– measuring the Internet.

Network Architectures and Services

The extended NAT tests are a collection of tests that require raw sockets or take much more time than the usual NAT tests. To run the test you need:

  • A Linux PC with a mobile broadband modem (USB or integrated).
  • Python 2, python-scapy and python-netifaces installed
  • Agree to run the client as root

Some notes about the client and the measurements:

  • The client adds some iptables rules, these rules are removed again after the experiments:
    • Block the TCP RST messages from the Linux kernel.
    • Directly accept all traffic to and from the server. Otherwise a configured firewall with connection tracking could disturb the measurements.
  • The complete tests take around 2 hours and generate traffic up to 40 MB
  • You can limit the duration of the timeout test, which takes by default one hour.
  • There is a test that opens 213 UDP and TCP connections, which must be enabled explicitly.
  • The client contains the compiled binary of tracebox. If you do not want to run this binary as root, just delete tools/tracebox.
  • The result is a JSON file that contains all details from the experiments. An evaluation script is also part of the client, so you get an overview about your ISPs settings.

Run the tests

To run the tests, download the client here and unpack it:

$ unzip middlebox-testing-raw-sockets-master-*.zip
$ cd middlebox-testing-raw-sockets-master-...

You need to know the interface name of your modem, use ip a to get it. As mentioned before you can disable or restrict some tests. A description of all executed tests can be found below.

Short timeout test without port space exhaustion test

The timeout test takes only 10 minutes now:

$ sudo python -i ppp0 -s --max-timeout 10

Normal timeout test without port space exhaustion test

The timeout test takes 60 minutes by default:

$ sudo python -i ppp0 -s

With port space exhaustion test (most useful for us)

The port space exhaustion test open 213 UDP and TCP connections.

$ sudo python -i ppp0 -s --enable-port-exhaustion

Submitting the results

After the tests are finished, you get the file result.json. Please send this file to hertle (at) and also add the name of your ISP. Thank you!

See your results

You can run the following command to get an overview about the test results:

$ python result.json

You can also have a look at the first results while the tests are still running!

Included experiments

Port allocation strategy

This test should detect a correlation between the internal port and the assigned public port number. It is possible that the port number is preserved by the NAT, but there can also be another allocation pattern or a random allocation.

During this test, the following requests are done several time: the client sends a packet to the server and the server replies with the observed public IP and port number.

This exchange is done 100 times for UDP and TCP, once for sequentially increasing port numbers and then again for randomly shuffled port numbers. So all in all this exchange is done 400 times.

Timeout test

The goal of this test is to determine the time until an unused NAT mapping is removed again. This value differs for TCP and UDP, for UDP it is also relevant if traffic was seen in one or both directions. Additionally the UDP timeout may be higher after a STUN exchange.

The following message exchange happens during the test: the client sends a packet to the server and therefore creates the mapping. This packet contains a certain timeout value, the server then waits for the specified time and sends a reply. If the NAT mapping still exists after this timeout, the client receives the response and we know that the configured timeout in the NAT device must be higher.

This simple test is done for increasing timeouts, for UDP we expect the timeout to be less then 10 minutes. For TCP a timeout up to one hour is tested.

Port space exhaustion

An interesting value is the maximal number of existing NAT mappings per client, so this test opens 213 UDP or TCP connections. There is a small gap between two following outgoing connections, so we can observe if new connections are rejected or old mappings are removed after reaching the limit.

Hole punching

During NAT hole punching usually a connection to a closed remote port is opened, so as a result an ICMP error message is sent back and received by the NAT. It is important that the mapping is not removed as a reaction of the ICMP error. This test simulates these incoming ICMP messages and detects the behaviour of the NAT:

Several ICMP message types are tested for TCP and UDP:

  • ICMP destination unreachable
  • ICMP port unreachable
  • ICMP TTL exceeded


The STUN algorithm is executed for UDP using the pystun library. As result the detected NAT type and public endpoint are saved.


This is a normal traceroute for UDP and TCP.

IP spoofing test

An IP packet with a spoofed source IP address is sent to the server, the payload is an UDP packet. The result of this test is whether IP spoofing works or not.

Tracebox (external test)

Tracebox is a tool to detect packet modifications from middleboxes. More details can be found on