[unisog] Identifying if node is a router or PC
david_laporte at harvard.edu
Mon Jul 16 15:21:52 GMT 2007
PacketFence, an open-source NAC solution I co-develop, does DHCP
fingerprinting like you mention. We currently have 165 device
fingerprints that include routers, APs, game consoles, operating
PF may be a bit overkill, since the fingerprinting is just one part, but
it ships with a "dhcp_dumper" utility that just does the fingerprinting.
We also have a dhcp-finger utility (written in C, not perl) on the
website that uses an XML-based configuration file. The PF file is a bit
more up-to-date, but only if you need recent fingerprints for PS3,
iPhone, Wii, etc.
Paul FM wrote:
> Whatever does the identifying, would have to work by watching the packets for
> DHCP and DNS (very closely, more than the standard DHCP logs), as most of
> these devices will do DHCP themselves and will proxy dns (through their own
> internal dns server) - it would have to fingerprint those packets (to try and
> id the manufacturer). Other than that, the MAC address is easily (and likely)
> forged on these devices, and the nature of NAT makes it very hard to
> fingerprint the machine by scanning (some of the ports you connect to may go
> back to the client machine). And of course, even a Windows XP Home computer
> can be a NAT router (very easily).
> One possible way is to use SAMBA as your watcher. Samba knows the NAME of the
> connecting machine (as the client knows it) and if you can entice your
> clients to at least try to connect to a machine running samba, you would be
> able to watch for multiple Windows clients (names) coming through one IP
> address (something I should work on myself - thanks for getting me to think
> about it).
> Also web logs may be able to help a little.
> Frank Bulk wrote:
>> Does anyone know of a program, or preferably, a Perl module, that would
>> allow me to identify if a node is a computer or a broadband router?
>> Information beyond that (such as OS or broadband router model number) would
>> be a bonus.
>> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
>> seem to do that well on routers that are doing NAT. I would even accept MAC
>> address identification, too, if there was actually an updated list that
>> extended beyond the standard OUI.
>> Any suggestions would be helpful. I've also looked at p0f and SinFP, and
>> they don't appear to be any more helpful.
>> unisog mailing list
>> unisog at lists.dshield.org
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
Email: david_laporte at harvard.edu
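As an added example (not code from this thread, and not PacketFence's or dhcp-finger's own implementation), the following Python shows the DHCP fingerprinting the posts refer to: parse a DHCP Discover, pull option 55 (the parameter request list) in the order the client sent it, and look that list up in a fingerprint table. Everything here is constructed for the example: the packet, the MAC address, the vendor class string, and the fingerprint table, whose labels are illustrative and are not real PacketFence fingerprints.

```python
"""Toy DHCP fingerprinter keyed on option 55 (parameter request list). Added example."""
from __future__ import annotations

import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER_LEN = 236  # op..file fields; options follow the 4-byte magic cookie

# Constructed fingerprint table (illustrative labels, NOT PacketFence data):
# key = option 55 codes in the order the client sent them, value = device label.
FINGERPRINTS = {
    "1,3,6,12,15,28,42": "embedded broadband router (illustrative)",
    "1,15,3,6,44,46,47,31,33,249,43": "Windows PC (illustrative)",
    "1,3,6,15,119,252": "Apple handheld (illustrative)",
}


def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Return {option_code: value}; raises ValueError on anything malformed."""
    if len(packet) < BOOTP_HEADER_LEN + 4 or \
            packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not DHCP: short packet or missing magic cookie")
    options: dict[int, bytes] = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:        # pad option has no length byte
            i += 1
            continue
        if code == 255:      # end option
            return options
        if i + 1 >= len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes but packet ends early" % (code, length))
        # A repeated option is concatenated (RFC 3396), so a split option 55 still fingerprints.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("no end option (255) before end of packet")


def prl_key(options: dict[int, bytes]) -> str | None:
    """Option 55 as 'a,b,c' in client order; the order itself is part of the signature."""
    prl = options.get(55)
    return ",".join(str(b) for b in prl) if prl else None


def identify(packet: bytes) -> dict:
    """Summarise the DHCP client: MAC, message type, vendor class (option 60) and fingerprint."""
    options = parse_dhcp_options(packet)
    hlen = packet[2]
    mac = ":".join("%02x" % b for b in packet[28:28 + hlen])  # chaddr starts at offset 28
    key = prl_key(options)
    return {
        "mac": mac,
        "msg_type": options[53][0] if 53 in options else None,
        "vendor_class": options[60].decode("ascii", "replace") if 60 in options else None,
        "prl": key,
        "device": FINGERPRINTS.get(key, "unknown") if key else "no option 55",
    }


def build_discover(mac: bytes, prl: bytes, vendor_class: bytes | None = None,
                   pad: bool = False) -> bytes:
    """Constructed DHCPDISCOVER for offline testing (fixed xid, broadcast flag set)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, len(mac), 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac, b"\0" * 64, b"\0" * 128)
    opts = b"\x35\x01\x01"                  # option 53: message type 1 = DISCOVER
    if pad:
        opts += b"\x00\x00"                 # pad bytes, to exercise the parser
    opts += bytes([55, len(prl)]) + prl     # option 55: parameter request list
    if vendor_class:
        opts += bytes([60, len(vendor_class)]) + vendor_class
    return header + MAGIC_COOKIE + opts + b"\xff"


if __name__ == "__main__":
    # Constructed sample: a router-like client with a udhcp-style vendor class string.
    sample = build_discover(bytes.fromhex("001122334455"),
                            bytes([1, 3, 6, 12, 15, 28, 42]), b"udhcp 1.x", pad=True)
    print(identify(sample))
```

The signal here is the content and order of option 55, which is what a DHCP-based fingerprinter keys on; option 60 and the MAC are recorded as corroborating detail, not as the match. Keep the caveat from the thread in mind: this identifies the DHCP client that sent the packet, so for a NAT router it describes the router's WAN side and says nothing about the machines behind it.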