[unisog] Identifying if node is a router or PC

Huba Leidenfrost huba at uidaho.edu
Tue Jul 17 05:47:00 GMT 2007


Assuming you have sniffing access and know which routers are yours on your
networks, why not choose a vantage point and watch TTL values being
decremented and IP ID range shifts?  Only passage through a router should
decrement the TTL value.  IP IDs usually are in a running range from each
other; the same PC from behind a NAT box should have a consistently
incrementing set of IP IDs.  Combine those with User-Agent: string watching
from HTTP packets and you have a pretty decent combination of techniques to
spot your routers vs. PCs.  You could also throw into the mix mining of
netflow data to see which PCs are auto-updating (detect which are visiting
their vendors update site/s).

Anyway, just some thoughts.  If you want some perl code to do the IP ID and
TTL mining, shoot me some email and I can share.  I got some of the code
from an individual at Baylor.edu.  I have not added the "User-Agent" or
netflow mining yet but it's on the huge to-do list of ideas for a rainy day.
Maybe you'd like to add that part. ;-)  I was just interested in seeing how
accurate the TTL + IP ID bit was without too much effort. It's pretty

Beauty is in the eye of the beholder and all that,

Huba Leidenfrost
huba at uidaho.edu

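One way to automate the TTL and IP ID check described above, as an added Python example that is not the poster's perl code: it takes constructed (src_ip, ttl, ip_id) observations, infers hop counts from the nearest common default TTL, and counts interleaved incrementing IP ID sequences per source address. The default TTL set (64/128/255), the 50-step ID gap and the sample capture are assumptions; stacks that randomize IP IDs defeat the second heuristic, so treat its result as a hint, not a verdict.

```python
from collections import defaultdict

DEFAULT_TTLS = (64, 128, 255)  # assumed initial TTLs: Linux/BSD, Windows, network gear
MAX_ID_GAP = 50                # assumed largest IP ID step within one host's sequence

def ttl_base_and_hops(ttl):
    """Map an observed TTL (0..255) to (assumed initial TTL, routers traversed)."""
    base = next(b for b in DEFAULT_TTLS if ttl <= b)
    return base, base - ttl

def count_ip_id_chains(ids, max_gap=MAX_ID_GAP):
    """Count interleaved incrementing IP ID sequences; more than one suggests NAT."""
    chains = []  # last IP ID seen for each chain
    for ip_id in ids:
        best, best_gap = None, None
        for i, last in enumerate(chains):
            gap = (ip_id - last) % 65536  # 16-bit wraparound
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = i, gap
        if best is None:
            chains.append(ip_id)  # fits no existing chain: a new host
        else:
            chains[best] = ip_id
    return len(chains)

def classify_sources(packets):
    """packets: iterable of (src_ip, ttl, ip_id) tuples in capture order."""
    by_src = defaultdict(list)
    for src, ttl, ip_id in packets:
        by_src[src].append((ttl, ip_id))
    report = {}
    for src, obs in by_src.items():
        info = [ttl_base_and_hops(t) for t, _ in obs]
        bases, hops = {b for b, _ in info}, {h for _, h in info}
        chains = count_ip_id_chains([i for _, i in obs])
        if len(bases) > 1 or chains > 1:
            verdict = "router/NAT (multiple hosts behind it)"
        else:
            verdict = "directly attached PC" if hops == {0} else "single host behind a router"
        report[src] = {"ttl_bases": sorted(bases), "hops": sorted(hops),
                       "ip_id_chains": chains, "verdict": verdict}
    return report

# Constructed sample capture: local PC; NAT box fronting Linux+Windows hosts; host two hops away.
SAMPLE_PACKETS = [
    ("10.0.0.5", 64, 100), ("10.0.0.5", 64, 101), ("10.0.0.5", 64, 102),
    ("10.0.0.1", 63, 500), ("10.0.0.1", 127, 9000), ("10.0.0.1", 63, 501),
    ("10.0.0.1", 127, 9001), ("10.0.0.1", 63, 502),
    ("10.0.1.7", 126, 2000), ("10.0.1.7", 126, 2001), ("10.0.1.7", 126, 2002),
]
```

Run `classify_sources(SAMPLE_PACKETS)` against tuples pulled from a sniffer to get a per-source verdict; the NAT box address shows two TTL bases and two ID chains while the lone hosts show one of each.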