[unisog] Identifying if node is a router or PC

David LaPorte david_laporte at harvard.edu
Mon Jul 16 15:21:52 GMT 2007

PacketFence, an open-source NAC solution I co-develop, does DHCP
fingerprinting like you mention.  We currently have 165 device
fingerprints that include routers, APs, game consoles, operating
systems, etc.

PF may be a bit overkill, since the fingerprinting is just one part, but
it ships with a "dhcp_dumper" utility that just does the fingerprinting.
We also have a dhcp-finger utility (written in C, not perl) on the
website that uses an XML-based configuration file.  The PF file is a bit
more up-to-date, but only if you need recent fingerprints for PS3,
iPhone, Wii, etc.

Paul FM wrote:
> Whatever does the identifying, would have to work by watching the packets for 
> DHCP and DNS (very closely, more than the standard DHCP logs), as most of 
> these devices will do DHCP themselves and will proxy dns (through their own 
> internal dns server) - it would have to fingerprint those packets (to try and 
> id the manufacturer).  Other than that, the MAC address is easily (and likely 
> ) forged on these devices, and the nature of NAT makes it very hard to 
> fingerprint the machine by scanning (some of the ports you connect to may go 
> back to the client machine).  And of course, even a Windows XP Home computer 
> can be a NAT router (very easily).
> One possible way is to use SAMBA as your watcher.  Samba knows the NAME of the 
> connecting machine (as the client knows it) and if you can entice your 
> clients to at least try to connect to a machine running samba, you would be 
> able to watch for multiple Windows clients (names) coming through one IP 
> address (something I should work on myself - thanks for getting me to think 
> about it).
> Also web logs may be able to help a little.
> Frank Bulk wrote:
>> Does anyone know of a program, or preferably, a Perl module, that would
>> allow me to identify if a node is a computer or a broadband router?
>> Information beyond that (such as OS or broadband router model number) would
>> be a bonus.
>> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
>> seem to do that well on routers that are doing NAT.  I would even accept MAC
>> address identification, too, if there was actually an updated list that
>> extended beyond the standard OUI.
>> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
>> they don't appear to be any more helpful.
>> Regards,
>> Frank
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog

David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
Email: david_laporte at harvard.edu
  PGP: 0x4DC3E508
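As an added illustration of the DHCP fingerprinting David describes (this is example code, not PacketFence's dhcp_dumper or dhcp-finger): the fingerprint key is the option 55 parameter request list a client sends in its DISCOVER/REQUEST, optionally joined with the option 60 vendor class. The fingerprint table and the sample packet are constructed for this example and are not entries from the PacketFence database.

```python
# Added example, not PacketFence code. Parses a raw BOOTP/DHCP packet and keys a
# lookup on option 55; FINGERPRINTS entries are constructed, not real signatures.
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed, illustrative fingerprints: option 55 parameter request list -> label.
FINGERPRINTS = {
    "1,3,6,15,28,33,42,51,54,58,59": "example SOHO NAT router (constructed)",
    "1,15,3,6,44,46,47,31,33,249,43": "example Windows workstation (constructed)",
}

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP packet.
    Stops at END (255), skips PAD (0), and rejects truncated options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:          # END
            break
        if code == 0:            # PAD: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value    # option overloading/concatenation not handled here
        i += 2 + length
    return options

def fingerprint(packet: bytes) -> dict:
    """Extract the option 55 list (the fingerprint key) and option 60 vendor class."""
    opts = parse_dhcp_options(packet)
    prl = ",".join(str(b) for b in opts.get(55, b""))
    vendor = opts.get(60, b"").decode("ascii", "replace")
    return {"prl": prl, "vendor_class": vendor,
            "match": FINGERPRINTS.get(prl, "unknown")}

def build_discover(prl: bytes, vendor: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER: 236-byte BOOTP header + cookie + options."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232        # op=BOOTREQUEST, htype=Ethernet
    opts = bytes([53, 1, 1]) + bytes([55, len(prl)]) + prl   # 53=DHCPDISCOVER
    if vendor:
        opts += bytes([60, len(vendor)]) + vendor
    return header + MAGIC_COOKIE + opts + b"\xff"
```

On a NAT router it is the WAN-side DHCP client that sends these options, so the match identifies the router's firmware, not the hosts behind it.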
