So, I've a problem which is probably best thought of as a riddle...

With an IP matrix containing src/dst IP and ports (of flows, not individual packets) distilled from a 60 second long tcpdump, how can you determine who is the server and who is the client?

Restrictions:

1) You cannot assume that you will have access to the syn, syn/ack or close packets.

2) You cannot assume that well known ports are actually well known. Ergo, seeing port 80 does not necessarily indicate the corresponding host is a server.

3) You are only seeing things half duplex. In other words, you only see inbound or outbound traffic at any one time, but you can tell if what you are seeing is inbound or outbound.

I've been banging my head against a wall with this for a while. None of the solutions I can think of seem terribly good. These include:

- Looking for multiple flows with the same source or dst IP and tracking how many times any one port appears. If it appears in some percentage of the connections then you know that port is stable and probably a server. This doesn't work if you only have one flow.

- Looking at the size of the packets. If the average size indicates ACKs then you can at least determine directionality. Which may or may not be entirely worthless.

Any ideas? Has anyone done anything on this before?

Chris Rapier
Network Programmer
Pittsburgh Supercomputing Center
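
The port-recurrence idea from the message above, sketched as an added example (not part of the original post). The flow tuple layout, the sample records and the `min_peers` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: one-direction flow records (src_ip, src_port, dst_ip, dst_port).
FLOWS = [
    ("10.0.0.5", 40112, "192.0.2.10", 8443),
    ("10.0.0.6", 51200, "192.0.2.10", 8443),
    ("192.0.2.10", 8443, "10.0.0.7", 33990),    # only the reply direction was seen
    ("10.0.0.5", 40113, "192.0.2.10", 8443),
    ("10.0.0.9", 60000, "198.51.100.3", 2222),  # lone flow, no second sighting
]

def classify_flows(flows, min_peers=2):
    """Map each conversation to its probable server endpoint, or None.

    An (ip, port) endpoint that talks to at least `min_peers` distinct remote
    endpoints is treated as stable, hence probably a server. `min_peers` is an
    assumed threshold, not a value from the post.
    """
    peers = defaultdict(set)
    conversations = set()
    for src_ip, src_port, dst_ip, dst_port in flows:
        a, b = (src_ip, src_port), (dst_ip, dst_port)
        if a == b:
            continue  # degenerate record, nothing to decide
        peers[a].add(b)
        peers[b].add(a)
        # Half-duplex capture: A->B and B->A belong to the same conversation,
        # so the direction of the record is deliberately ignored here.
        conversations.add(frozenset((a, b)))

    result = {}
    for conv in conversations:
        a, b = sorted(conv)
        a_stable = len(peers[a]) >= min_peers
        b_stable = len(peers[b]) >= min_peers
        if a_stable and not b_stable:
            result[(a, b)] = a
        elif b_stable and not a_stable:
            result[(a, b)] = b
        else:
            # Single flow, or both ends recur: the heuristic cannot decide.
            result[(a, b)] = None
    return result

if __name__ == "__main__":
    for (a, b), server in sorted(classify_flows(FLOWS).items()):
        print(a, "<->", b, "server:", server)
```

The lone flow comes back as `None`, which is the single-flow limitation the post points out.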