IBM Security QRadar

  • 1.  how to understand flow packets

    Posted Tue October 01, 2019 08:43 AM
    Under Network Activity we have Source Payload and Destination Payload below the information section, and then the actual source and destination payload field. How are we supposed to understand this?

    Sometimes I see the payload has a byte value, sometimes it's 0. What does it mean when the source payload has a value and the destination has zero, or the other way around? Does it mean that the packet has not been forwarded or something?


    Source Payload: 1 packets, 48 bytes
    Destination Payload: 0 packets, 0 bytes

    [Screenshot: the actual payload field, and the source and destination payload fields in QRadar]


    ------------------------------
    s@nthakumar
    ------------------------------


  • 2.  RE: how to understand flow packets

    Posted Fri October 25, 2019 08:15 AM
    Hi,

    The source and destination payload fields, as I know, depict the sent and received bytes in a flow. So, for example, if you see a flow record from source IP s.s.s.s to destination IP d.d.d.d with source bytes s bytes and destination bytes 0 (zero), it means that IP s.s.s.s tried to connect to d.d.d.d and sent s bytes, but d.d.d.d did not return anything. This can be a few things: either the destination is not configured to send something, or the connection was not allowed by something after the tapped device (have to check this one).

    ------------------------------
    Chinmay Kulkarni
    ------------------------------



  • 3.  RE: how to understand flow packets

    Posted Tue October 29, 2019 07:18 AM

    Hi,

    I would also consider asymmetric routing as a reason for seeing only half of the communication... a more thorough investigation is required as there can be many reasons behind such behavior.

    My2cs :-D



    ------------------------------
    Jean-Luc Labbe
    Cognitive Security Intelligence, Europe
    IBM Security
    ------------------------------



  • 4.  RE: how to understand flow packets

    Posted Tue October 29, 2019 08:44 AM
    S-->D
    I think flow traffic is one way, right? Let me explain it this way, though I am not sure my understanding is correct.
    When source S sends a packet to destination D, let's say a 1 MB file transiting a router, the router will create a flow and forward it to QRadar. In this flow, are we supposed to see a source payload with the corresponding bytes and a zero destination payload?

    D-->S
    And for the above traffic's return, it will be just an ACK from destination D (the new source).
    In this second leg, are we supposed to see a new flow with a source of a small payload, just enough bytes to carry the ACK, and a destination with zero bytes?



    Regards,
    S@ntha

    ------------------------------
    s 3k
    ------------------------------



  • 5.  RE: how to understand flow packets

    Posted Tue October 29, 2019 09:06 AM
    Flow records are one way, but QRadar reconstructs flow sessions from flow records. What you are looking at in QRadar are flow sessions. To help you better understand my point and reason on your questions, please review the "successful communication" BB definition in QRadar... Hope this helps.

    ------------------------------
    Jean-Luc Labbe
    Cognitive Security Intelligence, Europe
    IBM Security
    ------------------------------
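    To illustrate the point made in the reply above (unidirectional flow records are merged into bidirectional sessions, and the Source/Destination Payload columns are the two halves of one session), here is an added example that is not part of this thread and not QRadar's own code. The record layout, the sample values and the "higher port is the client" heuristic are my own assumptions.

```python
# Constructed unidirectional flow records, one per direction, in the shape a
# router exporter hands to a flow collector. Field names are my own choice.
RECORDS = [
    # Client sends one 48-byte packet; nothing ever comes back.
    {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 443,
     "proto": "tcp", "packets": 1, "bytes": 48},
    # Client pushes a 1 MB upload; server answers with small ACK-sized packets.
    {"src": "10.0.0.5", "sport": 51001, "dst": "192.0.2.20", "dport": 80,
     "proto": "tcp", "packets": 760, "bytes": 1048576},
    {"src": "192.0.2.20", "sport": 80, "dst": "10.0.0.5", "dport": 51001,
     "proto": "tcp", "packets": 380, "bytes": 20520},
    # Only the reply leg passed the tap (asymmetric routing); no forward record.
    {"src": "198.51.100.7", "sport": 22, "dst": "10.0.0.9", "dport": 40000,
     "proto": "tcp", "packets": 9, "bytes": 1310},
]

def endpoints(rec):
    """Return (client_ip, client_port, server_ip, server_port) for a record.
    Heuristic, not QRadar's own logic: the end on the higher (ephemeral)
    port is taken as the client that initiated the session."""
    if rec["sport"] > rec["dport"]:
        return rec["src"], rec["sport"], rec["dst"], rec["dport"]
    return rec["dst"], rec["dport"], rec["src"], rec["sport"]

def build_sessions(records):
    """Merge unidirectional records into bidirectional sessions keyed on the
    protocol and client/server tuple; bytes sent by the client count as
    source payload, bytes sent by the server as destination payload."""
    sessions = {}
    for rec in records:
        cip, cport, sip, sport = endpoints(rec)
        key = (rec["proto"], cip, cport, sip, sport)
        s = sessions.setdefault(key, {"src": cip, "dst": sip, "dport": sport,
                                      "src_packets": 0, "src_bytes": 0,
                                      "dst_packets": 0, "dst_bytes": 0})
        side = "src" if rec["src"] == cip else "dst"
        s[side + "_packets"] += rec["packets"]
        s[side + "_bytes"] += rec["bytes"]
    return list(sessions.values())

def classify(s):
    """Read the payload columns the way the thread discusses them."""
    if s["src_bytes"] and s["dst_bytes"]:
        return "bidirectional"
    if s["src_bytes"]:
        return "no reply seen"   # closed/blocked, or return leg not tapped
    return "reply only"          # forward leg not tapped (asymmetric routing)

if __name__ == "__main__":
    for s in build_sessions(RECORDS):
        print(f'{s["src"]} -> {s["dst"]}:{s["dport"]}  '
              f'src {s["src_packets"]} pkts/{s["src_bytes"]} B, '
              f'dst {s["dst_packets"]} pkts/{s["dst_bytes"]} B => {classify(s)}')
```

The 1 MB upload becomes a single session with a large source payload and a small destination payload, rather than two separate flows; the last record shows how a session can legitimately have zero source bytes when only the return leg reaches the collector.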