
Flowmon ADS

NATDET - Network Address Translation

  • Last Updated: April 5, 2026

Method description

This detection method reveals IP addresses that are shared by several devices through NAT. Because it relies on behavior patterns specific to particular operating systems, detection is limited to NATs with at least two devices running different operating systems behind them.

This method consists of the following submethod:

  • General: Reports the use of the NAT (Network Address Translation) mechanism in the network. The detection relies on the fact that different operating systems manifest differently on the network, for example through default TCP SYN packet sizes, TCP window sizes, initial TTL values, or HTTP User-Agent strings.

Method configuration

Apply this method only to the IP addresses of the monitored network segment; the central switch is the right place to collect the traffic. The method depends on proprietary IPFIX fields defined by Flowmon Networks: the User-Agent fields from the HTTP OS & Application info extension and the whole L3/L4 extended fields extension must be enabled. On the Flowmon probe this is done in FCC → Monitoring ports, where the Advanced settings tab of each monitoring port lists the extensions that can be activated.

Method parameters

  • DistinctSYNSize: Minimal number of distinct TCP SYN packet sizes observed for a single IP address.

  • DistinctTTL: Minimal number of distinct TTL values observed in TCP SYN packets for a single IP address.

  • DistinctTCPWindow: Minimal number of distinct TCP window sizes observed in TCP SYN packets for a single IP address.

  • DistinctOS: Minimal number of distinct operating systems (derived from the HTTP User-Agent) for a single IP address.

  • MinimalProbability: Minimal probability that the given IP address corresponds to several different devices (that is, that there is a NAT).

  • MaxHop: Maximum number of hops expected in the respective network (that is, the maximum number of routers a single packet can traverse). Used for NAT detection based on nonstandard TTL values.
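The following is an added example, not Flowmon code: a small NAT-detection heuristic in the spirit of the indicators and parameters described above. It counts, per source IP, the distinct SYN sizes, TTLs, TCP window sizes and User-Agent-derived OS families seen in constructed flow records, checks each observed TTL against the common initial TTL values within MaxHop hops, and flags an IP once enough indicators cross their thresholds. The record layout, the User-Agent-to-OS mapping, the default thresholds and the way the indicators are combined into a probability are all assumptions made for the example; the actual NATDET scoring is not documented on this page.

```python
"""Added example (not Flowmon code): a NAT-detection heuristic modelled on the
NATDET indicators. Record format, OS mapping and scoring are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Initial TTL values commonly chosen by operating systems
# (Linux/macOS/Android 64, Windows 128, some network gear 255).
INITIAL_TTLS = (64, 128, 255)

# Minimal User-Agent -> OS family mapping; an assumption, ordered so that
# "Android" is matched before the generic "Linux" marker.
OS_MARKERS = (("Windows NT", "Windows"), ("Android", "Android"), ("iPhone", "iOS"),
              ("Mac OS X", "macOS"), ("Linux", "Linux"))


def os_from_user_agent(ua):
    """Return the OS family named in a User-Agent string, or None if unknown."""
    for marker, family in OS_MARKERS:
        if marker in ua:
            return family
    return None


@dataclass
class Flow:
    src: str
    syn_size: int         # size of the TCP SYN packet in bytes
    ttl: int              # TTL as observed at the probe
    tcp_window: int       # TCP window announced in the SYN
    user_agent: str = ""  # empty for non-HTTP flows


@dataclass
class Params:
    """Thresholds named after the NATDET parameters; default values are assumed."""
    distinct_syn_size: int = 2
    distinct_ttl: int = 2
    distinct_tcp_window: int = 2
    distinct_os: int = 2
    minimal_probability: float = 0.5
    max_hop: int = 30


def ttl_is_nonstandard(ttl, max_hop):
    """True if no common initial TTL minus at most max_hop hops yields the observed TTL.

    TTL 62 is a 64-initial host two hops away and is standard; TTL 20 cannot be
    reached from 64, 128 or 255 within 30 hops, so it counts as a NAT hint."""
    return not any(0 <= init - ttl <= max_hop for init in INITIAL_TTLS)


def detect_nat(flows, params, filter_prefix=None):
    """Return {src_ip: probability} for IPs whose evidence reaches minimal_probability.

    filter_prefix plays the role of the assigned filter: only source IPs starting
    with it are evaluated."""
    by_src = defaultdict(lambda: {"syn": set(), "ttl": set(), "win": set(),
                                  "os": set(), "odd_ttl": False})
    for f in flows:
        if filter_prefix and not f.src.startswith(filter_prefix):
            continue
        e = by_src[f.src]
        e["syn"].add(f.syn_size)
        e["ttl"].add(f.ttl)
        e["win"].add(f.tcp_window)
        family = os_from_user_agent(f.user_agent)
        if family:
            e["os"].add(family)
        if ttl_is_nonstandard(f.ttl, params.max_hop):
            e["odd_ttl"] = True

    result = {}
    for ip, e in by_src.items():
        hits = [len(e["syn"]) >= params.distinct_syn_size,
                len(e["ttl"]) >= params.distinct_ttl,
                len(e["win"]) >= params.distinct_tcp_window,
                len(e["os"]) >= params.distinct_os,
                e["odd_ttl"]]
        probability = sum(hits) / len(hits)  # assumed scoring: share of indicators that fired
        if probability >= params.minimal_probability:
            result[ip] = probability
    return result


# Constructed sample flows (not captured data).
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE_FLOWS = [
    # 10.0.0.5: a single Windows host with a consistent fingerprint
    Flow("10.0.0.5", 52, 127, 64240, WIN_UA),
    Flow("10.0.0.5", 52, 127, 64240),
    Flow("10.0.0.5", 52, 127, 64240, WIN_UA),
    # 10.0.0.9: a NAT gateway with a Windows laptop, an Android phone and a Linux box behind it
    Flow("10.0.0.9", 52, 127, 64240, WIN_UA),
    Flow("10.0.0.9", 60, 63, 65535, "Mozilla/5.0 (Linux; Android 13; Pixel 7)"),
    Flow("10.0.0.9", 60, 63, 29200, "Mozilla/5.0 (X11; Linux x86_64)"),
    # 10.0.0.12: only an unexplainable TTL, not enough on its own
    Flow("10.0.0.12", 52, 20, 64240),
]

if __name__ == "__main__":
    for ip, p in detect_nat(SAMPLE_FLOWS, Params()).items():
        print(f"{ip}: NAT suspected, probability {p:.2f}")
```

With the assumed defaults, 10.0.0.9 trips four of the five indicators (two SYN sizes, two TTLs, three window sizes, three OS families) and is reported; 10.0.0.5 trips none, and 10.0.0.12 trips only the nonstandard-TTL indicator and stays below MinimalProbability. Raising MinimalProbability or the Distinct* thresholds trades missed small NATs for fewer false positives on hosts that legitimately change their TCP stack settings.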

Assigned filter

The filter is used for restricting source IP addresses.

Interpretation of results

This detection method alerts on IP addresses that correspond to many different devices (physical or virtual) sharing one address through NAT.
