Help understanding script output


Hi All, I have a script that I’ve been using to determine who is talking to whom. I’m trying to better understand the output, but I'm not strong with Python. Here’s a snippet of the script output.

I’m trying to clarify the bytes in vs. bytes out.
At first glance, one would assume that in the first case, initiated the conversation and in the second case, initiated, but that does not always seem to be the case. So my question is, based on the main processing of the following script, is it even possible to determine which system initiated the conversation? Knowing this would be critical for creating firewall rules. If both systems are initiating, a firewall rule will be needed in both directions, but if only one system is initiating and EH is simply seeing the return traffic, only a single rule would be needed.

import time  # needed for the retry sleep below

# Assumed to be set up earlier in the script (not shown in this snippet):
# ehop (the ExtraHop API client), devices, lookback, and the output file f.
for device in devices:
    print("Your device ID is " + str(device.device_id))

    if device.ipaddr4:  # only care about L3 devices
        print("Grabbing Device " + str(device.ipaddr4))
        ipaddr = device.ipaddr4
        oid = device.oid
        if device.dns_name:
            host = device.dns_name
        else:
            host = "No DNS Name Captured"

        Failed = True
        while Failed:
            try:
                # Grab Bytes In and Bytes Out by L7 protocol
                metrics = ehop.get_exstats_total("extrahop.device.app_detail", "device", [(oid, lookback, 0)], ["bytes_in", "bytes_out"], {'cycle': "slow"})
                Failed = False
            except Exception:
                # If the ExtraHop is backed up, wait 5 seconds and try again
                print("Extrahop Backed up.. waiting 5 secs")
                time.sleep(5)

        for stat in metrics.stats:
            for L7 in stat.bytes_out:     # Loop through L7 protocols
                for peer in L7.value:     # Loop through peer devices per L7 protocol
                    # Check to see if we have a host value for the peer
                    # (the attribute name on peer.key is assumed here; the original line was blank)
                    peerName = getattr(peer.key, "host", None)
                    if not peerName:
                        peerName = "No DNS name gathered"     # If no host value, let the user know
                    # write to the file
                    f.write(str(ipaddr) + "," + str(peer.key.addr) + ",,,,,," + str(L7.key.str) + ",,," + str(host) + "," + str(peerName) + "," + "Bytes Out" + "," + str(peer.value) + "," + "\n")
            for L7 in stat.bytes_in:      # Do the same thing as above, but for Bytes In
                for peer in L7.value:
                    peerName = getattr(peer.key, "host", None)
                    if not peerName:
                        peerName = "No DNS name gathered"
                    f.write(str(ipaddr) + "," + str(peer.key.addr) + ",,,,,," + str(L7.key.str) + ",,," + str(host) + "," + str(peerName) + "," + "Bytes In" + "," + str(peer.value) + "," + "\n")



Looking a little closer at the output, it appears that I’m definitely seeing response traffic as “bytes in” in many cases. A good example is NTP. There’s no reason an external IP would be “initiating” an NTP request to an internal server (Bytes In), so in that case this must be a response. What may help here is a timestamp. Anyone know how I can add a timestamp request to the script? Thanks!
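The point behind the question above, as an added example that is not the poster's script and does not use the ExtraHop API: per-peer byte counters cannot tell you which side initiated, because a single conversation produces both a "Bytes Out" and a "Bytes In" row for each endpoint no matter who started it. What does tell you is per-connection direction evidence, i.e. which side sent the first packet (the TCP SYN, or the first UDP datagram). The code below works on constructed flow records that carry that client/server information, shows the symmetric byte rows, derives the minimum stateful firewall rule set (one rule per pair and protocol when only one side initiates, two when both do), and includes a first-seen-timestamp fallback with its caveat. The record format, the sample addresses and the timestamps are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flows (illustrative only; not captured data and not
# ExtraHop output). "client" is the side that sent the first packet of the
# flow (the TCP SYN, or the first UDP datagram); "server" is the other side.
SAMPLE_FLOWS = [
    {"client": "10.0.0.5",  "server": "203.0.113.10", "proto": "NTP",
     "first_seen": "2024-01-01T10:00:00Z", "bytes_c2s": 48,   "bytes_s2c": 48},
    {"client": "10.0.0.5",  "server": "10.0.0.20",    "proto": "HTTP",
     "first_seen": "2024-01-01T10:00:05Z", "bytes_c2s": 600,  "bytes_s2c": 8200},
    {"client": "10.0.0.20", "server": "10.0.0.5",     "proto": "SSH",
     "first_seen": "2024-01-01T10:01:00Z", "bytes_c2s": 3000, "bytes_s2c": 2500},
    {"client": "10.0.0.20", "server": "10.0.0.5",     "proto": "HTTP",
     "first_seen": "2024-01-01T10:02:00Z", "bytes_c2s": 400,  "bytes_s2c": 1200},
]


def byte_rows(flows, device):
    """Render the same kind of rows the poster's script writes for one device:
    a 'Bytes Out' and a 'Bytes In' row per peer and L7 protocol.

    Every flow produces BOTH rows for both endpoints, whichever side started
    it, so the rows by themselves say nothing about who initiated."""
    rows = []
    for fl in flows:
        if device == fl["client"]:
            peer, out_b, in_b = fl["server"], fl["bytes_c2s"], fl["bytes_s2c"]
        elif device == fl["server"]:
            peer, out_b, in_b = fl["client"], fl["bytes_s2c"], fl["bytes_c2s"]
        else:
            continue
        rows.append((device, peer, fl["proto"], "Bytes Out", out_b))
        rows.append((device, peer, fl["proto"], "Bytes In", in_b))
    return rows


def initiators_by_pair(flows):
    """Map (hostA, hostB, proto), hosts ordered lexically, to the set of hosts
    that sent the first packet of at least one flow between them."""
    seen = defaultdict(set)
    for fl in flows:
        a, b = sorted((fl["client"], fl["server"]))
        seen[(a, b, fl["proto"])].add(fl["client"])
    return dict(seen)


def firewall_rules(flows):
    """One stateful allow rule per (initiator -> responder, proto).

    A pair where only one side ever initiates needs one rule; the replies are
    matched by connection state. A pair where both sides initiate needs two."""
    rules = set()
    for (a, b, proto), inits in initiators_by_pair(flows).items():
        for src in inits:
            dst = b if src == a else a
            rules.add((src, dst, proto))
    return sorted(rules)


def pairs_needing_both_directions(flows):
    """Keys from initiators_by_pair where both hosts have initiated."""
    return {k for k, inits in initiators_by_pair(flows).items() if len(inits) == 2}


def initiator_from_first_seen(device, peer, first_out, first_in):
    """Fallback when only per-direction counters with a first-seen timestamp
    are available: the direction whose first byte appeared earlier is taken
    to be the request, and its sender the initiator.

    Caveat: this is only trustworthy when the lookback window contains the
    start of the conversation. A window that opens mid-stream (or a session
    that predates it) can show reply traffic first. Prefer SYN-based
    client/server evidence when the data source provides it.
    Returns None when the timestamps tie."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    t_out = datetime.strptime(first_out, fmt)
    t_in = datetime.strptime(first_in, fmt)
    if t_out < t_in:
        return device
    if t_in < t_out:
        return peer
    return None


if __name__ == "__main__":
    for row in byte_rows(SAMPLE_FLOWS, "10.0.0.5"):
        print(",".join(str(x) for x in row))
    print("rules:", firewall_rules(SAMPLE_FLOWS))
    print("both directions:", pairs_needing_both_directions(SAMPLE_FLOWS))
```

With the sample data, 10.0.0.5 gets an NTP "Bytes In" row of 48 bytes even though it is the one that sent the request, which is exactly the ambiguity described above; the rule set comes out as three pairs with one rule each plus one pair (HTTP between 10.0.0.5 and 10.0.0.20) that needs a rule in each direction.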