[unisog] Identifying if node is a router or PC

Michael Hornung hornung at cac.washington.edu
Mon Jul 16 15:34:03 GMT 2007


I'm coming to this thread late; somehow I missed postings prior to this 
one.  I have some questions about what specifically it is you're trying to 
determine.

Are you looking to distinguish devices that are actual branded "broadband 
routers" (i.e. off-the-shelf appliance devices) from any other customer 
devices, or are you looking for all devices serving the purpose of 
"broadband router" (e.g. including customer linux boxes doing NAT and 
whatnot)?

Are you seeking only tools you can use to query devices directly, in 
addition to monitoring logs from central services you may be offering 
(e.g. DHCP, DNS)?  Or do you also have the ability to monitor customer 
network traffic to satisfy your needs?

_____________________________________________________
 Michael Hornung          Computing & Communications 
 hornung at washington.edu   University of Washington

On Mon, 16 Jul 2007 at 09:08, Paul FM wrote:

|Whatever does the identifying, would have to work by watching the packets for 
|  DHCP and DNS (very closely, more than the standard DHCP logs), as most of 
|these devices will do DHCP themselves and will proxy dns (through their own 
|internal dns server) - it would have to fingerprint those packets (to try and 
|id the manufacturer).  Other than that, the MAC address is easily (and likely) 
|forged on these devices, and the nature of NAT makes it very hard to 
|fingerprint the machine by scanning (some of the ports you connect to may go 
|back to the client machine).  And of course, even a Windows XP Home computer 
|can be a NAT router (very easily).
|
|One possible way is to use SAMBA as your watcher.  Samba knows the NAME of the 
|connecting machine (as the client knows it) and if you can entice your 
|clients to at least try to connect to a machine running samba, you would be 
|able to watch for multiple Windows clients (names) coming through one IP 
|address (something I should work on myself - thanks for getting me to think 
|about it).
|
|Also web logs may be able to help a little.
|
|
|
|
|Frank Bulk wrote:
|> Does anyone know of a program, or preferably, a Perl module, that would
|> allow me to identify if a node is a computer or a broadband router?
|> Information beyond that (such as OS or broadband router model number) would
|> be a bonus.
|> 
|> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
|> seem to do that well on routers that are doing NAT.  I would even accept MAC
|> address identification, too, if there was actually an updated list that
|> extended beyond the standard OUI.
|> 
|> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
|> they don't appear to be any more helpful.
|> 
|> Regards,
|> 
|> Frank
|> 
|> _______________________________________________
|> unisog mailing list
|> unisog at lists.dshield.org
|> https://lists.sans.org/mailman/listinfo/unisog
|
|-- 
|---------------------------------------------------------------------
|The views and opinions expressed above are strictly
|those of the author(s).  The content of this message has
|not been reviewed nor approved by any entity whatsoever.
|---------------------------------------------------------------------
|Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
|---------------------------------------------------------------------
|
|
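The Samba-based watcher that Paul FM sketches above, written out as an added example; it is not code from anyone on this thread. The idea is the one he describes: a NAT router hides several Windows machines behind one IP, but each machine still announces its own NetBIOS/SMB client name when it connects to a Samba share, so an IP that presents several distinct client names is a candidate "broadband router". The log lines below are constructed and only loosely modelled on smbd connection messages; the exact field layout (`CLIENTNAME (ip) connect to service ...`) is an assumption, so adjust the regular expression to whatever your smbd log level actually emits.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real Samba output), loosely modelled on the
# smbd "client (ip) connect to service" message.  Each record carries the
# client name as the Windows machine announced it plus the source IP the
# TCP session arrived from.  10.1.2.3 and 10.1.9.2 show several names behind
# one address; 10.1.7.9 is a single machine connecting twice.
SAMPLE_LOG = """\
[2007/07/16 09:00:00, 0] smbd/server.c:main(1) smbd started (constructed, non-connection line)
[2007/07/16 09:01:12, 1] smbd/service.c:make_connection_snum(1033) DESKTOP-A (10.1.2.3) connect to service public initially as user guest
[2007/07/16 09:02:40, 1] smbd/service.c:make_connection_snum(1033) LAPTOP-B (10.1.2.3) connect to service public initially as user guest
[2007/07/16 09:03:05, 1] smbd/service.c:make_connection_snum(1033) desktop-a (10.1.2.3) connect to service public initially as user guest
[2007/07/16 09:04:55, 1] smbd/service.c:make_connection_snum(1033) KIDSPC (10.1.2.3) connect to service public initially as user guest
[2007/07/16 09:05:10, 1] smbd/service.c:make_connection_snum(1033) STUDY-PC (10.1.7.9) connect to service public initially as user guest
[2007/07/16 09:06:33, 1] smbd/service.c:make_connection_snum(1033) STUDY-PC (10.1.7.9) connect to service public initially as user guest
[2007/07/16 09:07:01, 1] smbd/service.c:make_connection_snum(1033) OFFICE1 (10.1.9.2) connect to service public initially as user guest
[2007/07/16 09:08:20, 1] smbd/service.c:make_connection_snum(1033) OFFICE2 (10.1.9.2) connect to service public initially as user guest
"""

# Assumed layout: "[timestamp, level] source-location CLIENTNAME (ip) connect to service ..."
CONNECT_RE = re.compile(
    r"^\[[^\]]+\]\s+\S+\s+(?P<name>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+connect to service"
)


def parse_connections(text):
    """Yield (source_ip, client_name) for every connection line; other lines are skipped.

    NetBIOS names are case-insensitive, so names are upper-cased before use;
    otherwise DESKTOP-A and desktop-a would be counted as two machines.
    """
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            yield m.group("ip"), m.group("name").upper()


def names_per_ip(text):
    """Map each source IP to the set of distinct client names seen from it."""
    seen = defaultdict(set)
    for ip, name in parse_connections(text):
        seen[ip].add(name)
    return seen


def nat_suspects(text, min_names=2):
    """Return {ip: sorted client names} for IPs that presented at least min_names names.

    Several distinct Windows client names arriving from one IP is the NAT
    signal Paul describes; one name per IP looks like a directly connected PC.
    """
    return {
        ip: sorted(names)
        for ip, names in names_per_ip(text).items()
        if len(names) >= min_names
    }


if __name__ == "__main__":
    for ip, names in sorted(nat_suspects(SAMPLE_LOG).items()):
        print(f"{ip}: {len(names)} client names behind one address -> {', '.join(names)}")
```

Two caveats before trusting the output: a DHCP lease that expires and is handed to a different customer also produces several names per IP over time, so correlate the counting window with your lease times (or key on the DHCP-assigned MAC plus IP rather than the IP alone), and a single PC that was renamed will look like two machines until the old name ages out. Raising `min_names` trades missed two-machine households for fewer of those false positives.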

