Inbound and outbound

When traffic direction is configured and host filters are applied, it’s common to misunderstand ‘outbound’ to mean ‘flows destined for remote targets’ and ‘inbound’ to mean ‘flows destined for the filtered host’. This leads to confusion when a filtered host is itself among the hosts generating ‘outbound’ flows. How can a host be generating outbound flows to itself?

‘Inbound’ and ‘outbound’ are always defined with respect to the local subnets in the traffic direction configuration. When host filtering is applied, as on the ‘top hosts’ tab, all flows in which the filtered host is present are included; keep in mind that a flow is defined by an n-tuple that includes both the source and the destination. Which section a flow is counted in depends on whether its source or its destination is local. Given this, we expect the filtered host to be at the top of the ‘outbound’ direction.
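The following sketch is an added illustration, not the product's own code. It classifies constructed sample flows against an assumed local subnet (`10.0.0.0/8`), applies a host filter, and ranks sources per direction. The ranking by source bytes and the `internal`/`external` labels for flows with both or neither end local are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Assumed local subnets, standing in for the traffic direction configuration.
LOCAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flows: (source, destination, bytes).
FLOWS = [
    ("10.1.1.5", "203.0.113.10", 4000),
    ("203.0.113.10", "10.1.1.5", 90000),
    ("10.1.1.5", "198.51.100.7", 1200),
    ("198.51.100.7", "10.1.1.5", 300),
    ("10.1.1.9", "203.0.113.10", 7000),  # does not involve the filtered host
    ("10.1.1.5", "10.1.1.9", 500),       # both ends local
]

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_SUBNETS)

def direction(src, dst):
    """Direction relative to the local subnets, never relative to a filtered host."""
    s, d = is_local(src), is_local(dst)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal" if s else "external"  # assumed labels for the other cases

def top_sources(flows, host):
    """Apply a host filter, then total bytes per source in each direction."""
    totals = {}
    for src, dst, nbytes in flows:
        if host not in (src, dst):
            continue  # the host filter matches the host as source OR destination
        totals.setdefault(direction(src, dst), Counter())[src] += nbytes
    return {name: ranked.most_common() for name, ranked in totals.items()}

if __name__ == "__main__":
    # Filtering on a local host: it is the only source of the outbound flows.
    for name, ranked in top_sources(FLOWS, "10.1.1.5").items():
        print(name, ranked)
```

With the filter set to the local host `10.1.1.5`, that host is the only source in the outbound group, while the inbound group lists the remote hosts that sent traffic to it.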

Conversations between hosts

Go to ‘top hosts’ and click on the host that you are interested in. All conversations between it and other hosts are listed at the bottom of the page. In addition, you can create a ‘match all’ filter for two IP addresses to see the conversations between them.