Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Network Riddle

  • From: Chris Rapier
  • Date: Thu Jun 28 15:31:12 2001

So, I've a problem which is probably best though of as a riddle...

With an ip matrix containing src/dst ip and ports (of flows, not
individual packets) distilled from a 60 second long tcpdump how can you
determine who server and who is the client.

1) You cannot assume that you will have access to the syn, syn/ack or
close packets. 
2) You cannot assume that well known ports are actually well known.
Ergo, seeing port 80 does not necessarily indicate the corresponding
host is a server.
3) You are only seeing things half duplex. In other words, you only see
inbound or outbound traffic at any one time but you can tell if what you
are seeing is inbound or outbound. 

I've been banging my head against a wall with this for a while. None of
the solutions I can think of seem terribly good. 

These include - looking for multiple flows with the same source or dst
IP and tracking how many times any one port appears. If it appears in
some percentage of the connections then you know that port is stable and
probably a server. This doesn't work if you only have one flow. 

Looking at the size of the packets. If the average size indicates ACKs
then you can at least determine directionality. Which may or may not be
entirely worthless.

Any ideas? Has anyone done anything on this before?

Chris Rapier
Network Programmer
Pittsburgh Supercomputing Center

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.