Network Riddle

With an IP matrix containing src/dst IP and ports (of flows, not
individual packets) distilled from a 60-second-long tcpdump, how can you
determine who is the server and who is the client?

Larry Sheldon wrote:

> With an IP matrix containing src/dst IP and ports (of flows, not
> individual packets) distilled from a 60-second-long tcpdump, how can you
> determine who is the server and who is the client?

Define "server".

Define "client".

If you are looking at it on the basis of multiple connections, then the
server is the one whose port number is stable from connection to
connection (ignoring situations where both the client and server have
stable ports, as these are not even 0.5% of any one trace, based on the
analysis of around 10,000 traces collected). However, you cannot be
assured that a single, unique flow will not contain a significant
percentage of the bits moving along the network.

And yes, I know this will break down entirely when we reach the
singularity of DoS attacks with randomly generated src and dst ports.
I'm ignoring those for the moment.

I am only looking at TCP at this time. I am not looking for 100%
accuracy in all cases at this time. What the applications are doing
doesn't matter.

At this point I'm thinking that the constraints of the problem make it
unsolvable to the degree of accuracy that I want. I am just hoping to be
proven wrong.
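The port-stability heuristic described above, worked through as an added example that is not part of the original thread or anyone's posted code. The flow matrix is constructed (documentation-range addresses), and the code assumes each flow is a 5-tuple of src IP, src port, dst IP, dst port and byte count whose recorded src/dst direction cannot be trusted, which is exactly the situation in the question. An endpoint (IP, port) that appears across many distinct connections is taken as the server side; a flow whose two endpoints each appear only once (or are both stable) is left unclassified, and the share of bytes in such flows is reported, since that is the failure mode the reply warns about.

```python
from collections import defaultdict

# Constructed sample: one minute of TCP flows as
# (src_ip, src_port, dst_ip, dst_port, bytes). The src/dst order is
# whatever the capture happened to record first and is deliberately
# inconsistent, so only port stability across connections is used.
FLOWS = [
    ("192.0.2.10", 51234, "198.51.100.5", 80, 1200),
    ("192.0.2.11", 49152, "198.51.100.5", 80, 3400),
    ("198.51.100.5", 80, "192.0.2.12", 60001, 900),      # server recorded as src
    ("192.0.2.13", 55555, "198.51.100.5", 80, 15000),
    ("192.0.2.10", 51235, "198.51.100.7", 22, 2000),
    ("192.0.2.14", 40000, "198.51.100.7", 22, 2500),
    ("203.0.113.9", 20, "192.0.2.10", 51240, 9_000_000),  # FTP-DATA style: one flow, most of the bytes
]


def endpoint_peer_counts(flows):
    """Number of distinct peers seen by each (ip, port) endpoint.

    A stable server port talks to many ephemeral peers; an ephemeral
    client port talks to exactly one peer. Direction is ignored.
    """
    peers = defaultdict(set)
    for sip, sport, dip, dport, _ in flows:
        peers[(sip, sport)].add((dip, dport))
        peers[(dip, dport)].add((sip, sport))
    return {ep: len(p) for ep, p in peers.items()}


def classify_flows(flows):
    """Label each flow's server and client endpoint by port stability.

    Returns a list of dicts {"server", "client", "bytes"}; server and
    client are None when neither endpoint is more stable than the other
    (a lone unique flow, or both sides on fixed ports), which the
    heuristic cannot decide.
    """
    counts = endpoint_peer_counts(flows)
    result = []
    for sip, sport, dip, dport, nbytes in flows:
        a, b = (sip, sport), (dip, dport)
        if counts[a] > counts[b]:
            server, client = a, b
        elif counts[b] > counts[a]:
            server, client = b, a
        else:
            server = client = None  # undecidable from port stability alone
        result.append({"server": server, "client": client, "bytes": nbytes})
    return result


def unclassified_byte_share(classified):
    """Fraction of all bytes carried by flows the heuristic could not label."""
    total = sum(f["bytes"] for f in classified)
    unknown = sum(f["bytes"] for f in classified if f["server"] is None)
    return unknown / total if total else 0.0


if __name__ == "__main__":
    labelled = classify_flows(FLOWS)
    for f in labelled:
        print(f)
    print(f"unclassified byte share: {unclassified_byte_share(labelled):.3f}")
```

On this sample every flow to 198.51.100.5:80 and 198.51.100.7:22 is labelled correctly, but the single large transfer is left unlabelled and accounts for over 99% of the bytes, which is the "one unique flow carrying most of the bits" problem the reply describes; a byte-weighted accuracy figure therefore looks very different from a flow-count one.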

For all practical purposes, the server is the process that is listening
for incoming connections, while the client is the process that is issuing
active opens to a server. There's no requirement for stable port numbers,
and the roles are often flip-flopped around from their traditional
interpretations (FTP-DATA, H.323, games, etc).

Yes, there is no absolute requirement, but in terms of real-world
applications this is how most of them seem to act. I am not trying to
take into account every variable or possibility, only those that roughly
approximate observed traffic.