
Gateway's Role

We still do not know much about the topology we are dealing with. The fact that only ten machines show up as sources (Figure 2.4) lets us speculate that the device with the MAC address 00:00:0c:04:b2:33 is a network address translation (NAT) gateway. To support this claim, we ran a query that shows the IP time to live (TTL) values per source IP address. We would expect exactly one TTL per IP address, except for a NAT gateway which guards machines with different operating systems. Why different operating systems? Assuming that the NAT gateway protects a non-routed network, the resulting TTLs for packets leaving the network would be the same for all the packets, unless the machines used different initial TTL values. As [24] shows, different operating systems utilize different initial TTL numbers. Hence our claim: a NAT gateway shows a variety of TTLs if it protects machines with different operating systems. Let us verify whether this is the case in our data set. Figure 2.10 shows the TTLs per source IP.

Figure 2.10: TTLs per source IP for traffic originating behind 00:00:0c:04:b2:33. (image SIP_TTL_33 not reproduced here)

The result supports our speculation that we are dealing with a NAT device. As a next step we tried to determine the operating systems associated with the IP addresses. Using [24], we attempted to map these addresses to operating systems, which turned out to be impossible. The initial TTL values for operating systems are commonly 30, 32, 60, 64, 128 or 255. Assuming the end systems are not too far away from the gateway, most of the values showing up should be in close proximity to these numbers. What we see in the logs is very different though. There are values like 36, which would have to stem from an initial value of either 60 or 64. This would result in a hop count of 24 (60-36=24). This does not seem right. Someone must be playing with these values.

The fact that we have TTLs in a contiguous range suggests that there is a routed network behind the gateway. However, the chain of 122, 123, 124 and 125 would indicate that there is a machine in each of the subnets. Something seems to be wrong. We will later investigate this along with the strange TTLs discussed in the last paragraph (see Section 3.6 in [15]).
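As an added example (not part of the original analysis), the following Python script applies the TTL reasoning above to a few constructed (source IP, TTL) records: it groups the observed TTLs per source, maps each value to the nearest common initial TTL and the implied hop count, and flags sources that show several TTLs (a NAT candidate) or an implausible hop count such as the value 36 discussed above. The initial-TTL list is the one quoted from [24]; the hop-count threshold and the sample addresses are assumptions made for this example.

```python
from collections import defaultdict

# Initial TTL values commonly used by operating systems (as cited from [24]).
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)

# Assumption for this example: more hops than this between an end system and
# the capture point is treated as implausible and worth a closer look.
MAX_PLAUSIBLE_HOPS = 12

def infer_initial_ttl(observed):
    """Return (initial TTL, hop count) for an observed TTL value.
    A TTL only decreases in transit, so the initial value cannot be smaller
    than the observed one; we pick the smallest common initial TTL >= observed.
    Returns (None, None) if no common initial value fits."""
    for init in INITIAL_TTLS:
        if init >= observed:
            return init, init - observed
    return None, None

def analyse_ttls(records):
    """records: iterable of (src_ip, ttl). Groups TTLs per source, infers the
    initial TTL and hop count for each distinct value, and flags sources that
    show more than one TTL (NAT candidate) or an implausible hop count."""
    ttls_by_src = defaultdict(set)
    for src, ttl in records:
        ttls_by_src[src].add(ttl)
    report = {}
    for src, ttls in ttls_by_src.items():
        inferred = {t: infer_initial_ttl(t) for t in sorted(ttls)}
        report[src] = {
            "ttls": sorted(ttls),
            "inferred": inferred,            # ttl -> (initial, hops)
            "nat_candidate": len(ttls) > 1,  # several OS fingerprints behind one IP
            "implausible": sorted(t for t, (_, hops) in inferred.items()
                                  if hops is None or hops > MAX_PLAUSIBLE_HOPS),
        }
    return report

# Constructed sample records (not taken from the log files discussed in the text).
SAMPLE = [("10.0.0.1", 63), ("10.0.0.1", 127), ("10.0.0.2", 36),
          ("10.0.0.3", 122), ("10.0.0.3", 124)]

if __name__ == "__main__":
    for src, info in analyse_ttls(SAMPLE).items():
        print(src, info["ttls"], "NAT?" if info["nat_candidate"] else "",
              "implausible:", info["implausible"])
```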

Another fact that remains unclear is why there are ten different IP addresses showing up as sources behind device 00:00:0c:04:b2:33. That would indicate that we have a firewall with ten translated IP addresses. However, the IP addresses are in very different networks. This leads to the speculation that the firewall has ten interfaces. Another explanation would be that the log files were tampered with to present this very picture.


Raffy 2004-12-20