect identification of source ip and destination ip Help community	4	514	April 16, 2022
Suricata Network monitoring Help suricata	1	458	October 13, 2022
Cannot disable dns events in eve.json	1	1644	September 16, 2020
Logging different kind of logs in different EVE files Help	2	1296	June 11, 2020

Question regarding bidirectional flows in eve.json

Related Topics