Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Detecting NAT?

    Scheduled Pinned Locked Moved NAT
    4 Posts 2 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      ksoviero
      last edited by

      I was wondering if it is physically possible to detect an extra NAT device on a network?

      In other words, you have a large 10.0.0.0/8 network, and you setup your own 192.168.1.0/24 network inside.

      Can someone on the 10.0.0.0/8 network detect the NAT device as a NAT device, and not just another host?

      1 Reply Last reply Reply Quote 0
      • Cry HavokC
        Cry Havok
        last edited by

        Yes, and you'll find many articles on the Internet about this. The simplest check is to look at the TTL of the packets since different operating systems use different default values. Similarly there are other values in the packet header that can be used.

        Then of course you can look at things like browser user-agent strings and other browser provided information, which may allow you to detect individual machines.

        1 Reply Last reply Reply Quote 0
        • K
          ksoviero
          last edited by

          @Cry:

          Yes, and you'll find many articles on the Internet about this. The simplest check is to look at the TTL of the packets since different operating systems use different default values. Similarly there are other values in the packet header that can be used.

          Then of course you can look at things like browser user-agent strings and other browser provided information, which may allow you to detect individual machines.

          Are these concepts practical for long-term monitoring a network, or are they just proof of concepts?

          1 Reply Last reply Reply Quote 0
          • Cry HavokC
            Cry Havok
            last edited by

            Practical. The first - TTL checks - has been done by a number of ISPs for a few years now. Both the first 2 I've seen discussed for most of a decade now. Various tools like p0f exist which make this pretty trivial to do.

            The last, browser fingerprints, is another thing I've seen done for years now, though it is harder to do than the above so relatively few will bother with it. It does provide a rich source of information about a network (or individual computer) for those willing to put the effort in (for instance as well as the operating system it will often tell you the patch level and what version of things like Acrobat, Flash, Shockwave, .NET etc are installed).

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.