
I am writing a thesis concerning the identification of patterns in network traffic. The input file contains thousands of data lines, each providing information such as timestamps, source and destination IP addresses, source and destination ports, interfaces, number of bytes and packets exchanged between the source and the destination, and protocols. The start and end time are always the same in a data line.

My question is whether it is possible to assign all IP addresses to categories such as routers/servers/clients based only on the information provided, or whether other information is also necessary in order to assign all addresses correctly. (About 100-150 ports are used, both registered and unregistered.)

Thank you!

1 Answer


Your question is very broad because it depends a lot on what categories you have in mind. For example, what's your definition of a server? Anyway, technically NetFlow does not support any kind of endpoint type qualification, so you have to rely on statistics. If a certain destination IP address has a significant (absolute) amount of traffic to, for example, (destination) port 25 it would likely be an SMTP server. And the sender can perhaps be categorized as a client unless it also received a lot of SMTP traffic (so it would be relaying).

Since NetFlow usually runs on routers (and less frequently on switches) your NetFlow origin IP address is likely a router. Large amounts of traffic to or from an IP address on a specific port will likely denominate that IP address as a server. You have to determine the boundaries for that. And - if needed - the type of server.

SMTP could also run on a non-standard port (e.g. 80), less likely, but you could possibly detect that by measuring the amount of ingress vs egress data. My guess would be that several standard protocols have identifiable ratios on this.

Ton Plooij
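The statistical approach the answer sketches (volume per port, NetFlow exporter as router, ingress/egress ratio per service port), as an added example that is not part of the original question or answer. The flow records, IP addresses, the byte threshold, the "at least two distinct peers" rule and the port-label table are all constructed assumptions for illustration; a real data set needs its own boundaries, as the answer says.

```python
"""Heuristic endpoint classification from NetFlow-style records.

Added example, not the answerer's code. Every flow record, address and
threshold below is constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export with the same fields the question describes.
# Three hosts mail 10.0.0.5 on port 25, two hosts browse 192.0.2.10 on
# port 80, and 10.0.0.5 relays one message onward to 198.51.100.7.
SAMPLE_FLOWS = """\
start,end,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
1700000000,1700000000,10.0.0.11,51234,10.0.0.5,25,tcp,4800,12
1700000000,1700000000,10.0.0.12,51235,10.0.0.5,25,tcp,5200,14
1700000000,1700000000,10.0.0.13,51236,10.0.0.5,25,tcp,4700,11
1700000000,1700000000,10.0.0.5,25,10.0.0.11,51234,tcp,600,6
1700000000,1700000000,10.0.0.5,25,10.0.0.12,51235,tcp,650,6
1700000000,1700000000,10.0.0.5,25,10.0.0.13,51236,tcp,620,6
1700000000,1700000000,10.0.0.11,51300,192.0.2.10,80,tcp,900,9
1700000000,1700000000,192.0.2.10,80,10.0.0.11,51300,tcp,52000,40
1700000000,1700000000,10.0.0.12,51301,192.0.2.10,80,tcp,850,8
1700000000,1700000000,192.0.2.10,80,10.0.0.12,51301,tcp,48000,38
1700000000,1700000000,10.0.0.5,40000,198.51.100.7,25,tcp,9000,10
"""

# Assumed labels for a few well-known service ports; extend for your data.
PORT_LABELS = {25: "smtp", 53: "dns", 80: "http", 443: "https"}


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric ports and counters."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "bytes", "packets"):
            r[key] = int(r[key])
        rows.append(r)
    return rows


def port_stats(flows):
    """Per (ip, port): bytes in/out on that port and the set of distinct peers.

    Each flow is credited to both endpoints: the source on its src_port
    (egress) and the destination on its dst_port (ingress).
    """
    stats = defaultdict(lambda: {"in": 0, "out": 0, "peers": set()})
    sources = set()  # hosts that initiated at least one flow
    for f in flows:
        s = stats[(f["src_ip"], f["src_port"])]
        s["out"] += f["bytes"]
        s["peers"].add(f["dst_ip"])
        d = stats[(f["dst_ip"], f["dst_port"])]
        d["in"] += f["bytes"]
        d["peers"].add(f["src_ip"])
        sources.add(f["src_ip"])
    return stats, sources


def _entry(role, port=None, service=None, ratio=None):
    return {"role": role, "port": port, "service": service, "in_out_ratio": ratio}


def classify(flows, exporters=(), min_bytes=10_000, min_peers=2):
    """Return {ip: {"role", "port", "service", "in_out_ratio"}}.

    exporters: NetFlow-exporting IPs, assumed to be routers.
    A host is a server when one of its ports carries at least min_bytes in
    both directions combined to at least min_peers distinct peers; the peer
    requirement (an assumption added here) stops a busy ephemeral client
    port from looking like a service. Hosts that only initiated flows are
    clients; hosts seen solely as low-volume destinations stay unclassified.
    in_out_ratio = ingress bytes / egress bytes on the service port, the
    figure the answer suggests for telling services apart (>1 means the
    port mostly receives, as an SMTP inbound relay would).
    """
    stats, sources = port_stats(flows)
    best = {}  # ip -> (port, total bytes, stats) for the busiest service port
    for (ip, port), s in stats.items():
        total = s["in"] + s["out"]
        if total >= min_bytes and len(s["peers"]) >= min_peers:
            if ip not in best or total > best[ip][1]:
                best[ip] = (port, total, s)
    result = {}
    for ip in sorted({ip for ip, _ in stats} | set(exporters)):
        if ip in exporters:
            result[ip] = _entry("router")
        elif ip in best:
            port, _, s = best[ip]
            ratio = s["in"] / s["out"] if s["out"] else None
            result[ip] = _entry("server", port, PORT_LABELS.get(port, "unknown"), ratio)
        elif ip in sources:
            result[ip] = _entry("client")
        else:
            result[ip] = _entry("unclassified")
    return result


if __name__ == "__main__":
    for ip, info in classify(parse_flows(SAMPLE_FLOWS), exporters={"10.0.0.1"}).items():
        print(ip, info)
```

With the constructed data, 10.0.0.5 comes out as an SMTP server whose port 25 receives far more than it sends, 192.0.2.10 as an HTTP server with the opposite ratio, the three workstations as clients, the exporter as a router, and 198.51.100.7 as unclassified because a single 9 kB flow from one peer does not cross the assumed boundary. Tuning min_bytes and min_peers against ground truth for a few known hosts is the "determine the boundaries" step the answer refers to.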