Network Riddle

Chris Rapier rapier at psc.edu
Thu Jun 28 20:15:08 UTC 2001




Larry Sheldon wrote:
> 
> > With an ip matrix containing src/dst ip and ports (of flows, not
> > individual packets) distilled from a 60 second long tcpdump how can you
> > determine who is the server and who is the client?
> 
> Define "server".
> 
> Define "client".

If you are looking at it on the basis of multiple connections then the
server is the one whose port number is stable from connection to
connection (ignoring situations where both the client and server have
stable ports as these are not even 0.5% of any one trace (based on the
analysis of around 10,000 traces collected)). However, you cannot be
assured that the one single and unique flow will not contain a
significant percentage of bits moving along the network. 

And yes, I know this will break down entirely when we reach the
singularity of DoS attacks with randomly generated src and dst ports.
I'm ignoring those for the moment.

I am only looking at TCP at this time. I am not looking for 100%
accuracy in all cases at this time. What the applications are doing
doesn't matter.

At this point I'm thinking that the constraints of the problem make it
unsolvable to the degree of accuracy that I want. I am just hoping to be
proven wrong at this point.
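
The stable-port heuristic described in this message, as an added example that is not part of the original post. The flow tuples are constructed, and the function name, the two-peer threshold and the verdict labels are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed flow matrix: (src_ip, src_port, dst_ip, dst_port), TCP only.
FLOWS = [
    ("10.0.0.5", 40112, "192.0.2.10", 80),
    ("10.0.0.5", 40113, "192.0.2.10", 80),
    ("192.0.2.10", 80, "10.0.0.7", 51822),      # captured in the reverse direction
    ("10.0.0.9", 33001, "198.51.100.4", 6000),  # single, unique flow
    ("10.0.1.1", 5000, "10.0.1.2", 5000),       # both sides reuse one port
    ("10.0.1.1", 5000, "10.0.1.3", 5000),
    ("10.0.1.2", 5000, "10.0.1.3", 5000),
]

def classify_flows(flows, min_peers=2):
    """Label each flow by which endpoint keeps its port across connections.

    An endpoint (ip, port) counts as stable when it is seen with at least
    min_peers distinct remote endpoints (assumed threshold). Direction in
    the matrix is ignored, since a flow record does not say who sent the SYN.
    """
    peers = defaultdict(set)
    pairs = set()
    for sip, sport, dip, dport in flows:
        a, b = (sip, sport), (dip, dport)
        if a == b:
            continue  # degenerate record, nothing to compare
        peers[a].add(b)
        peers[b].add(a)
        pairs.add(frozenset((a, b)))

    verdicts = {}
    for pair in pairs:
        a, b = pair
        a_stable = len(peers[a]) >= min_peers
        b_stable = len(peers[b]) >= min_peers
        if a_stable and not b_stable:
            verdicts[pair] = ("server", a)
        elif b_stable and not a_stable:
            verdicts[pair] = ("server", b)
        elif a_stable and b_stable:
            verdicts[pair] = ("ambiguous", None)  # both ports stable
        else:
            verdicts[pair] = ("unknown", None)    # one-off flow, no evidence
    return verdicts

if __name__ == "__main__":
    for pair, verdict in classify_flows(FLOWS).items():
        print(sorted(pair), verdict)
```

The "unknown" and "ambiguous" verdicts are the two cases the message sets aside: the single unique flow, and the traces where both ends keep a stable port.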


