Larry Sheldon wrote:
With an IP matrix containing src/dst IP and ports (of flows, not individual packets) distilled from a 60 second long tcpdump, how can you determine who is the server and who is the client?
Define "server".
Define "client".
If you are looking at it on the basis of multiple connections, then the server is the one whose port number is stable from connection to connection (ignoring situations where both the client and server have stable ports, as these are not even 0.5% of any one trace, based on the analysis of around 10,000 traces collected). However, you cannot be assured that the one single and unique flow will not contain a significant percentage of the bits moving along the network. And yes, I know this will break down entirely when we reach the singularity of DoS attacks with randomly generated src and dst ports. I'm ignoring those for the moment. I am only looking at TCP at this time. I am not looking for 100% accuracy in all cases at this time. What the applications are doing doesn't matter. At this point I'm thinking that the constraints of the problem make it unsolvable to the degree of accuracy that I want. I am just hoping to be proven wrong at this point.
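One way to implement the port-stability heuristic described in the message above, as an added example that is not part of the thread: the flow records, addresses and byte counts are constructed, and the undecided-byte measure shows how much traffic a single isolated flow can leave unclassified.

```python
"""Server/client inference by port stability over a short TCP flow matrix.
Added example, not code from the thread: an endpoint whose (ip, port)
recurs with several distinct peers is treated as the server; client ports
are ephemeral. Flows where neither or both ends are stable stay undecided."""
from collections import defaultdict

# Constructed flow matrix from a 60 s capture: (src_ip, src_port, dst_ip,
# dst_port, bytes), in captured direction (one row has the server first).
FLOWS = [
    ("10.0.0.5", 51234, "192.0.2.10", 443, 1200),
    ("10.0.0.5", 51235, "192.0.2.10", 443, 900),
    ("10.0.0.7", 40022, "192.0.2.10", 443, 3000),
    ("192.0.2.10", 443, "10.0.0.9", 60001, 1500),
    ("10.0.0.7", 40023, "192.0.2.20", 22, 2000),
    ("10.0.0.8", 40500, "192.0.2.20", 22, 2500),
    ("10.0.0.11", 33000, "192.0.2.30", 8080, 50000),  # lone bulk flow
]

def peer_sets(flows):
    """Map each (ip, port) endpoint to the set of endpoints it exchanged flows with."""
    peers = defaultdict(set)
    for sip, sport, dip, dport, _ in flows:
        peers[(sip, sport)].add((dip, dport))
        peers[(dip, dport)].add((sip, sport))
    return peers

def classify(flows, min_peers=2):
    """One (client, server) tuple per flow, or None when undecidable."""
    peers = peer_sets(flows)
    out = []
    for sip, sport, dip, dport, _ in flows:
        a, b = (sip, sport), (dip, dport)
        a_stable = len(peers[a]) >= min_peers
        b_stable = len(peers[b]) >= min_peers
        if a_stable and not b_stable:
            out.append((b, a))
        elif b_stable and not a_stable:
            out.append((a, b))
        else:
            out.append(None)  # both stable, or a single isolated flow
    return out

def undecided_byte_fraction(flows, min_peers=2):
    """Share of captured bytes sitting in flows the heuristic could not classify."""
    verdicts = classify(flows, min_peers)
    total = sum(f[4] for f in flows)
    lost = sum(f[4] for f, v in zip(flows, verdicts) if v is None)
    return lost / total if total else 0.0
```

Running `classify(FLOWS)` labels six of the seven flows and leaves the lone 8080 flow undecided, which here holds about 82% of the captured bytes.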