Identification of flows based on network ports

[MrSuicideParrot]

I was analyzing the implementation of the GetFlowForPacket function and noticed that it only uses the source and destination port to identify flows.

Is there any reason to base the identification exclusively on these ports? Why can't the destination and source IP be used as a way to complement this process?

If we have two different pairs of machines using the same pair of ports to communicate, the current implementation will see these communications as a single flow and not two independent flows.

[glaslos]

We use flow.String() which should be a string like ip:port->ip:port if I'm not mistaken https://github.com/google/gopacket/blob/master/flows.go#L178

[MrSuicideParrot]

The Flow type can be applied to the NetworkLayer and TransportLayer. When it is retrieved from the network layer it will be two IPs and in the case of the transport layer it will be network ports.

A Flow is a simple object made up of a set of two Endpoints, one source and one destination. It details the sender and receiver of the Layer of the Packet. An Endpoint is a hashable representation of a source or destination. For example, for LayerTypeIPv4, an Endpoint contains the IP address bytes for a v4 IP packet.
Gopacket - Flow documentation

As GetFlowForPacket retrieves the Flow from the transport layer, the string representation will be a string like port->port.

To test my hypothesis, I changed the GetFlowForPacket function to print the flow string.

func GetFlowForPacket(packet gopacket.Packet) (flow *Flow, isNew bool) {
	isNew = true
	if transport := packet.TransportLayer(); transport != nil {
		gpktFlow := transport.TransportFlow()
		fmt.Println("Flow: " + gpktFlow.String()) //Change
		srcEp, dstEp := gpktFlow.Endpoints()

The result can be seen in the following picture. The program prints port->port.