Identification of flows based on network ports #53
We use |
The Flow type can be applied to the NetworkLayer and TransportLayer. When it is retrieved from the network layer it will be two IPs and in the case of the transport layer it will be network ports.
As GetFlowForPacket retrieves the Flow from the transport layer, the string representation will be a string like

To test my hypothesis, I changed the GetFlowForPacket function to print the flow string.

```go
func GetFlowForPacket(packet gopacket.Packet) (flow *Flow, isNew bool) {
	isNew = true
	if transport := packet.TransportLayer(); transport != nil {
		gpktFlow := transport.TransportFlow()
		fmt.Println("Flow: " + gpktFlow.String()) // Change
		srcEp, dstEp := gpktFlow.Endpoints()
```

The result can be seen in the following picture. The program prints |
I was analyzing the implementation of the GetFlowForPacket function and noticed that it only uses the source and destination port to identify flows.
Is there any reason to base the identification exclusively on these ports? Why can't the destination and source IP be used as a way to complement this process?
If we have two different pairs of machines using the same pair of ports to communicate, the current implementation will see these communications as a single flow and not two independent flows.
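The collision described in this issue, as an added example that is not part of the thread or the project's code: it counts flows in constructed traffic once with a ports-only key and once with a key that also includes both IP addresses. It uses only the Go standard library instead of gopacket, and every name in it (`Pkt`, `portKey`, `tupleKey`, `CountFlows`, `Sample`) is hypothetical.

```go
package main

import "fmt"
import "net/netip"

type (
	Pkt      struct{ Src, Dst netip.AddrPort } // constructed stand-in for a decoded TCP/UDP packet
	portKey  struct{ lo, hi uint16 }           // ports only, as the issue describes
	tupleKey struct{ lo, hi netip.AddrPort }   // ports plus both IP addresses
)

// Both key functions order the endpoints so A->B and B->A share one key.
func portsOnly(p Pkt) portKey {
	s, d := p.Src.Port(), p.Dst.Port()
	if s > d {
		s, d = d, s
	}
	return portKey{s, d}
}

func withAddrs(p Pkt) tupleKey {
	s, d := p.Src, p.Dst
	if c := s.Addr().Compare(d.Addr()); c > 0 || (c == 0 && s.Port() > d.Port()) {
		s, d = d, s
	}
	return tupleKey{s, d}
}

// CountFlows returns the number of distinct flows under each keying scheme.
func CountFlows(pkts []Pkt) (byPorts, byTuple int) {
	ports, tuples := map[portKey]bool{}, map[tupleKey]bool{}
	for _, p := range pkts {
		ports[portsOnly(p)], tuples[withAddrs(p)] = true, true
	}
	return len(ports), len(tuples)
}

var ap = netip.MustParseAddrPort // shorthand for the literals below

// Sample is constructed traffic: two host pairs, each talking over ports 51000 <-> 443.
var Sample = []Pkt{
	{ap("10.0.0.1:51000"), ap("10.0.0.2:443")}, {ap("10.0.0.2:443"), ap("10.0.0.1:51000")},
	{ap("10.0.0.3:51000"), ap("10.0.0.4:443")}, {ap("10.0.0.4:443"), ap("10.0.0.3:51000")},
}

func main() {
	fmt.Println(CountFlows(Sample)) // ports-only count, then address+port count
}
```

With the ports-only key, packets from both host pairs are merged into one flow, so any per-flow statistics mix traffic from unrelated conversations.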