Issue (Open), opened by ahdkhalid 6 years ago
Could you attach a picture of the output plot? And if you feel comfortable could you attach a copy of your capture file? I'd be happy to take a look for you.
Sorry, that is my bad; it was a long working day, and very, very surprisingly I confused the x and y axes. However, can you explain this plot to me? How can this show me the number of clients behind NAT? As far as I know there are two. What is the Y axis? Will you state which algorithm it is, and is there a paper regarding this algorithm? Here is the pcap file attached:
This technique relies on operating-system-specific behavior that may have changed in recent versions of operating systems (I think I last used this code in 2013). Last time I was working in the field, Windows systems had linearly incrementing ipid fields, so you would see a line on the plot, and Linux and Mac would use a random value (though Linux machines would increment the number for subsequent packets in the same flow, creating small lines). I just took a quick Windows 10 packet capture and it looks like the ipid strategy has changed: I see something more like Linux, where the field increments for subsequent packets in a flow but is randomized for each new flow.
I'd recommend trying your experiment again with a larger capture (I would generally have thousands of packets), and make sure you include a tcpdump-style filter on the command line (e.g. ip src 10.0.2.15). For Linux-like operating systems you can also count them using the TCP timestamp optional field with the tcptsval option to the script, but this won't work on Windows because it doesn't include that field in its TCP traffic.
My first blog post on this technique has more details (including a bibliography): http://memeover.arkem.org/2012/02/identifying-computers-behind-nat-with.html
The key papers are:
Source attribution for network address translated forensic captures - https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B9hc84IflFGbODRjMzc4ZjgtNWJiNS00NWRlLWJhYjQtZTk3Mjg1ODc0ODA3&pli=1#
Network forensics - A Practical Introduction - https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B9hc84IflFGbZTkyODRjYzUtNzNiYi00MzNhLWI3OTEtM2M4ZWRkMjQzZDk4&pli=1#
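The two messages above describe the technique only in words: every host keeps its own IP ID counter (16-bit, so values run 0..65535), and a host whose counter increments linearly shows up as one rising line on a plot of packet order against IP ID, while a host that randomizes the ID per flow produces many short segments. The following is an added example, not plotpcap.py or any code from this project: it builds a small constructed capture (two hosts sharing the NAT address 10.0.2.15, plus an unrelated source the filter should drop), parses the classic pcap format with the standard library only, and counts rising sequences with a simple greedy heuristic of my own (a value joins the existing sequence it continues within a chosen gap, otherwise it starts a new one). The gap thresholds and the sample values are assumptions chosen for the demonstration.

```python
import socket
import struct

IPID_MOD, TSVAL_MOD = 1 << 16, 1 << 32  # both counters wrap around at these moduli

# ---- minimal pcap / Ethernet / IPv4 / TCP builder, used only to construct sample input ----
def build_packet(src_ip, ipid, tsval=None):
    """One payload-less Ethernet/IPv4/TCP frame with the given IP ID and, optionally, a
    TCP timestamp option (NOP, NOP, kind 8, length 10). Checksums are left as zero."""
    opts = b"\x01\x01" + struct.pack("!BBII", 8, 10, tsval, 0) if tsval is not None else b""
    data_offset = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, 0x18, 8192, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ipid, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("93.184.216.34")) + tcp
    return struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800) + ip

def build_pcap(frames):
    """Classic little-endian pcap file: magic 0xa1b2c3d4, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records

# ---- parser: pcap records -> (ipid, tsval) for IPv4/TCP packets from one source ----
def parse_tsval(opts):
    """Walk TCP options and return TSval from a kind-8 option, or None if absent."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:               # end of option list
            break
        if kind == 1:               # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                   # truncated or malformed option
        length = opts[i + 1]
        if kind == 8 and length == 10 and i + 10 <= len(opts):
            return struct.unpack("!I", opts[i + 2:i + 6])[0]
        i += length
    return None

def iter_ipv4_tcp(pcap_bytes, src_filter=None):
    """Yield (ipid, tsval_or_None) per IPv4/TCP packet; src_filter plays the role of
    the 'ip src X' capture filter mentioned in the thread."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue
        ihl = (frame[14] & 0x0F) * 4
        ipid, proto = struct.unpack("!H", frame[18:20])[0], frame[23]
        if proto != 6 or (src_filter and socket.inet_ntoa(frame[26:30]) != src_filter):
            continue
        tcp = frame[14 + ihl:]
        doff = (tcp[12] >> 4) * 4
        yield ipid, parse_tsval(tcp[20:doff])

# ---- counting: how many independent counters are needed to explain the values? ----
def count_sequences(values, modulus, max_gap):
    """Greedy heuristic (assumption, not the project's algorithm): each value joins the
    sequence whose last value it most closely continues (0 <= delta <= max_gap, modulo
    wraparound; delta 0 tolerates retransmissions), otherwise it starts a new sequence."""
    tails = []
    for v in values:
        best, best_delta = None, None
        for i, t in enumerate(tails):
            d = (v - t) % modulus
            if d <= max_gap and (best_delta is None or d < best_delta):
                best, best_delta = i, d
        if best is None:
            tails.append(v)
        else:
            tails[best] = v
    return len(tails)

def estimate_hosts(pcap_bytes, src_filter=None):
    pkts = list(iter_ipv4_tcp(pcap_bytes, src_filter))
    tsvals = [ts for _, ts in pkts if ts is not None]
    return {"packets": len(pkts),
            "ipid_sequences": count_sequences([i for i, _ in pkts], IPID_MOD, 512),
            "tsval_sequences": count_sequences(tsvals, TSVAL_MOD, 60_000)}

def constructed_capture():
    """Constructed sample: host A (older Windows behaviour: linear IP ID, no TCP timestamps)
    and host B (Linux-like: per-flow random IP ID start, one monotonic TSval clock), both
    NATed to 10.0.2.15, interleaved with packets from an unrelated source 10.0.2.2."""
    frames, a_id, b1_id, b2_id, ts = [], 1000, 65533, 20000, 500_000
    for k in range(6):
        frames.append(build_packet("10.0.2.15", (a_id + k) % IPID_MOD))                      # A
        frames.append(build_packet("10.0.2.15", (b1_id + k) % IPID_MOD, tsval=ts + 20 * k))  # B, flow 1 (wraps)
        if k % 2 == 0:
            frames.append(build_packet("10.0.2.15", b2_id + k // 2, tsval=ts + 20 * k + 7))  # B, flow 2
        frames.append(build_packet("10.0.2.2", 7 * k))                                       # dropped by filter
    return build_pcap(frames)

if __name__ == "__main__":
    print(estimate_hosts(constructed_capture(), "10.0.2.15"))
```

On the constructed capture the IP ID method reports 3 sequences for 2 hosts (host B's two flows look like two counters), while the TCP timestamp method reports 1 (host A sends no timestamp option at all), which is exactly the blind spot each message above describes: per-flow randomized IDs inflate the IP ID count, and the timestamp count only sees hosts that send the option. One further caveat from my side: Linux kernels from 4.10 onward randomize the TCP timestamp offset per connection as well, so on current Linux clients the TSval method degrades the same way the IP ID method does.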
Hello. Firstly, I struggled a lot trying to run the script. The problem was installing the pcap module; I kept encountering pip errors. Finally I ran it by installing the pypcap module. Anyway! I captured the traffic of two clients behind NAT (Windows and Lubuntu) who browsed Google, Facebook and two other websites, and that is it. Total number of packets captured: 100. I ran the script like so: python plotpcap.py packetcapture.cap number ipid ip src 10.0.2.15, but the plot I get is weird. There were only two clients. Why are there so many dots? And the x-axis goes to 60000, while at most it can be 100 (the total number of packets) even if we consider that every packet matched the filter(s).
Any clue?