by dstaesse 2345 days ago
Well, fair enough. Let me explain a bit how it would be done. Finding the "first packets" is not as easy as you may think.

The two fields in the network protocol that matter are the destination address (DST) and the endpoint ID (EID). These identify the flow uniquely. I'll write this header as DST:EID.

So you find some packet that has, let's say, 1000:100 as the header. Now, that flow was established at some point in the past with two packets that are sent between components called the flow allocators. Flow allocator packets are all sent to a fixed EID, 1. So there will have been an exchange in the network of a packet with 1000:1, and a packet sent back from 1000 to the source, SRC:1 (you don't know the source yet).

The contents of the first packet will be (relevant fields only) 1000:1:SRC:X with SRC the source address, and X an endpoint ID chosen by the source. When the destination receives this, it generates its EID=100 and sends the following information to the source's flow allocator: SRC:1:X:100

The source knows from X that the message is from 1000. This is enough information for both endpoints to know the <ADDR, EID> pair of their peers. An interceptor doesn't know SRC or X. You could look for all packets and find that "100" field, but how do you know it was sent by 1000?

It will take quite some traffic flow analysis to match these two packets. Probably it will be easier to try to match the actual data flows.

Now take into account that networks have multiple layers, and all flows are established this way.

It's definitely not impossible. But it's harder than just reading the first X bytes off a packet.
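The allocation exchange described in this comment, simulated as an added example. This is not the commenter's code and not code from any real network stack; it assumes a header carries only (DST, EID), that allocator traffic always uses EID 1, that an interceptor logs headers only (payloads treated as opaque), and the node addresses, EID counters and helper names are made up. It runs the DST:1:SRC:X / SRC:1:X:EID exchange for three sources talking to 1000 and then shows what a header-only interceptor can say about a data packet 1000:100.

```python
"""Simulation of the flow-allocation exchange described in the comment above.

Added example, not code from the comment's author or from any real network
stack. Assumptions in this model: a packet header carries only (DST, EID),
allocator traffic always uses EID 1, and an interceptor records headers only
(payloads treated as opaque). Node addresses and EID counters are made up.
"""
from dataclasses import dataclass, field
from typing import Any, Optional

ALLOCATOR_EID = 1  # fixed EID of the flow allocator (from the comment)


@dataclass(frozen=True)
class Packet:
    dst: int       # destination address (DST)
    eid: int       # endpoint id at the destination (EID)
    payload: Any   # opaque to the interceptor in this model


@dataclass
class Node:
    """An endpoint together with its flow allocator."""
    addr: int
    next_eid: int = 100                                 # hypothetical counter start
    pending: dict = field(default_factory=dict)         # X -> address we asked
    flows: dict = field(default_factory=dict)           # local EID -> (peer, peer EID)

    def _fresh_eid(self) -> int:
        eid, self.next_eid = self.next_eid, self.next_eid + 1
        return eid

    def allocate(self, dst: int) -> Packet:
        """First allocator packet: DST:1 carrying SRC and a source-chosen X."""
        x = self._fresh_eid()
        self.pending[x] = dst
        return Packet(dst, ALLOCATOR_EID, ("REQ", self.addr, x))

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Process a packet addressed to this node; return a reply if any."""
        if pkt.eid != ALLOCATOR_EID:
            return None                                 # data on an established flow
        kind, a, b = pkt.payload
        if kind == "REQ":                               # a = SRC, b = X
            eid = self._fresh_eid()
            self.flows[eid] = (a, b)
            return Packet(a, ALLOCATOR_EID, ("RESP", b, eid))   # SRC:1 carrying X, EID
        if kind == "RESP":                              # a = X, b = destination's EID
            self.flows[a] = (self.pending.pop(a), b)
        return None


class Network:
    """Delivers packets and keeps the interceptor's header-only log."""
    def __init__(self, nodes):
        self.nodes = {n.addr: n for n in nodes}
        self.intercepted: list = []                     # [(DST, EID), ...]

    def send(self, pkt: Packet) -> None:
        self.intercepted.append((pkt.dst, pkt.eid))
        reply = self.nodes[pkt.dst].handle(pkt)
        if reply is not None:
            self.send(reply)

    def send_data(self, src: int, local_eid: int, body: bytes) -> None:
        peer, peer_eid = self.nodes[src].flows[local_eid]
        self.send(Packet(peer, peer_eid, body))


def possible_sources(log, dst: int, eid: int) -> list:
    """Interceptor's view: given the first data header DST:EID, which addresses
    received an allocator packet (?:1) earlier that could be the matching reply?
    Every ?:1 packet not addressed to DST is a candidate; nothing in the header
    ties one of them to DST:EID."""
    first = log.index((dst, eid))
    return sorted({d for d, e in log[:first] if e == ALLOCATOR_EID and d != dst})


def run_scenario():
    """Three sources each allocate a flow to 1000, then 2000 sends data."""
    net = Network([Node(1000), Node(2000), Node(3000), Node(4000)])
    for src in (2000, 3000, 4000):
        net.send(net.nodes[src].allocate(1000))
    net.send_data(2000, 100, b"hello")                  # constructed data packet
    return net


if __name__ == "__main__":
    net = run_scenario()
    print("intercepted headers:", net.intercepted)
    print("candidate sources for 1000:100:", possible_sources(net.intercepted, 1000, 100))
```

Both endpoints finish with a consistent <ADDR, EID> pair for their peer (1000 maps its EID 100 to (2000, 100); 2000 maps its X=100 to (1000, 100)), while the interceptor's log contains only 1000:1 and ?:1 headers before the data packet and cannot tell which of 2000, 3000 or 4000 the reply for 1000:100 went to; the header-level correlation the comment describes is what is left.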