On Thu, 31 Jan 2002, David Charlap wrote: |+ |+Keith Woodworth wrote: |+> |+> From a technical standpoint how does one detect NAT users over the |+> network? |+ |+You can't deterministically do so, but there are some telltale signs. |+NAT implementations (at least the ones I've seen) tend to choose very |+large port numbers (above 30,000) for the ports that they generate. That was my understanding. |+Anybody who tries to detect NAT through these kinds of heuristic methods |+will end up with a lot of false positives and false negatives. And if |+it becomes a problem, the NAT implementors will simply alter their code |+to make it impossible to distinguish from a single host's traffic. Thats sort of what I thought. Ive looked at some tcpdumps that are coming from a FreeBSD machine doing NAT a while ago to see what was in the packets exactly and I could not see how you could tell that box was doing NAT really. But I'm not completely proficient in deciphering packets so I may have missed something along the way. Keith