North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
- From: Chris Rapier
- Date: Thu Jun 28 15:31:12 2001
So, I've a problem which is probably best though of as a riddle...
With an ip matrix containing src/dst ip and ports (of flows, not
individual packets) distilled from a 60 second long tcpdump how can you
determine who server and who is the client.
1) You cannot assume that you will have access to the syn, syn/ack or
2) You cannot assume that well known ports are actually well known.
Ergo, seeing port 80 does not necessarily indicate the corresponding
host is a server.
3) You are only seeing things half duplex. In other words, you only see
inbound or outbound traffic at any one time but you can tell if what you
are seeing is inbound or outbound.
I've been banging my head against a wall with this for a while. None of
the solutions I can think of seem terribly good.
These include - looking for multiple flows with the same source or dst
IP and tracking how many times any one port appears. If it appears in
some percentage of the connections then you know that port is stable and
probably a server. This doesn't work if you only have one flow.
Looking at the size of the packets. If the average size indicates ACKs
then you can at least determine directionality. Which may or may not be
Any ideas? Has anyone done anything on this before?
Pittsburgh Supercomputing Center