[unisog] DHCP analysis
Frank Bulk
frnkblk at iname.com
Tue May 23 14:54:08 GMT 2006
Thanks, I had another private email that confirmed the same. I was wrong
about device identification, it was OS identification, but the principle
applies the same.
This stuff looks only at the ordering of the DHCP options, not even the
self-identification values sometimes sent (Option 43 on PacketCable modems),
or the construct of the packet.
Regards,
Frank
-----Original Message-----
From: Frank Sweetser [mailto:fs at WPI.EDU]
Sent: Tuesday, May 23, 2006 9:33 AM
To: frnkblk at iname.com; UNIversity Security Operations Group
Subject: Re: [unisog] DHCP analysis
On Tue, May 23, 2006 at 09:16:31AM -0500, Frank Bulk wrote:
> I've been racking my brain, Google, and Google Desktop, and I cannot recall
> the reference I've read about a whitepaper or software package that
> performed host analysis based on DHCP requests, both their option requests,
> option ordering, packet assembly, and of course, MAC address.
>
> Can anyone help me track this down?
SysAdmin had an article on what University of Kansas did.
http://www.nts.ku.edu/about/projects/dhcp/NGDHCP.pdf
I've written a simple Perl analyzer at
http://erwin.wpi.edu/~fs/dhcprint/
plus PacketFence does it as well.
--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
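
An illustration of the option-ordering technique discussed in this thread, added here and not part of the original messages or of dhcprint, PacketFence or the KU paper: it extracts the wire order of DHCP option codes and the order inside the option 55 parameter request list, which together form the fingerprint. The sample packets, the KNOWN table and its labels are constructed for this example.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the options field
BOOTP_FIXED_LEN = 236                # fixed BOOTP header that precedes the cookie

def parse_options(payload):
    """Return [(code, value), ...] in wire order from a raw DHCP message (UDP payload)."""
    start = BOOTP_FIXED_LEN + 4
    if payload[BOOTP_FIXED_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = [], start
    while i < len(payload):
        code = payload[i]
        if code == 0:                # pad option: one byte, no length field
            i += 1
            continue
        if code == 255:              # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts

def fingerprint(payload):
    """Return (order of option codes in the packet, order of codes inside option 55)."""
    opts = parse_options(payload)
    option_order = ",".join(str(c) for c, _ in opts)
    requested = next((v for c, v in opts if c == 55), b"")
    return option_order, ",".join(str(b) for b in requested)

def build_sample(options):
    """Constructed test input: zeroed BOOTP header + cookie + options + end marker."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return bytes(BOOTP_FIXED_LEN) + MAGIC_COOKIE + body + b"\xff"

# Hypothetical lookup table; the label is a placeholder, not a real OS signature.
KNOWN = {"1,15,3,6,44,46,47": "constructed-profile-A"}

def classify(payload):
    return KNOWN.get(fingerprint(payload)[1], "unknown")

# Constructed clients: same requested parameters, different ordering.
CLIENT_A = build_sample([(53, b"\x01"), (61, b"\x01" + bytes(6)), (12, b"host-a"), (55, bytes([1, 15, 3, 6, 44, 46, 47]))])
CLIENT_B = build_sample([(53, b"\x01"), (55, bytes([1, 3, 6, 15, 44, 46, 47])), (12, b"host-b")])
```

Both constructed clients request the same set of parameters, yet only CLIENT_A matches the table entry, because the match is on order rather than on the set.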