-------------------------------------------------------------------------------
NATDet - README
(c) Marcin Ulikowski
-------------------------------------------------------------------------------

Okay, so what's that?
-------------------------------------------------------------------------------

NATDet is a small but very useful tool (especially for network administrators).
With it you can detect guys who share their internet connection illegally,
without your authorization and, of course, without paying for it. As you can
see, NATDet saves you some money, and the time you would otherwise spend
catching packets and hand-parsing them (grep, awk, etc.). If you're some b0fh,
NATDet is for you.

It's too beautiful to be real, don't you think?
-------------------------------------------------------------------------------

No, I don't. Many other guys (thanks for testing) and I use it in our networks,
and NATDet does a very effective job. It also detects the smart dudes who play
with the TTL (incrementing it by 1, setting it to a static value, etc.) on a
Linux router that shares the connection for a Windows box behind it. Of course
it works with other combinations too, but that is the most popular example
(Windows sharing for Windows is another).

Show me!
-------------------------------------------------------------------------------

No problem. NATDet is easy to use. You need to select a device to listen on, or
you can use the first available one, as detected by NATDet. Take a look at the
verbose output option (-v switch), which prints some useful information about
the factors used. Here is a short demo:

[*] 20:22:57 19-08-2004: NAT at 192.168.0.69 for 3 system(s) [100%]
                                |                |           |
Used factors: OSGENRE TSTAMP TTL|                |           |
              |       |      |  |                |           |
OS difference '       |      |  |                |           |
TCP timestamp diff. --'      |  |                |           |
TTL difference --------------'  |                |           |
(illegal) router address -------'                |           |
Number of used systems behind masquerade --------'           |
Probability -------------------------------------------------'

In most cases the probability is 100%.
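As an added example (not NATDet's own code), here is the factor logic from the demo in a few lines of Python: the distinct OS genres, distinct TCP timestamp clocks and distinct TTLs seen from one address are combined into a system count and a probability. The scoring formula, the 1 kHz clock bound and the sample SYNs are assumptions made for illustration.

```python
from collections import namedtuple

# One SYN seen from the suspect address: capture time (s), IP TTL, TCP timestamp
# value (None when the option is absent) and the OS genre a p0f-style SYN
# fingerprint assigned to it. The scoring below is an assumption, not NATDet's.
Syn = namedtuple("Syn", "t ttl tsval os")

MAX_TS_HZ = 1000  # RFC 1323 timestamp clocks tick at most ~1 kHz
SLACK = 50        # tolerated jitter, in ticks, when matching a clock

def timestamp_clocks(syns):
    """Count distinct TCP timestamp clocks: a single host's TSval never goes
    backwards and advances at most MAX_TS_HZ per second, so a value outside
    that window for every known clock belongs to another machine."""
    clocks = []  # [last_time, last_tsval] per clock
    for s in sorted(syns, key=lambda s: s.t):
        if s.tsval is None:
            continue
        for c in clocks:
            if c[1] <= s.tsval <= c[1] + MAX_TS_HZ * (s.t - c[0]) + SLACK:
                c[0], c[1] = s.t, s.tsval
                break
        else:
            clocks.append([s.t, s.tsval])
    # a sender that omits the option altogether is its own "clock"
    return len(clocks) + int(any(s.tsval is None for s in syns))

def detect_nat(src, syns, threshold=50):
    """Combine the three NATDet factors; report NAT when probability > threshold."""
    factors = {"OSGENRE": len({s.os for s in syns}),
               "TSTAMP": timestamp_clocks(syns),
               "TTL": len({s.ttl for s in syns})}
    used = [f for f, n in factors.items() if n > 1]
    prob = 100 * len(used) // len(factors)  # assumed: share of disagreeing factors
    return {"src": src, "systems": max(factors.values()), "prob": prob,
            "used": used, "nat": prob > threshold}

# Constructed capture: a Linux router (1 kHz clock) masquerading a Windows box
# that sends no timestamps and a second box whose TTL is one hop lower.
SAMPLE = [Syn(0.0, 64, 5_000_000, "Linux"), Syn(0.5, 64, None, "Windows"),
          Syn(1.0, 63, 12_345, "Windows"), Syn(2.0, 64, 5_002_000, "Linux"),
          Syn(3.0, 63, 12_545, "Windows")]

if __name__ == "__main__":
    r = detect_nat("192.168.0.69", SAMPLE)
    print(f"NAT at {r['src']} for {r['systems']} system(s) [{r['prob']}%] "
          f"Used factors: {' '.join(r['used'])}")
```

Normalising the TTL to a static value (the trick mentioned above) only silences the TTL factor; the OS and timestamp factors still disagree, so the report stays above the 50% threshold.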
By default, NATDet reports a masquerade only if the probability is above 50%,
so you have a solid basis to talk with the bad user. If you need to write
logs, the -l switch is for you. And if you don't like reading logs, use
natstat.c, which is a pretty good parser for NATDet logs: with one command you
can create nice statistics.

Any suggestions how to use it more effectively?
-------------------------------------------------------------------------------

Yes, setting a BPF (tcpdump-like) filter expression is a very good idea. You
can tell NATDet to read packets only from a selected network or host. Try
this:

  # natdet -v -i eth0 'src host 192.168.0.69'
  # natdet -v 'src net 192.168.0.0 mask 255.255.255.0'

Read more about filter rules in man tcpdump.

Damn, it doesn't work...
-------------------------------------------------------------------------------

Oops, sorry. NATDet requires the pcap library (minimum 0.6.x). You can
download it from http://www.tcpdump.org/ or install it from a package if one is
available (there must be one). Download the latest available version. Still
nothing? Please contact me with the full specification of the platform you're
running on.

Helping out
-------------------------------------------------------------------------------

OS fingerprints are needed (just send dumps of some SYN packets). Also send
comments/suggestions or compilation/running problems. Bug reports are welcome.
Contact me via e-mail with detailed information about the platform you're
running on.

Some useful links
-------------------------------------------------------------------------------

"Transmission Control Protocol"
http://www.faqs.org/rfcs/rfc793.html

"Internet Protocol"
http://www.faqs.org/rfcs/rfc791.html

"TCP Extensions for High Performance"
http://www.faqs.org/rfcs/rfc1323.html

"p0f - passive OS fingerprinting tool"
http://lcamtuf.coredump.cx/p0f/

"masqdet"
http://toxygen.net/misc/masqdet-a1.tar.gz