Can signature analysis of DHCP client behaviour identify WinXP clients?
Niall O'Reilly
niall.oreilly at ucd.ie
Mon Nov 11 17:38:47 UTC 2013
Thanks to everyone who sent suggestions.
I have the bit pretty-well between my teeth now, so have enough
helpful information for now.
On 11 Nov 2013, at 13:27, Jean-Francois.TremblayING at videotron.com wrote:
> DHCP fingerprinting based on DHCPv4 options, both their presence
> and their order, proved to be surprisingly effective and much
> less intrusive than scanning.
Indeed.
Setting up a scanning infrastructure with spanned ports and
boxes to listen on them isn't trivial on our network, even if
some of the boxes could be virtual ones.
> For example, XP SP3 seems to always request these options, in
> exactly this order: 1,15,3,6,44,46,47,31,33,249,43
On 11 Nov 2013, at 14:54, A.L.M.Buxey at lboro.ac.uk wrote:
> check out http://www.fingerbank.org/ - PacketFence NAC system also
> uses these. we started using these fingerprints way back when it was a Finnish
> project IIRC.
I'll have some fun (?) cross-checking that against what I'm
seeing. I've decided to log some useful DHCP fields and options
wvt offline analysis, rather than setting lease variables. My
current configuration fragment is shown below. I prefer this to
growing a subclass list, as it lets me gather new fingerprints
rather than just known ones.
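
on commit {
    # Log one "DHCPFP" line per lease commit for offline fingerprint analysis.
    log (info, concat (
        "DHCPFP",
        # Client hardware address as colon-separated hex (leading hardware-type byte skipped).
        concat(" from ", binary-to-ascii(16, 8, ":", substring(hardware, 1, 16))),
        # Parameter request list as comma-separated decimal option codes, in the order sent.
        pick-first-value(concat(" rqpl ", binary-to-ascii(10, 8, ",",
            option dhcp-parameter-request-list)), ""),
        # Lease time option from the client's packet, as one decimal 32-bit value.
        pick-first-value(concat(" rqlt ", binary-to-ascii(10, 32, "",
            option dhcp-lease-time)), ""),
        # Vendor class identifier, as sent by the client.
        pick-first-value(concat(" vcid ", option vendor-class-identifier), ""),
        "" ));
}
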
Thanks and best regards,
Niall O'Reilly
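
Added example, not part of the original message: a Python sketch of the offline analysis step, parsing the "DHCPFP" lines the fragment above would log and listing hardware addresses whose request list equals the XP SP3 list quoted in the thread. The syslog prefix, addresses and the second request list are constructed sample data, and the function names are hypothetical; it assumes binary-to-ascii writes hex octets without zero padding.

```python
import re
from collections import defaultdict

# Request list quoted in the thread for XP SP3 (option codes, in order).
XP_SP3_RQPL = "1,15,3,6,44,46,47,31,33,249,43"

# rqpl, rqlt and vcid are each optional: pick-first-value logs "" when absent.
LINE_RE = re.compile(
    r"DHCPFP from (?P<mac>[0-9a-fA-F:]+)"
    r"(?: rqpl (?P<rqpl>[0-9,]+))?"
    r"(?: rqlt (?P<rqlt>[0-9]+))?"
    r"(?: vcid (?P<vcid>.*))?$"
)

# Constructed sample log lines (not taken from the thread).
SAMPLE = [
    "Nov 11 17:40:01 dhcp1 dhcpd: DHCPFP from 0:c:29:aa:1:2 rqpl 1,15,3,6,44,46,47,31,33,249,43 vcid MSFT 5.0",
    "Nov 11 17:40:05 dhcp1 dhcpd: DHCPFP from 0:1e:c2:0:0:5 rqpl 1,3,6,15,119,252 rqlt 7776000",
    "Nov 11 17:40:09 dhcp1 dhcpd: DHCPFP from 8:0:27:10:20:30 rqpl 1,15,3,6,44,46,47,31,33,249,43 vcid MSFT 5.0",
    "Nov 11 17:40:12 dhcp1 dhcpd: DHCPFP from 0:50:56:1:1:1",
    "Nov 11 17:40:13 dhcp1 dhcpd: DHCPACK on 192.0.2.10 to 00:50:56:01:01:01 via eth0",
]

def normalise_mac(raw):
    # Assumed unpadded octets: "0:c:29" becomes "00:0c:29".
    return ":".join(octet.zfill(2) for octet in raw.lower().split(":"))

def parse_line(line):
    """Return a dict of mac/rqpl/rqlt/vcid, or None for non-DHCPFP lines."""
    m = LINE_RE.search(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["mac"] = normalise_mac(rec["mac"])
    return rec

def group_by_fingerprint(lines):
    """Map (request list, vendor class) to the set of addresses seen with it."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rqpl"]:
            groups[(rec["rqpl"], rec["vcid"])].add(rec["mac"])
    return groups

def xp_candidates(lines):
    """Addresses whose request list matches the XP SP3 list from the thread."""
    hits = set()
    for (rqpl, _vcid), macs in group_by_fingerprint(lines).items():
        if rqpl == XP_SP3_RQPL:
            hits |= macs
    return sorted(hits)
```

Grouping on the whole request list, rather than matching only known lists, keeps unfamiliar fingerprints visible for cross-checking.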