Identifying characteristics of certain categories network traffic (originating from load balancer or port based NAT)

views:

144

answers:

Identifying characteristics of certain categories network traffic (originating from load balancer or port based NAT)

I'm using a sniffer (such as Wireshark) to monitor network traffic.

I have no prior knowledge of the network topology. My purpose is to identify IPs as load balancers or NAT entry points.

How can I identify that a particular packet originated from a load balancer or has come through a firewall and has had port based network address translation (NAT) performed on it?

What identifying characteristics are there for either use case?

+1 A:

If there is no layer-3 (router) device between your point-of-capture and the balancer/firewall devices are layer-3, you could use the source-MAC to detect where the packets came from.

Actually, a lot depends on how the network appears from where you capture the packets.

Are the load-balancers on a different path/direction from the firewall? Like, is the firewall on the Internet side and the balancers towards the servers (or are they balancing the Internet link)?
Where are the layer-3 devices? Any between the capture point and these other devices? Are the balancer and/or firewall working as layer-3 devices?

nik 2009-06-23 07:50:20

I've edited the question a little; I don't know the LB or firewall device MAC address (or even if they exist).* The LB is balancing the firewall traffic.* There not necessarily any layer-3 devices in the observable topology.

abunetta 2009-06-23 07:59:38

ansaurus

tags:

views:

answers:

Identifying characteristics of certain categories network traffic (originating from load balancer or port based NAT)

related questions