Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Network Riddle

  • From: Chris Rapier
  • Date: Thu Jun 28 16:26:05 2001



Larry Sheldon wrote:
> 
> > With an ip matrix containing src/dst ip and ports (of flows, not
> > individual packets) distilled from a 60 second long tcpdump how can you
> > determine who is the server and who is the client?
> 
> Define "server".
> 
> Define "client".

If you are looking at it on the basis of multiple connections then the
server is the one whose port number is stable from connection to
connection (ignoring situations where both the client and server have
stable ports as these are not even 0.5% of any one trace (based on the
analysis of around 10,000 traces collected)). However, you cannot be
assured that the one single and unique flow will not contain a
significant percentage of bits moving along the network. 

And yes, I know this will break down entirely when we reach the
singularity of DoS attacks with randomly generated src and dst ports.
I'm ignoring those for the moment.

I am only looking at TCP at this time. I am not looking for 100%
accuracy in all cases at this time. What the applications are doing
doesn't matter.

At this point I'm thinking that the constraints of the problem make it
unsolvable to the degree of accuracy that I want. I am just hoping to be
proven wrong at this point.
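
The stable-port heuristic described in this message, as an added example that is not part of the original post: an endpoint (IP, port) seen with more distinct peers than its counterpart is labelled the server, and a flow whose two endpoints tie (the single unique flow, or both sides stable) is left undetermined. The function name and the sample flow matrix are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow matrix distilled from a capture.
# Each row is (ip_a, port_a, ip_b, port_b); direction is NOT known.
FLOWS = [
    ("10.0.0.5", 34512, "192.0.2.10", 80),
    ("192.0.2.10", 80, "10.0.0.5", 34513),   # same service, listed reversed
    ("10.0.0.7", 40211, "192.0.2.10", 80),
    ("10.0.0.5", 34600, "198.51.100.3", 25),  # single unique flow
]

def classify_flows(flows):
    """Map each flow (as a sorted endpoint pair) to (server, client),
    or to None when port stability cannot separate the two ends."""
    peers = defaultdict(set)   # endpoint -> distinct remote endpoints seen
    pairs = set()              # de-duplicated, order-independent flows
    for ip_a, port_a, ip_b, port_b in flows:
        a, b = (ip_a, port_a), (ip_b, port_b)
        peers[a].add(b)
        peers[b].add(a)
        pairs.add(tuple(sorted((a, b))))

    result = {}
    for a, b in pairs:
        n_a, n_b = len(peers[a]), len(peers[b])
        if n_a > n_b:
            result[(a, b)] = (a, b)    # a's port is the stable one
        elif n_b > n_a:
            result[(a, b)] = (b, a)    # b's port is the stable one
        else:
            result[(a, b)] = None      # tie: one-off flow or both stable
    return result

if __name__ == "__main__":
    for flow, verdict in sorted(classify_flows(FLOWS).items()):
        if verdict is None:
            print(flow, "-> undetermined")
        else:
            print(flow, "-> server %s:%d" % verdict[0])
```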



