Knowledge base:
Doing NAT discovery with ByteBlower API
Posted by Pieter Vandercammen, Last modified by Vincent De Maertelaere on 22 July 2020 10:00 AM

This article explain shortly how implement NAT discovery with the ByteBlower API. We'll focus on the basic use-case and provide pointers for more in-depth info. Some experience with FrameBlasting using the ByteBlower API is assumed. Throughout the text we'll use Python but the same principles also apply to the Tcl version of our API.

NAT discovery in the ByteBlower GUI is enabled in the Port View. No such method is available in the API reference for the ByteBlower. Luckily implementing NAT discovery is very easy.

Before we start let's briefly make the setup clear. We'll use the terms upstream and downstream. In this text we'll use them as followed:

  • upstream is all traffic out of the LAN and into the public network. This traffic is never blocked but its addressed are modified when leaving the local network
  • downstream traffic is all traffic from the public network into the local one. It's the reverse direction of upstream. This traffic not modified but tends to be blocked when attempting to enter the LAN. Through NAT discovery we attempt to create a gate for the traffic to pass through.

A good starting point for NAT discovery is first sending traffic between two interfaces in the local network.This is the basic example shown on our GitHub page. You can do this by connecting both interfaces to the same modem or access Point.

Next is creating Upstream FrameBlasting UDP traffic.  This requires one ByteBlower interface in the private network and one outside. As mentioned above, although the addresses are translated, the upstream traffic isn't blocked, at the wan_port is will received with a different source IP address and different source UDP port. The easiest way is to count all this traffic is by leaving the BPF filter empty. Keep in mind this counts all traffic now, including test-runs from other users.

     trigger = wan_port.RxTriggerBasicAdd()

The RxTriggerBasic is a traffic that only counts traffic. The next step is capturing the raw frame-data, very similar to how you'd use Wireshark. This is possible with the ByteBlower API using a different kind of filter: RxCaptureBasic. The example code below shows how to add this filter. Unlike the previous trigger, this type needs to be started explicitly. This filter has a performance impact, but on most systems receiving multiple Mbits/s is no issue.

    captureRaw = wan_port.RxCaptureBasicAdd()

The final step in the NAT discovery is dissecting the received packets to learn the translated addresses. The ByteBlower API offers you the raw Ethernet frame as it was received. With an external library, SCAPY, you can convert these bytes something easier to inspect in Python.

from scapy.all import *

# Process the response: retrieve all packets.
for f in sniffed.FramesGet():
    data = bytearray(f.BufferGet())
    raw = Ether(data)
    if IP in raw and UDP in raw:
        discovered_ip = raw['IP'].getfieldval('src')
        discovered_udp_port = raw['UDP'].getfieldval('sport')
        print('Discovered IP: %s' % discovered_ip)
        print('Discovered UDP port: %s' % discovered_udp_port)

Finally the discovered public IP and UDP port now have a NAT-entry. You can use them as destination for downstream traffic. Without any upstream traffic, this typically remains saved for about 5 minutes.

More info, beyond the basic NAT use-case can be found in the following article:

(0 vote(s))
Not helpful

Comments (0)

We to help you!