Q: When I run natdet -i eth0 I always get "[!]: syntax error in filter rule".
A: The problem is probably in your pcap library. Try updating to a newer version (0.7.x and up), then run NATDet again. It should work. This problem is solved (tcp[13] == 2) in version 1.0.2 and up.

Q: Why does NATDet take so long to detect masquerade?
A: NATDet needs time to receive packets from at least two hosts on the "evil" network. If nobody is active, NATDet is unable to detect NAT, sorry.

Q: How to bypass it?
A: Well, I have no idea ;-)

Q: I use VMWare to emulate a Windows box on my Linux machine. Will NATDet detect illegal masquerade on my computer?
A: Probably yes, it will. If you use a virtual (W)LAN card, NATDet will detect you as an illegal router. However, there is one condition: the original and the emulated OS must be in use at the same time. In that case, NATDet will warn your administrator about masquerade with a maximum of 50% probability. In practice this value is generally about 30% or lower. Unfortunately, VMWare-like software may cause false warnings.

Q: Does NATDet count operating systems _only_ behind the router?
A: NATDet counts systems including the router. Note that systems reported as "Unknown" are NOT counted.

Q: I'm not sure how to interpret "for 2 system(s)" in the NATDet output. Does it mean 2 machines behind the router?
A: No, it is just the number of _different_ operating systems (not machines), including the router OS. For instance, if the router is running Linux 2.4 and shares the connection for two Windows XP machines, NATDet will tell you about 2 systems (not 3). Hope this "ASCII art" will help:

    Windows XP -----
                    \          NATDet: "for 2 system(s)"
    Linux 2.4 ------+----------- [router] ---- ... ---- (INTERNET)
                    /
    Windows XP -----

Q: NATDet detects NAT at some "exotic" hosts when I run it on my local interface (eth0). Why?
A: NATDet reads both outgoing and incoming packets passing through your Ethernet link. Setting up a BPF rule helps solve this problem, for example:

    # natdet -i eth0 'src net 192.168.0.0 mask 255.255.255.0'
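
The counting rule and the source-network filter from the answers above, as an added example (not NATDet's own code). It assumes each captured packet has already been fingerprinted into a (source IP, OS label) pair; the function names, the sample addresses and the alert threshold of 2 are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source IP, OS label) pairs, as if a passive
# fingerprinter had already classified each captured packet.
OBSERVATIONS = [
    ("192.168.0.7", "Linux 2.4"),    # the router's own traffic
    ("192.168.0.7", "Windows XP"),   # first machine behind it
    ("192.168.0.7", "Windows XP"),   # second machine, same OS
    ("192.168.0.7", "Unknown"),      # unrecognised fingerprint
    ("192.168.0.9", "Windows XP"),   # ordinary single host
    ("203.0.113.5", "Linux 2.4"),    # remote ("exotic") host, incoming
    ("203.0.113.5", "Windows XP"),
]


def systems_per_source(observations, local_net=None):
    """Map source IP -> set of distinct OS labels, skipping "Unknown".

    local_net plays the role of the BPF rule
    'src net 192.168.0.0 mask 255.255.255.0': other sources are ignored.
    """
    net = ipaddress.ip_network(local_net) if local_net else None
    seen = defaultdict(set)
    for src, os_label in observations:
        if net is not None and ipaddress.ip_address(src) not in net:
            continue                  # outside the monitored network
        if os_label == "Unknown":
            continue                  # "Unknown" systems are not counted
        seen[src].add(os_label)       # a set counts OSes, not machines
    return dict(seen)


def suspected_nat(observations, local_net=None, threshold=2):
    """Return {ip: system count} for sources showing >= threshold OSes.

    The threshold of 2 is an assumption of this example.
    """
    per_source = systems_per_source(observations, local_net)
    return {ip: len(oses) for ip, oses in per_source.items()
            if len(oses) >= threshold}


if __name__ == "__main__":
    # Without a filter the remote host is reported as well.
    print(suspected_nat(OBSERVATIONS))
    # With the source-network filter only the local router remains.
    print(suspected_nat(OBSERVATIONS, "192.168.0.0/255.255.255.0"))
```

The router at 192.168.0.7 is reported with 2 systems although three machines sit on that address, and the remote host disappears once the source filter is applied.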