[unisog] Identifying if node is a router or PC

Paul FM paulfm at me.umn.edu
Mon Jul 16 14:08:41 GMT 2007

Whatever does the identifying would have to work by watching the packets for
DHCP and DNS (very closely, more than the standard DHCP logs), as most of
these devices will do DHCP themselves and will proxy DNS (through their own
internal DNS server) - it would have to fingerprint those packets (to try and
ID the manufacturer).  Other than that, the MAC address is easily (and likely)
forged on these devices, and the nature of NAT makes it very hard to
fingerprint the machine by scanning (some of the ports you connect to may go
back to the client machine).  And of course, even a Windows XP Home computer
can be a NAT router (very easily).

One possible way is to use SAMBA as your watcher.  Samba knows the NAME of the
connecting machine (as the client knows it) and if you can entice your 
clients to at least try to connect to a machine running samba, you would be 
able to watch for multiple Windows clients (names) coming through one IP 
address (something I should work on myself - thanks for getting me to think 
about it).

Also web logs may be able to help a little.

Frank Bulk wrote:
> Does anyone know of a program, or preferably, a Perl module, that would
> allow me to identify if a node is a computer or a broadband router?
> Information beyond that (such as OS or broadband router model number) would
> be a bonus.
> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
> seem to do that well on routers that are doing NAT.  I would even accept MAC
> address identification, too, if there was actually an updated list that
> extended beyond the standard OUI.
> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
> they don't appear to be any more helpful.
> Regards,
> Frank

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
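
An added example, not part of the original message and not code from either poster: one way to act on the Samba idea above is to scan smbd's log for several client names arriving from one IP address within a short window, so that a DHCP lease handed to a different machine later in the day is not mistaken for NAT. The log layout is modelled on smbd's level-1 "connect to service" entries and is an assumption to check against your own logs; the sample lines, the 30-minute window and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; layout assumed from smbd "connect to service" log entries.
SAMPLE_LOG = """\
[2007/07/16 09:01:12, 1] smbd/service.c:make_connection_snum(1033)
  dorm-pc-17 (10.1.4.23) connect to service probe initially as user nobody (uid=65534, gid=65534) (pid 4101)
[2007/07/16 09:03:40, 1] smbd/service.c:make_connection_snum(1033)
  LAPTOP-ANNA (10.1.4.23) connect to service probe initially as user nobody (uid=65534, gid=65534) (pid 4107)
[2007/07/16 09:05:02, 1] smbd/service.c:make_connection_snum(1033)
  lab-ws-02 (10.1.4.40) connect to service probe initially as user nobody (uid=65534, gid=65534) (pid 4110)
[2007/07/16 09:06:30, 1] smbd/service.c:make_connection_snum(1033)
  10.1.4.51 (10.1.4.51) connect to service probe initially as user nobody (uid=65534, gid=65534) (pid 4112)
[2007/07/16 15:20:11, 1] smbd/service.c:make_connection_snum(1033)
  office-pc-9 (10.1.4.40) connect to service probe initially as user nobody (uid=65534, gid=65534) (pid 5230)
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
CONNECT_RE = re.compile(r"^\s+(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\) connect to service ")

def parse_events(lines):
    """Yield (timestamp, ip, client_name) for each connection entry."""
    ts = None
    for line in lines:
        h = HEADER_RE.match(line)
        if h:
            ts = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        c = CONNECT_RE.match(line)
        if c and ts is not None:
            name, ip = c.group(1).lower(), c.group(2)
            if name != ip:  # assumption: a nameless client is logged by its address
                yield ts, ip, name

def suspected_nat(lines, window=timedelta(minutes=30), min_names=2):
    """Return {ip: sorted names} where >= min_names names share an IP within window."""
    by_ip = defaultdict(list)
    for ts, ip, name in parse_events(lines):
        by_ip[ip].append((ts, name))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_names and len(names) > len(flagged.get(ip, ())):
                flagged[ip] = sorted(names)
    return flagged
```

On the sample, `suspected_nat(SAMPLE_LOG.splitlines())` reports only 10.1.4.23; 10.1.4.40 is left out because its two names are more than six hours apart.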