I'm using a sniffer (such as Wireshark) to monitor network traffic.

I have no prior knowledge of the network topology. My purpose is to identify IPs as load balancers or NAT entry points.

How can I identify that a particular packet originated from a load balancer or has come through a firewall and has had port based network address translation (NAT) performed on it?

What identifying characteristics are there for either use case?

+1  A: 

If there is no layer-3 (router) device between your point-of-capture and the balancer/firewall, and the balancer/firewall devices are themselves layer-3, you could use the source MAC to detect where the packets came from.

Actually, a lot depends on how the network appears from where you capture the packets.

  • Are the load-balancers on a different path/direction from the firewall? Like, is the firewall on the Internet side and the balancers towards the servers (or are they balancing the Internet link)?
  • Where are the layer-3 devices? Any between the capture point and these other devices? Are the balancer and/or firewall working as layer-3 devices?
nik
I've edited the question a little; I don't know the LB or firewall device MAC address (or even if they exist). The LB is balancing the firewall traffic. There are not necessarily any layer-3 devices in the observable topology.
abunetta
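The source-MAC approach from the answer, as an added example that is not part of the original post or its author's code: a minimal Ethernet/IPv4/TCP parser that groups frames by source MAC and applies the heuristic that a MAC emitting frames on behalf of several distinct source IPs is a layer-3 forwarder (router, firewall, NAT gateway or routed balancer) rather than an end host. The frames, MAC and IP values are constructed inline, and the threshold of two distinct IPs per MAC is an assumption chosen for the sample, not a figure from the post.

```python
"""
Added example (not from the original Q&A): classify capture sources by
the number of distinct source IPs seen behind each source MAC.
The sample frames below are constructed for illustration only.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6


def mac_str(raw):
    """Render 6 raw bytes as a colon-separated lowercase MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    """Construct a raw Ethernet II + IPv4 + TCP SYN frame with no payload.
    Checksums are left at zero: this is sample input, not real traffic."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_src = bytes(int(o) for o in src_ip.split("."))
    ip_dst = bytes(int(o) for o in dst_ip.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64,
                     IPPROTO_TCP, 0, ip_src, ip_dst)
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), win, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02,
                      65535, 0, 0)
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, src_port, dst_port) for an IPv4 frame,
    or None for anything that is not IPv4 (ports are None if not TCP)."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port = dst_port = None
    if proto == IPPROTO_TCP and len(ip) >= ihl + 4:
        src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (mac_str(src_mac), src_ip, dst_ip, src_port, dst_port)


def classify_sources(frames, l3_threshold=2):
    """Group frames by source MAC. A MAC seen with at least l3_threshold
    distinct source IPs is labelled a layer-3 forwarder, since only a
    device that routes or translates on behalf of others emits frames for
    many IPs; a MAC tied to a single IP is labelled a host. The threshold
    is an assumption for this sample."""
    ips_by_mac = defaultdict(set)
    for f in frames:
        parsed = parse_frame(f)
        if parsed is None:
            continue                  # ARP, IPv6, truncated: not classified
        src_mac, src_ip, _, _, _ = parsed
        ips_by_mac[src_mac].add(src_ip)
    result = {}
    for mac, ips in ips_by_mac.items():
        role = "layer-3 forwarder" if len(ips) >= l3_threshold else "host"
        result[mac] = {"role": role, "ips": sorted(ips)}
    return result


# Constructed sample capture: one plain host, one gateway relaying three
# Internet-side addresses (RFC 5737 documentation ranges), one ARP frame.
SAMPLE_FRAMES = [
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:50", "10.0.0.5", "10.0.0.80", 51000, 443),
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:50", "10.0.0.5", "10.0.0.80", 51001, 443),
    build_frame("aa:bb:cc:00:00:fe", "aa:bb:cc:00:00:50", "203.0.113.7", "10.0.0.80", 40001, 443),
    build_frame("aa:bb:cc:00:00:fe", "aa:bb:cc:00:00:50", "198.51.100.3", "10.0.0.80", 40002, 443),
    build_frame("aa:bb:cc:00:00:fe", "aa:bb:cc:00:00:50", "192.0.2.9", "10.0.0.80", 40003, 443),
    bytes.fromhex("ffffffffffff" "aabbcc000001") + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
]

if __name__ == "__main__":
    for mac, info in classify_sources(SAMPLE_FRAMES).items():
        print(mac, info["role"], info["ips"])
```

Note the caveat the answer raises: this only tells you which MAC on your own segment is forwarding for many addresses. If a router sits between the capture point and the balancer or firewall, every packet from beyond it carries that router's source MAC, and the heuristic identifies the router, not the device behind it.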