Find a better way to pair two flows into one connection

[bitkeks]

In the analyzer, two flows from the same pair of hosts are matched with each other. Then one of the hosts is determined as the source, the other as the destination. This is currently done by looking at the size of the flows, and earlier versions used the lower port to determine which host was the destination (e.g. expecting a port like 80 to be a destination and 33251 to be the client).

python-netflow-v9-softflowd/analyzer.py

Lines 57 to 76 in 565f829

	# Assume the size that sent the most data is the source
	# TODO: this might not always be right, maybe use earlier timestamp?
	size1 = fallback(flow1, ['IN_BYTES', 'IN_OCTETS'])
	size2 = fallback(flow2, ['IN_BYTES', 'IN_OCTETS'])
	if size1 >= size2:
	src = flow1
	dest = flow2
	else:
	src = flow2
	dest = flow1
	# TODO: this next approach uses the lower port as the service identifier
	# port1 = fallback(flow1, ['L4_SRC_PORT', 'SRC_PORT'])
	# port2 = fallback(flow2, ['L4_SRC_PORT', 'SRC_PORT'])
	#
	# src = flow1
	# dest = flow2
	# if port1 > port2:
	# src = flow2
	# dest = flow1

Maybe timestamps could solve this issue, since the initiating flow must have an earlier timestamp than the responding flow. In early tests, this failed due to equal timestamps, but the research was not completed.