The 5-Tuple Approach

Uniquely Identifying Network Sessions for Traffic Analysis


What is the 5-Tuple?

In network traffic analysis, the 5-tuple is a set of five values that uniquely identifies a bidirectional network flow or session. Every packet traveling across a network carries these values in its IP and transport headers (protocols without ports, such as ICMP, carry only the IP addresses and protocol number).

  1. Source IP: 192.168.1.100
  2. Destination IP: 10.0.0.50
  3. Source Port: 52431
  4. Destination Port: 443
  5. Protocol: TCP (6)

Key Insight

  • The 5-tuple uniquely identifies a session or flow between two endpoints
  • Changing any single value creates a different flow
  • SOC analysts use 5-tuples to track, correlate, and investigate network activity
  • Firewalls, IDS/IPS, and SIEM systems all rely on 5-tuple matching

Why Does This Matter for SOC Analysts?

Firewall Rules

Firewall policies match on 5-tuple values to permit or deny traffic. Understanding this helps you read and write effective rules.

NetFlow Analysis

NetFlow/IPFIX records are organized by 5-tuple. You'll query flows using these fields constantly.

Threat Hunting

When investigating alerts, you'll pivot on source/destination IPs and ports to find related malicious activity.

Session Correlation

Correlating events across logs requires matching 5-tuples to reconstruct what happened during an incident.

Anatomy of a Network Packet

Let's examine where each tuple element lives within a network packet.

Where Each Tuple Lives

  • Source IP & Destination IP — IP Header (Layer 3)
  • Source Port & Destination Port — TCP/UDP Header (Layer 4)
  • Protocol — IP Header "Protocol" field (6=TCP, 17=UDP, 1=ICMP)

Common Protocol Numbers

Number  Protocol  Description                                                    Has Ports?
1       ICMP      Internet Control Message Protocol (ping, traceroute)           No
6       TCP       Transmission Control Protocol (reliable, connection-oriented)  Yes
17      UDP       User Datagram Protocol (fast, connectionless)                  Yes
47      GRE       Generic Routing Encapsulation (tunneling)                      No
50      ESP       Encapsulating Security Payload (IPsec)                         No

Reading Flow Records

NetFlow and firewall logs display connection information using 5-tuple format. Practice reading these entries to identify sessions.

Understanding Bidirectional Flows

When a client connects to a server, there are actually two flows:

Outbound Flow (Request)

192.168.1.100:52431 → 10.0.0.50:443 (TCP)

Inbound Flow (Response)

10.0.0.50:443 → 192.168.1.100:52431 (TCP)

Key Observation

  • The source and destination swap positions in the return flow
  • Most tools combine these into a single "session" for analysis
  • When hunting, search for both directions to see the full picture
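As an added example (not part of this module), the following Python script parses constructed flow-log lines in an assumed "src:sport -> dst:dport proto action" layout, extracts each 5-tuple, and folds the request and response directions into one session key, the way flow tools pair the two flows shown above. ICMP records, which carry no ports, are handled as the protocol table describes.

```python
import re
from collections import defaultdict

# Constructed sample records; the layout is assumed for this example and is
# not any vendor's actual log syntax.
SAMPLE_LOG = """\
192.168.1.100:52431 -> 10.0.0.50:443 TCP ALLOW
10.0.0.50:443 -> 192.168.1.100:52431 TCP ALLOW
192.168.1.100:52432 -> 10.0.0.50:443 TCP ALLOW
192.168.1.100 -> 10.0.0.50 ICMP ALLOW
10.0.0.50 -> 192.168.1.100 ICMP ALLOW
192.168.1.100:52431 -> 10.0.0.51:443 TCP DENY
"""

# IP protocol numbers from the "Common Protocol Numbers" table
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17, "GRE": 47, "ESP": 50}
# Port is optional so that port-less protocols (ICMP, GRE, ESP) still parse
LINE_RE = re.compile(r"^([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))? (\w+) (\w+)$")

def parse_five_tuple(line):
    """Return (src_ip, src_port, dst_ip, dst_port, proto_number) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, proto, _action = m.groups()
    proto_no = PROTO_NUMBERS[proto.upper()]
    # Protocols without ports get port 0 so the tuple keeps a fixed shape
    return (src, int(sport or 0), dst, int(dport or 0), proto_no)

def session_key(five_tuple):
    """Direction-independent key: order the two endpoints deterministically so
    the outbound request and the inbound response map to the same session."""
    src, sport, dst, dport, proto = five_tuple
    a, b = (src, sport), (dst, dport)
    return (min(a, b), max(a, b), proto)

def group_sessions(log_text):
    """Group every parsed record under its bidirectional session key."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ft = parse_five_tuple(line)
        if ft is not None:
            sessions[session_key(ft)].append(ft)
    return dict(sessions)

if __name__ == "__main__":
    for key, records in group_sessions(SAMPLE_LOG).items():
        print(key, "->", len(records), "direction(s) seen")
```

Searching on the session key rather than on one direction's 5-tuple is what lets a hunt surface both halves of a conversation at once.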
