Is it important to differentiate between flows and conversations?
There are many moving parts to a successful network security strategy. Everything that makes a network a network, such as e-mail, web requests and file transfers, is a potential route in for a security or compliance issue. Those managing enterprise IT systems need to know what is crossing their network, because every bit of that information is pertinent to running a smooth and secure operation.
As specialists in network traffic flow we are asked many questions on the subject, and one that keeps cropping up is how to differentiate between a 'flow' and a 'conversation', and why the distinction matters. The answer is not as simple as it sounds: the two are closely related but not the same, and they mean different things to different people and organisations, which is why a single definition is hard to pin down.
Into this mix you can add 'session' and 'connection', which again carry different meanings depending on the framework in which they are used. In network traffic flow terminology, however, a 'conversation' is usually the same thing as a 'session', and a 'connection' is a bi-directional 'flow', that is, the pair of flows running in opposite directions between the same two endpoints.
Here we have put together a simple guide:
A flow is a set of IP packets that pass a network observation point during a certain time interval, from a particular source to a particular unicast or multicast destination, carried over TCP, UDP or another transport protocol. Note that by this definition a flow is unidirectional: the packets from a client to a server and the replies from the server back to the client are two separate flows. The export format varies from one exporter to the next (NetFlow v5, v7 or v9, IPFIX, sFlow version 5, J-Flow, cFlow, and increasingly JSON encodings of the same records), but a flow record is keyed on the same seven fields throughout: source IP address, destination IP address, L4 protocol, source port, destination port, ToS (Type of Service) and input interface. Packets that share all seven values, and arrive within the exporter's active and inactive timeouts, are counted into the same flow record.
A network conversation is the traffic between two specific endpoints in both directions, so in flow terms it is the pair of flows whose 5-tuples are mirror images of each other. It captures the behaviour of the exchange: the duration of the conversation, the inter-arrival time of packets and the amount of data sent each way. Flow data lets you track many conversations at once and pick out anomalous network events, such as a host that opens thousands of short conversations to different destinations, or a conversation that sends far more data outbound than inbound. A collection of network flows is effectively an index of all conversations between hosts on a network.
It is important to differentiate between the two because a flow record only tells you that a conversation occurred, between which endpoints, when, and how much data was exchanged; it contains no payload, so it cannot tell you what transpired. For IT and security professionals this is the trade-off to keep in mind: flow data scales to whole-network visibility and retention, while establishing what was actually said requires packet capture of the conversation itself.
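The following is an added illustration of the two definitions above, not code from the original article or from any flow exporter: it aggregates constructed packet observations (made up for this example, not real traffic) into unidirectional flows keyed on the seven-tuple, honouring an inactive timeout, and then pairs opposite-direction flows into bidirectional conversations that record initiator, responder, duration and bytes per direction. The function names, the sample addresses and the 15-second timeout default are assumptions for the example.

```python
"""Aggregate packet observations into 7-tuple flows, then pair flows into
bidirectional conversations. Added example; not the article's own code."""
from dataclasses import dataclass

# Constructed sample packet observations, not real traffic: one short TLS
# exchange between a client and a web server, then a DNS query/response.
# Fields: (timestamp, src_ip, dst_ip, proto, src_port, dst_port, tos, in_if, bytes)
PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", 6, 51234, 443, 0, 1, 74),
    (0.01, "192.0.2.10", "10.0.0.5", 6, 443, 51234, 0, 2, 74),
    (0.02, "10.0.0.5", "192.0.2.10", 6, 51234, 443, 0, 1, 66),
    (0.05, "10.0.0.5", "192.0.2.10", 6, 51234, 443, 0, 1, 583),
    (0.20, "192.0.2.10", "10.0.0.5", 6, 443, 51234, 0, 2, 1514),
    (0.21, "192.0.2.10", "10.0.0.5", 6, 443, 51234, 0, 2, 1514),
    (0.22, "10.0.0.5", "192.0.2.10", 6, 51234, 443, 0, 1, 66),
    (0.30, "10.0.0.5", "203.0.113.53", 17, 40000, 53, 0, 1, 70),
    (0.31, "203.0.113.53", "10.0.0.5", 17, 53, 40000, 0, 2, 120),
]

# Assumed inactive timeout for the example (NetFlow exporters commonly default to 15 s).
INACTIVE_TIMEOUT = 15.0


@dataclass
class Flow:
    """One unidirectional flow record: the 7-tuple key plus counters, no payload."""
    key: tuple          # (src_ip, dst_ip, proto, src_port, dst_port, tos, in_if)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


def build_flows(packets, inactive_timeout=INACTIVE_TIMEOUT):
    """Group packets into flows by the 7-tuple. A gap longer than the inactive
    timeout closes the current record and starts a new one for the same key."""
    active, expired = {}, []
    for ts, sip, dip, proto, sport, dport, tos, in_if, size in sorted(packets):
        key = (sip, dip, proto, sport, dport, tos, in_if)
        flow = active.get(key)
        if flow is not None and ts - flow.last_seen > inactive_timeout:
            expired.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = Flow(key, ts, ts)
        flow.last_seen = ts
        flow.packets += 1
        flow.octets += size
    return expired + list(active.values())


def conversation_key(flow):
    """Direction-independent key: the 5-tuple with the two endpoints ordered,
    so a flow and its reverse map to the same conversation."""
    sip, dip, proto, sport, dport, _tos, _in_if = flow.key
    a, b = (sip, sport), (dip, dport)
    return (proto, min(a, b), max(a, b))


def build_conversations(flows):
    """Pair unidirectional flows into conversations. The endpoint that sent the
    first packet is recorded as the initiator; its bytes count as forward."""
    convs = {}
    for flow in sorted(flows, key=lambda f: f.first_seen):
        sip, dip, proto, sport, dport, _tos, _in_if = flow.key
        conv = convs.setdefault(conversation_key(flow), {
            "proto": proto, "initiator": (sip, sport), "responder": (dip, dport),
            "start": flow.first_seen, "end": flow.last_seen,
            "packets": 0, "octets_fwd": 0, "octets_rev": 0, "flows": 0,
        })
        conv["start"] = min(conv["start"], flow.first_seen)
        conv["end"] = max(conv["end"], flow.last_seen)
        conv["packets"] += flow.packets
        conv["flows"] += 1
        if (sip, sport) == conv["initiator"]:
            conv["octets_fwd"] += flow.octets
        else:
            conv["octets_rev"] += flow.octets
    for conv in convs.values():
        conv["duration"] = conv["end"] - conv["start"]
    return convs


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(f"{len(flows)} flows from {len(PACKETS)} packets")
    for c in build_conversations(flows).values():
        print(c["initiator"], "->", c["responder"], "proto", c["proto"],
              f"{c['duration']:.2f}s", c["octets_fwd"], "B fwd", c["octets_rev"], "B rev")
```

Running it shows the point of the article: nine packets become four flow records (each direction of each exchange is its own flow), and those pair into two conversations with a known initiator, duration and byte count per direction, but nothing in any record says what the 583-byte TLS message or the DNS query actually contained. Passing a much shorter `inactive_timeout` splits the TCP exchange into several records for the same key, which is why a collector must merge on the key and time window before it can reason about a conversation.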