[unisog] Identifying if node is a router or PC

Frank Bulk frnkblk at iname.com
Mon Jul 16 16:02:30 GMT 2007


Good question -- I'm looking for those generic broadband routers that
customers can power cycle.  Those who use PC-based linux boxes doing NAT are
going to tell us up front and we can move more quickly through the 
trouble-shooting process.

I would prefer something that lets me query directly as opposed to a passive
tool or something that queries logs, though I would be OK with some kind of 
log checker.  I do not have the ability to monitor customer network traffic
in a manner that satisfies my needs.


-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Michael Hornung
Sent: Monday, July 16, 2007 10:34 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Identifying if node is a router or PC

I'm coming to this thread late; somehow I missed postings prior to this
one.  I have some questions about what specifically it is you're trying to

Are you looking to distinguish devices that are actual branded "broadband
routers" (i.e. off-the-shelf appliance devices) from any other customer
devices, or are you looking for all devices serving the purpose of
"broadband router" (e.g. including customer linux boxes doing NAT and

Are you seeking only tools you can use to query devices directly, in
addition to monitoring logs from central services you may be offering
(e.g. DHCP, DNS)?  Or do you also have the ability to monitor customer
network traffic to satisfy your needs?

 Michael Hornung          Computing & Communications
 hornung at washington.edu   University of Washington

On Mon, 16 Jul 2007 at 09:08, Paul FM wrote:

|Whatever does the identifying, would have to work by watching the packets
|  DHCP and DNS (very closely, more than the standard DHCP logs), as most of
|these devices will do DHCP themselves and will proxy dns (through their own
|internal dns server) - it would have to fingerprint those packets (to try
|id the manufacturer).  Other than that, the MAC address is easily (and
|) forged on these devices, and the nature of NAT makes it very hard to
|fingerprint the machine by scanning (some of the ports you connect to may
|back to the client machine).  And of course, even a Windows XP Home computer
|can be a NAT router (very easily).
|One possible way is to use SAMBA as your watcher.  Samba knows the NAME of
|connecting machine (as the client knows it) and if you can entice your
|clients to at least try to connect to a machine running samba, you would be
|able to watch for multiple Windows clients (names) coming through one IP
|address (something I should work on myself - thanks for getting me to think
|about it).
|Also web logs may be able to help a little.
|Frank Bulk wrote:
|> Does anyone know of a program, or preferably, a Perl module, that would
|> allow me to identify if a node is a computer or a broadband router?
|> Information beyond that (such as OS or broadband router model number)
|> be a bonus.
|> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
|> seem to do that well on routers that are doing NAT.  I would even accept
|> address identification, too, if there was actually an updated list that
|> extended beyond the standard OUI.
|> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
|> they don't appear to be any more helpful.
|> Regards,
|> Frank
|> _______________________________________________
|> unisog mailing list
|> unisog at lists.dshield.org
|> https://lists.sans.org/mailman/listinfo/unisog
|The views and opinions expressed above are strictly
|those of the author(s).  The content of this message has
|not been reviewed nor approved by any entity whatsoever.
|Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
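The Samba-based heuristic Paul Markfort suggests above (several distinct Windows client names arriving from one IP address point to a NAT device rather than a single PC) can be checked offline against a log of client names. The script below is an added example written for this page, not code from the thread or from Samba; the "timestamp ip name" log format and the sample records are constructed for the example, so a real Samba log would need its own parsing pattern.

```python
"""Flag IP addresses behind which several Windows client names appear.

Added example implementing the heuristic from the thread: when a service such
as Samba records the name each client announces, two or more distinct names
from the same IP address suggest a NAT device (broadband router or a PC doing
NAT).  The log format and records below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample records in a hypothetical "timestamp ip name" format.
SAMPLE_LOG = """\
2007-07-16T10:01:02 10.20.30.40 DESKTOP-ALICE
2007-07-16T10:02:15 10.20.30.40 LAPTOP-BOB
2007-07-16T10:03:40 10.20.30.41 WORKSTATION1
2007-07-16T10:05:10 10.20.30.40 desktop-alice
2007-07-16T10:06:00 10.20.30.42 KIDS-PC
2007-07-16T10:07:30 10.20.30.42 MEDIA-BOX
2007-07-16T10:08:45 10.20.30.42 PRINTER-SVR
2007-07-16T10:09:00 malformed line without the expected fields
"""

# One record per line: timestamp, dotted-quad IPv4 address, announced name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)$"
)


def parse_records(text):
    """Yield (ip, name) pairs; names are uppercased because NetBIOS names
    are case-insensitive, so DESKTOP-ALICE and desktop-alice are one host."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the expected format
        yield match.group("ip"), match.group("name").upper()


def names_per_ip(records):
    """Collect the set of distinct client names seen behind each IP."""
    table = defaultdict(set)
    for ip, name in records:
        table[ip].add(name)
    return table


def likely_nat(table, threshold=2):
    """Return {ip: sorted names} for IPs that showed at least `threshold`
    distinct names; those are the candidates for a NAT router."""
    return {
        ip: sorted(names)
        for ip, names in table.items()
        if len(names) >= threshold
    }


def classify(text, threshold=2):
    """Parse a log and return the IPs that look like NAT devices."""
    return likely_nat(names_per_ip(parse_records(text)), threshold)


if __name__ == "__main__":
    for ip, names in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip}: {len(names)} client names, likely NAT: {', '.join(names)}")
```

Two limits follow directly from the thread: the check only sees clients that actually attempt an SMB connection to the watcher, and a lone PC behind a router produces a single name and is not flagged. Renamed machines or a multi-boot host can also produce more than one name from a genuinely single computer, so the output is a list of candidates for follow-up rather than a verdict.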
