drwxr-xr-x 15 4.0K Jan 24 11:43 ..
-rw-r--r--  1 2.1K Feb 18  2007 FAQ
-rw-r--r--  1   99 Dec 28  2010 Platforms
-rw-r--r--  1 3.6K Feb 13  2011 README
-rw-r--r--  1  25K May 17  2005 natdet-1.0.5.tar.gz
-rw-r--r--  1  28K Apr 15  2010 natdet-
-rw-r--r--  1  28K Feb 22  2007 natdet-1.0.6.tar.gz
-rw-r--r--  1  28K Mar 11  2011 natdet-1.0.7.tar.gz
-rw-r--r--  1  29K May 11  2011 natdet-devel.tar.gz
lrwxrwxrwx  1   19 Feb 10  2013 natdet-latest.tar.gz -> natdet-1.0.7.tar.gz
-rw-r--r--  1 368K Feb 14  2011 natdet-screenshot-1.png
-rw-r--r--  1  336 Jan 22  2006 natdet_secured.png
-rw-r--r--  1 4.0K Feb 13  2011 signatures

  (c) Marcin Ulikowski 

Okay, so what's that?
NATDet is quite small but very useful (especially for network administrators)
tool. By using it, you're able to detect guys who share internet connection
illegaly, without your authorization and of course without payment.
As you see, with NATDet you can safe some money and time for catching packets
and hand-parsing them (grep, awk, etc). If you're some b0fh, NATDet is for you.

It's too beautiful to be real, don't you think?
No, I don't. Me and many other guys (thanks for testing) use it in our networks
and NATDet does very effective job. It also detects smart dudes who play with
TTL (+1 increasing, set to static, etc), with Linux router which shares
connection for other Windows box. Of course it works with other combinations,
but it's most popular example (also Windows shares for Windows).

Show me!
No problem. NATDet is easy to use. You need to select a device to listen to,
or you can use first avalible, detected by NATDet. You should take a look at
verbose output option (-v switch), which prints some useful informations about
used factors.
Here you have short demo:

[*] 20:22:57 19-08-2004: NAT at for 3 system(s) [100%]
    Used factors: OSGENRE TSTAMP TTL   |         |             |
                     |       |    |    |         |             |
    OS difference ---'       |    |    |         |             |
    TCP timestamp difference '    |    |         |             |
    TTL difference ---------------'    |         |             |
    (illegal) router address ----------'         |             |
    Number of used systems behind masquerade ----'             |
    Probability -----------------------------------------------'
In most cases probability is 100%. By default, NATDet reports masquerade only
if probability is more than 50% so you can have a solid basics to talk with
some bad user. If you need to write some logs, switch -l  is for you.
But if you don't like reading logs, use natstat.c which is pretty good NATDet
logs parser. By one command you can create nice statistics.

Any suggestions how to use it more effective?
Yes, setting some BPF (tcpdump-like) filter expression is a very good idea.
You can tell NATDet to read packets only from selected network/host. Try this:

# natdet -v -i eth0 'src host'
# natdet -v 'src net mask'

Read more about filter rules in man tcpdump.

Damn, it doesn't work...
Ups, sorry. NATDet requires pcap library (minimum 0.6.x). You can download it
from http://www.tcpdump.org/ or install from some package if avalible (must be)
Download latest avalible version. Still nothing? Please contact me with full
specification of platform you're running on.

Helping out
OS fingerprints are needed (just send dumps of some SYN packets). Also send
some comments/suggestions or compilation/running problems. Bugs reports are
welcome. Contact me via e-mail with detailed information of platform you're
running on.