Q. How does InterMapper Flows determine when a host is acting as a "client" and when it is acting as a "server" in transmitting data?
A. "Client" means the number of bytes transmitted when this system was acting as a client (for example, sending a request to another server). "Server" means the number of bytes transmitted when this address was acting as a server (for instance, when responding to a request from a client).
This means that the "Client" and "Server" columns together equal the number of bytes sent by a host. It can help you quickly spot which systems are making lots of requests (acting mostly as clients), and which systems are receiving a lot of them (acting mostly as servers).
InterMapper Flows uses a heuristic - the port number values for sender/receiver - to determine whether data is sent as a client or as a server. In general, server port numbers are lower than client port numbers. For example, the web server is at port 80, and the client end of the connection generally uses a port greater than 10,000. Therefore, a device that's sending lots of data from port 80 would most likely be sending it to high numbered ports (> 10,000). InterMapper Flows would consequently judge that device to be a server.
Additionally, for higher numbered ports, such as 8184, or even ports such as 1434, InterMapper Flows has a hard-coded list of known service ports, which will be seen as a "server" when the client port is actually lower, but not in the list of commonly recognized port numbers.
Finally, InterMapper Flows also pays attention to who sent the first packet, if that information is available.