So, I've a problem which is probably best thought of as a riddle... With an IP matrix containing src/dst IP and ports (of flows, not individual packets) distilled from a 60 second long tcpdump, how can you determine who is the server and who is the client?

Restrictions:
1) You cannot assume that you will have access to the SYN, SYN/ACK or close packets.
2) You cannot assume that well known ports are actually well known. Ergo, seeing port 80 does not necessarily indicate the corresponding host is a server.
3) You are only seeing things half duplex. In other words, you only see inbound or outbound traffic at any one time, but you can tell if what you are seeing is inbound or outbound.

I've been banging my head against a wall with this for a while. None of the solutions I can think of seem terribly good. These include:

- Looking for multiple flows with the same source or dst IP and tracking how many times any one port appears. If it appears in some percentage of the connections then you know that port is stable and probably a server. This doesn't work if you only have one flow.
- Looking at the size of the packets. If the average size indicates ACKs then you can at least determine directionality. Which may or may not be entirely worthless.

Any ideas? Has anyone done anything on this before?

Chris Rapier
Network Programmer
Pittsburgh Supercomputing Center
With an IP matrix containing src/dst IP and ports (of flows, not individual packets) distilled from a 60 second long tcpdump, how can you determine who is the server and who is the client?
Define "server". Define "client".

--
L. F. (Larry) Sheldon, Jr.
Unix Systems and Network Administration
Creighton University Computer Center-Old Gym
2500 California Plaza, Omaha, Nebraska, U.S.A. 68178
lsheldon@creighton.edu
402 280-2254 (work), 402 681-4726 (cellular), 402 332-4622 (residence)
http://www.creighton.edu/~lsheldon

Two identifying characteristics of System Administrators: Infallibility, and the ability to learn from their mistakes. Adapted from Stephen Pinker.
Larry Sheldon wrote:
With an IP matrix containing src/dst IP and ports (of flows, not individual packets) distilled from a 60 second long tcpdump, how can you determine who is the server and who is the client?
Define "server".
Define "client".
If you are looking at it on the basis of multiple connections, then the server is the one whose port number is stable from connection to connection (ignoring situations where both the client and server have stable ports, as these are not even 0.5% of any one trace, based on the analysis of around 10,000 traces collected). However, you cannot be assured that the one single and unique flow will not contain a significant percentage of the bits moving along the network.

And yes, I know this will break down entirely when we reach the singularity of DoS attacks with randomly generated src and dst ports. I'm ignoring those for the moment. I am only looking at TCP at this time. I am not looking for 100% accuracy in all cases at this time. What the applications are doing doesn't matter.

At this point I'm thinking that the constraints of the problem make it unsolvable to the degree of accuracy that I want. I am just hoping to be proven wrong at this point.
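The port-stability heuristic described in the post above, combined with the packet-size fallback from the first post, as an added worked example; this is not code from the thread or from any of its participants. It scores each (ip, port) endpoint by how many distinct peers it talks to within the capture window; the endpoint whose port recurs across flows is called the server, and flows where neither side recurs (the single-flow case) are left "unknown" with only a data-direction guess from the average packet size. The flow records, field layout, the `min_peers` threshold and the `ack_size` cutoff are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not from the thread): one record per
# unidirectional flow seen in a 60-second capture window.  Because the
# capture is half duplex, each record carries only the direction we saw.
# Fields: src_ip, src_port, dst_ip, dst_port, direction, packets, bytes
SAMPLE_FLOWS = [
    ("10.0.0.5", 51022, "192.0.2.10", 8443, "out", 40, 52000),
    ("10.0.0.6", 49811, "192.0.2.10", 8443, "out", 12, 9000),
    ("10.0.0.7", 60210, "192.0.2.10", 8443, "out", 7, 4100),
    ("192.0.2.10", 8443, "10.0.0.8", 33044, "in", 90, 131000),
    # A lone flow: each endpoint appears exactly once, and port 80 on
    # its own proves nothing (restriction 2 in the first post).
    ("10.0.0.9", 44123, "198.51.100.3", 80, "out", 25, 1320),
]


def endpoint_peer_counts(flows):
    """Number of distinct remote (ip, port) peers seen per local (ip, port)."""
    peers = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port, *_ in flows:
        peers[(src_ip, src_port)].add((dst_ip, dst_port))
        peers[(dst_ip, dst_port)].add((src_ip, src_port))
    return {ep: len(p) for ep, p in peers.items()}


def classify_flows(flows, min_peers=2, ack_size=60):
    """Label each flow with a server verdict and a data-direction guess.

    min_peers: how many distinct peers an (ip, port) must have before its
               port is treated as "stable" (assumed threshold).
    ack_size:  average bytes/packet at or below which we assume we are
               looking at the pure-ACK side of a transfer (assumed cutoff).
    """
    counts = endpoint_peer_counts(flows)
    results = []
    for src_ip, src_port, dst_ip, dst_port, direction, pkts, nbytes in flows:
        src_ep, dst_ep = (src_ip, src_port), (dst_ip, dst_port)
        src_stable = counts[src_ep] >= min_peers
        dst_stable = counts[dst_ep] >= min_peers
        if src_stable and not dst_stable:
            verdict = "server=src"
        elif dst_stable and not src_stable:
            verdict = "server=dst"
        else:
            # Both stable (rare per the post) or neither (single flow):
            # the port-stability signal cannot decide this one.
            verdict = "unknown"

        # Packet-size fallback: an average near header size means the
        # packets we see are mostly bare ACKs, so the bulk data is flowing
        # the opposite way.  This gives directionality, not the server role.
        avg = nbytes / pkts if pkts else 0.0
        data_direction = "dst->src" if avg <= ack_size else "src->dst"

        results.append({
            "src": src_ep,
            "dst": dst_ep,
            "seen": direction,
            "verdict": verdict,
            "avg_pkt_bytes": round(avg, 1),
            "data_direction": data_direction,
        })
    return results


if __name__ == "__main__":
    for r in classify_flows(SAMPLE_FLOWS):
        print(r)
```

The threshold `min_peers=2` is deliberately low so the example stays readable; on a real 60-second window you would raise it and ignore source-port churn from a DoS, since randomly generated ports inflate peer counts on the victim side and make the "stable port" signal meaningless, exactly the failure mode the post sets aside.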
Define "server".
Define "client".
If you are looking at it on the basis of multiple connections, then the server is the one whose port number is stable from connection to connection (ignoring situations where both the client and server have stable ports, as these are not even 0.5% of any one trace, based on the analysis of around 10,000 traces collected).
For all practical purposes, the server is the process that is listening for incoming connections, while the client is the process that is issuing active opens to a server. There's no requirement for stable port numbers, and the roles are often flip-flopped around from their traditional interpretations (FTP-DATA, H.323, games, etc.).

--
Eric A. Hall
http://www.ehsco.com/
Internet Core Protocols
http://www.oreilly.com/catalog/coreprot/
For all practical purposes, the server is the process that is listening for incoming connections, while the client is the process that is issuing active opens to a server. There's no requirement for stable port numbers, and the roles are often flip-flopped around from their traditional interpretations (FTP-DATA, H.323, games, etc.).
Yes, there is no absolute requirement, but in terms of real world applications this is how most of them seem to act. I am not trying to take into account every variable or possibility, only those that roughly approximate observed traffic.