
I'm using a sniffer (such as Wireshark) to monitor network traffic.

I have no prior knowledge of the network topology. My purpose is to identify IPs as load balancers or NAT entry points.

How can I identify that a particular packet originated from a load balancer or has come through a firewall and has had port based network address translation (NAT) performed on it?

What identifying characteristics are there for either use case?

David Resnick
  • Why do you care, for one thing? For another, why should there be identifying characteristics at all? – John Saunders Jun 23 '09 at 10:25
  • I care because knowing things like this is the purpose of my application. I don't know that there are identifying characteristics--the question is phrased optimistically. I'm just hoping that there are. – David Resnick Jun 23 '09 at 11:36

1 Answer


If there is no layer-3 (router) device between your point-of-capture and the balancer/firewall, and those devices are layer-3, you could use the source MAC to detect where the packets came from.

Actually, a lot depends on how the network appears from where you capture the packets.

  • Are the load-balancers on a different path/direction from the firewall? Like, is the firewall on the Internet side and the balancers towards the servers (or are they balancing the Internet link)?
  • Where are the layer-3 devices? Any between the capture point and these other devices? Are the balancer and/or firewall working as layer-3 devices?
nik
  • I've edited the question a little; I don't know the LB or firewall device MAC address (or even if they exist). * The LB is balancing the firewall traffic. * There are not necessarily any layer-3 devices in the observable topology. – David Resnick Jun 23 '09 at 07:59
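The answer's source-MAC idea can be turned into a simple capture-analysis check. A normal host only ever emits frames carrying its own IP as the source, so an Ethernet source MAC that fronts many different source IPs is a layer-3 hop (router, NAT firewall, or a balancer working at layer 3) that rewrote the Ethernet header. The script below is an added example, not code from the question or the answer; it assumes the capture has been exported with `tshark -r capture.pcap -T fields -e eth.src -e ip.src -e ip.dst` (tab-separated fields), and the embedded sample export is constructed with made-up addresses.

```python
from collections import defaultdict

# Constructed sample in the shape produced by
#   tshark -r capture.pcap -T fields -e eth.src -e ip.src -e ip.dst
# Columns: source MAC, source IP, destination IP. All addresses are made up.
SAMPLE_EXPORT = """\
00:11:22:33:44:01\t10.0.0.5\t10.0.0.80
00:11:22:33:44:02\t10.0.0.6\t10.0.0.80
aa:bb:cc:dd:ee:ff\t198.51.100.10\t10.0.0.80
aa:bb:cc:dd:ee:ff\t203.0.113.7\t10.0.0.80
aa:bb:cc:dd:ee:ff\t203.0.113.99\t10.0.0.80
aa:bb:cc:dd:ee:ff\t198.51.100.44\t10.0.0.80
00:11:22:33:44:50\t10.0.0.80\t198.51.100.10
"""


def parse_tshark_fields(text):
    """Parse tab-separated (eth.src, ip.src, ip.dst) lines.

    Frames without an IP layer (ARP, STP, ...) come out of tshark with empty
    ip.src/ip.dst columns and are skipped.
    """
    frames = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not all(parts):
            continue
        frames.append(tuple(parts))
    return frames


def ips_per_source_mac(frames):
    """Map each Ethernet source MAC to the sorted list of IP sources seen behind it."""
    mapping = defaultdict(set)
    for src_mac, src_ip, _dst_ip in frames:
        mapping[src_mac].add(src_ip)
    return {mac: sorted(ips) for mac, ips in mapping.items()}


def forwarding_device_candidates(frames, min_ips=3):
    """Return MACs that appear as the Ethernet source for at least min_ips distinct IPs.

    Such a MAC belongs to a device forwarding traffic at layer 3 (router, NAT
    firewall, layer-3 load balancer) rather than to an end host.
    """
    return {
        mac: ips
        for mac, ips in ips_per_source_mac(frames).items()
        if len(ips) >= min_ips
    }


if __name__ == "__main__":
    frames = parse_tshark_fields(SAMPLE_EXPORT)
    for mac, ips in forwarding_device_candidates(frames).items():
        print(f"{mac} fronts {len(ips)} source IPs: {', '.join(ips)}")
```

The check inherits the answer's caveats: it only works when no router sits between the capture point and the devices of interest (behind a router every frame carries the router's MAC, so everything collapses into one candidate), and a balancer or firewall operating transparently at layer 2 does not rewrite the Ethernet header at all, so it will not show up. The threshold `min_ips` is an assumption; on a busy segment a real forwarding hop will front far more than three addresses, and raising it cuts false positives from hosts with a handful of aliased addresses.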