SlashDot: "Comcast Gunning for NAT Users"

Keith Woodworth kwoody at
Thu Jan 31 22:02:38 UTC 2002

On Thu, 31 Jan 2002, David Charlap wrote:

|+Keith Woodworth wrote:
|+> From a technical standpoint how does one detect NAT users over the
|+> network?
|+You can't deterministically do so, but there are some telltale signs. 
|+NAT implementations (at least the ones I've seen) tend to choose very
|+large port numbers (above 30,000) for the ports that they generate.

That was my understanding.

|+Anybody who tries to detect NAT through these kinds of heuristic methods
|+will end up with a lot of false positives and false negatives.  And if
|+it becomes a problem, the NAT implementors will simply alter their code
|+to make it impossible to distinguish from a single host's traffic.

Thats sort of what I thought. Ive looked at some tcpdumps that are coming
from a FreeBSD machine doing NAT a while ago to see what was in the
packets exactly and I could not see how you could tell that box was doing
NAT really. But I'm not completely proficient in deciphering packets so I
may have missed something along the way.


More information about the NANOG mailing list