Deep Packet Inspection

9 Posts
7 Users
0 Reactions
660 Views
(@thall)
Trusted Member
Joined: 16 years ago
Posts: 53
Topic starter  

Hi there, I don't want to give any details, but a few people on our course and I believe deep packet inspection is going on at our ISP in regards to NAT detection. We have worked out that on an Ubuntu system with the standard TTL value of 64 the traffic goes through, but if we change this to 63, so that it appears to have gone through a NAT router, the packet is stopped. Other than doing this test, does anyone know of a way to prove that they are unpacking our data down to the IP layer?

Thanks in advance.


   
Quote
ecophobia
(@ecophobia)
Estimable Member
Joined: 17 years ago
Posts: 127
 

Can you repost this on 1st April next year please?


   
ReplyQuote
(@captainf)
Trusted Member
Joined: 17 years ago
Posts: 60
 

Pretty much all consumer internet connections make use of NAT otherwise how would you connect your 15 PCs to your home broadband? Without NAT the internet would have run out of IP addresses a long long time ago.

And besides, TTL and NAT have nothing to do with each other?

NAT translates your connection to allow multiple internal IPs to use one external-facing IP. TTL is to do with the maximum hops a packet can go through until the packet gets dropped.


   
ReplyQuote
(@thall)
Trusted Member
Joined: 16 years ago
Posts: 53
Topic starter  

I wasn't saying that the ISP was making use of NAT; of course I know they use it. I apologise if I wasn't clear: they are using NAT detection, and one way of detecting NAT is hop count computation, reading the IP header and using the TTL.


   
ReplyQuote
(@ba2llb)
Eminent Member
Joined: 16 years ago
Posts: 38
 

And besides TTL and NAT have nothing to do with each other?

Network Address Translators decrement IP TTL values of all translated packets. An article written by Peter Phaal "Detecting NAT Devices using sFlow" addresses this issue.

In the article Phaal writes, "The NAT detection technique is based on two observations about the IP TTL (Time To Live) field.

1. Host operating systems have characteristic initial TTL values. This property of individual operating system implementations of TCP/IP is well known and can be used as part of a "fingerprint" to identify the operating system that a host is running merely by examining its traffic. The technique is well described in Passive OS Fingerprinting Details and Techniques by Toby Miller.
2. NAT devices or gateways decrement the TTL on packets that they forward."


   
ReplyQuote
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

If I remember correctly, all routers should decrement the TTL even if they're not running NAT.

I guess I should go read the article.

-David


   
ReplyQuote
jhup
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

kovar is correct that all routers should decrement TTL.

But, for example, bridges, firewalls, proxies, and reverse proxies can be set to decrease TTL or not.

This can be done on routers too. The JUNOS command is "no-propagate-ttl"; I forgot the IOS one. Some will even allow an increase of TTL…

If you can set the TTL to 63, what stops you from setting it to 65? It is a byte long, after all.


   
ReplyQuote
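The heuristic ba2llb quotes from Phaal (characteristic initial TTLs, one decrement per forwarding device) and the limits jhup raises (a hand-set TTL, devices that do not decrement) can be made concrete. The following is an added example, not code from the thread or from Phaal's sFlow article: it infers the initial TTL and hop count for each observed packet and compares that with the known hop distance between the customer endpoint and the monitoring point. The sample records, the addresses, and the assumption that the sampling point sits one router hop from the customer are all constructed for illustration.

```python
"""TTL-based NAT heuristic as described in the thread, with its known blind spots.

Added example; not the forum's or Phaal's code. Records, addresses and the
monitoring point's hop distance (expected_hops) are constructed assumptions.
"""

# Observation 1 (Phaal): operating systems start packets with characteristic TTLs.
INITIAL_TTLS = (32, 64, 128, 255)

# A hop count above this is treated as noise rather than as evidence of NAT:
# a hand-set TTL of 65 would otherwise read as "128 minus 63 hops".
MAX_PLAUSIBLE_HOPS = 30


def infer_initial_ttl(observed_ttl: int) -> int:
    """Smallest characteristic initial TTL that could have produced the observed value."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 1..255")
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise AssertionError("unreachable: 255 always matches")


def hop_count(observed_ttl: int) -> int:
    """Observation 2 (Phaal): each router (and each NAT gateway) decrements TTL,
    so initial minus observed is the number of decrementing devices crossed."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def classify(observed_ttl: int, expected_hops: int) -> str:
    """Compare the inferred hop count with the known path length.

    direct        : exactly the expected number of decrements
    suspected_nat : extra decrements, consistent with a gateway in the customer premises
    inconsistent  : fewer decrements than the path requires (a non-decrementing device,
                    or a host using a non-default initial TTL)
    implausible   : hop count beyond MAX_PLAUSIBLE_HOPS, e.g. a hand-set TTL of 65
    """
    hops = hop_count(observed_ttl)
    if hops > MAX_PLAUSIBLE_HOPS:
        return "implausible"
    if hops == expected_hops:
        return "direct"
    if hops > expected_hops:
        return "suspected_nat"
    return "inconsistent"


# Constructed (source address, observed TTL) pairs as a flow sampler on the ISP side
# of an access router might see them; the access router accounts for one hop.
SAMPLE_RECORDS = [
    ("192.0.2.10", 63),   # Linux host (64) directly on the access link
    ("192.0.2.11", 62),   # Linux host behind one extra forwarding device
    ("192.0.2.12", 127),  # Windows host (128) directly on the access link
    ("192.0.2.13", 65),   # host whose TTL was set by hand to 65 (jhup's point)
    ("192.0.2.14", 64),   # arrived undecremented: non-propagating hop or custom TTL
]


def analyse(records, expected_hops: int = 1) -> dict:
    """Map each (src, ttl) pair to its classification."""
    return {(src, ttl): classify(ttl, expected_hops) for src, ttl in records}


if __name__ == "__main__":
    for (src, ttl), verdict in analyse(SAMPLE_RECORDS).items():
        print(f"{src:12} ttl={ttl:3} initial={infer_initial_ttl(ttl):3} "
              f"hops={hop_count(ttl):2} -> {verdict}")
```

The two non-"direct" verdicts other than "suspected_nat" are the point of jhup's objection: the heuristic can only count decrements it assumes were made, so a host that picks its own TTL, or a device that forwards without decrementing, produces a result the rule cannot attribute to NAT with any confidence.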
(@thefuf)
Reputable Member
Joined: 17 years ago
Posts: 262
 

Network Address Translators decrement IP TTL values of all translated packets. An article written by Peter Phaal "Detecting NAT Devices using sFlow" addresses this issue.

http://www.forensicswiki.org/wiki/NAT_detection


   
ReplyQuote
jhup
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

If and only if they follow the rules.

Network Address Translators decrement IP TTL values of all translated packets. An article written by Peter Phaal "Detecting NAT Devices using sFlow" addresses this issue.

http://www.forensicswiki.org/wiki/NAT_detection


   
ReplyQuote
Share: